CWE-425 直接请求(强制性浏览)

Direct Request ('Forced Browsing')

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

扩展描述

Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 1003 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 288 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 288 cwe_View_ID: 699

  • cwe_Nature: ChildOf cwe_CWE_ID: 424 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 424 cwe_View_ID: 699

  • cwe_Nature: CanPrecede cwe_CWE_ID: 471 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 98 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Confidentiality', 'Integrity', 'Availability', 'Access Control'] ['Read Application Data', 'Modify Application Data', 'Execute Unauthorized Code or Commands', 'Gain Privileges or Assume Identity']

可能的缓解方案

['Architecture and Design', 'Operation']

策略:

Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.

Architecture and Design

策略:

Consider using MVC based frameworks such as Struts.

示例代码

If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.

attack JSP

http://somesite.com/someapplication/admin.jsp

分析过的案例

标识 说明 链接
CVE-2004-2144 Bypass authentication via direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2144
CVE-2005-1892 Infinite loop or infoleak triggered by direct requests. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1892
CVE-2004-2257 Bypass auth/auth via direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2257
CVE-2005-1688 Direct request leads to infoleak by error. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1688
CVE-2005-1697 Direct request leads to infoleak by error. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1697
CVE-2005-1698 Direct request leads to infoleak by error. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1698
CVE-2005-1685 Authentication bypass via direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1685
CVE-2005-1827 Authentication bypass via direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1827
CVE-2005-1654 Authorization bypass using direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654
CVE-2005-1668 Access privileged functionality using direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1668
CVE-2002-1798 Upload arbitrary files via direct request. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1798

Notes

Relationship Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection. Theoretical "Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Direct Request aka 'Forced Browsing'
OWASP Top Ten 2007 A10 CWE More Specific Failure to Restrict URL Access
OWASP Top Ten 2004 A1 CWE More Specific Unvalidated Input
OWASP Top Ten 2004 A2 CWE More Specific Broken Access Control
WASC 34 Predictable Resource Location
Software Fault Patterns SFP30 Missing endpoint authentication

相关攻击模式

  • CAPEC-127
  • CAPEC-87