CWE-425 直接请求(强制性浏览)
Direct Request ('Forced Browsing')
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
扩展描述
Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 1003 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 862 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 288 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 288 cwe_View_ID: 699
-
cwe_Nature: ChildOf cwe_CWE_ID: 424 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 424 cwe_View_ID: 699
-
cwe_Nature: CanPrecede cwe_CWE_ID: 471 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 98 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Confidentiality', 'Integrity', 'Availability', 'Access Control'] | ['Read Application Data', 'Modify Application Data', 'Execute Unauthorized Code or Commands', 'Gain Privileges or Assume Identity'] |
可能的缓解方案
['Architecture and Design', 'Operation']
策略:
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Architecture and Design
策略:
Consider using MVC based frameworks such as Struts.
示例代码
例
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
attack JSP
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2004-2144 | Bypass authentication via direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2144 |
| CVE-2005-1892 | Infinite loop or infoleak triggered by direct requests. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1892 |
| CVE-2004-2257 | Bypass auth/auth via direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2257 |
| CVE-2005-1688 | Direct request leads to infoleak by error. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1688 |
| CVE-2005-1697 | Direct request leads to infoleak by error. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1697 |
| CVE-2005-1698 | Direct request leads to infoleak by error. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1698 |
| CVE-2005-1685 | Authentication bypass via direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1685 |
| CVE-2005-1827 | Authentication bypass via direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1827 |
| CVE-2005-1654 | Authorization bypass using direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1654 |
| CVE-2005-1668 | Access privileged functionality using direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1668 |
| CVE-2002-1798 | Upload arbitrary files via direct request. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1798 |
Notes
Relationship
Overlaps Modification of Assumed-Immutable Data (MAID), authorization errors, container errors; often primary to other weaknesses such as XSS and SQL injection.
Theoretical
"Forced browsing" is a step-based manipulation involving the omission of one or more steps, whose order is assumed to be immutable. The application does not verify that the first step was performed successfully before the second step. The consequence is typically "authentication bypass" or "path disclosure," although it can be primary to all kinds of weaknesses, especially in languages such as PHP, which allow external modification of assumed-immutable variables.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Direct Request aka 'Forced Browsing' | ||
| OWASP Top Ten 2007 | A10 | CWE More Specific | Failure to Restrict URL Access |
| OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input |
| OWASP Top Ten 2004 | A2 | CWE More Specific | Broken Access Control |
| WASC | 34 | Predictable Resource Location | |
| Software Fault Patterns | SFP30 | Missing endpoint authentication |
相关攻击模式
- CAPEC-127
- CAPEC-87
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论