CWE-425: Direct Request ('Forced Browsing')

Abstraction: Base
Status: Incomplete

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.


Extended Description

Web applications susceptible to direct request attacks often make the false assumption that restricted resources can only be reached through a given navigation path, and so apply authorization only at certain points along that path rather than on every restricted URL, script, or file.
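The following is an added illustration, not code from MITRE or from this lookup site: a constructed, framework-free request dispatcher showing the weakness (the role check lives only on the `/admin` menu page that links to `/admin/export`) beside the hardened form (a single central check on every restricted URL prefix, applied to the normalized path before any handler runs). The `Request` type, paths and role names are all assumptions made up for the example.

```python
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Request:
    path: str
    user: Optional[str] = None          # None means anonymous
    roles: frozenset = frozenset()      # e.g. frozenset({"admin"})


def admin_menu(req: Request) -> Response:
    # CWE-425 pattern: authorization is checked only on the navigation entry
    # point, on the assumption that /admin/export is always reached from here.
    if "admin" not in req.roles:
        return 403, "forbidden"
    return 200, "links: /admin/export"


def admin_export(req: Request) -> Response:
    # No check of its own, so a direct request for this URL is served to anyone.
    return 200, "export: all user records"


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/admin": admin_menu,
    "/admin/export": admin_export,
}

# Hardened design: restricted URL space declared once, path prefix -> required role.
RESTRICTED_PREFIXES: Dict[str, str] = {"/admin": "admin"}


def required_role(path: str) -> Optional[str]:
    # Match on the normalized path so "/admin//export" or "/admin/export/" are
    # judged the same way as "/admin/export".
    norm = posixpath.normpath(path)
    for prefix, role in RESTRICTED_PREFIXES.items():
        if norm == prefix or norm.startswith(prefix + "/"):
            return role
    return None


def dispatch_vulnerable(req: Request) -> Response:
    handler = ROUTES.get(posixpath.normpath(req.path))
    return handler(req) if handler else (404, "not found")


def dispatch_hardened(req: Request) -> Response:
    # Authorization runs before routing, for every URL under a restricted prefix,
    # so the order in which pages are visited no longer matters.
    role = required_role(req.path)
    if role is not None and role not in req.roles:
        return 403, "forbidden"
    return dispatch_vulnerable(req)
```

A simple regression check for this class of weakness is to request every restricted URL anonymously and assert a 401/403, independent of any navigation path.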

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

