# Direct Request ('Forced Browsing') (CWE-425)

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

- Prevalence: High (frequently exploited)
- Impact: High (1 high-severity rule)
- Prevention: Documented (1 fix example)

**OWASP:** Broken Access Control (A01:2021 - Broken Access Control) - #1

## Description

Attackers can directly access URLs that should be protected by authentication or authorization. This often occurs when access controls are only enforced in the main navigation (for example, by hiding the link to an admin page from non-admin users) but not on direct requests to the URL itself, so anyone who knows or guesses the path can reach it.

## Prevention

### Python

Add authentication and admin-role checks to all administrative endpoints.

## Warning Signs

- [HIGH] Administrative endpoints (admin, debug, internal, system) that lack proper authentication or authorization checks

## Consequences

- Read Application Data
- Modify Application Data
- Gain Privileges

## Mitigations

- Implement server-side access control checks on all protected resources
- Do not rely on client-side access controls alone
- Use a centralized authorization mechanism

## Detection

- Total rules: 1
- Languages: python

## Rules by Language

### Python (1 rule)

- **Exposed Administrative Endpoint** [HIGH]: Detects administrative endpoints (admin, debug, internal, system) that lack proper authentication or authorization checks. These endpoints should require admin privileges and be protected from public access.
  - Remediation: Add an authentication decorator to admin endpoints.

```python
from functools import wraps

from flask import Flask, abort, jsonify
from flask_login import LoginManager, login_required, current_user

app = Flask(__name__)
login_manager = LoginManager(app)  # flask_login needs a LoginManager bound to the app


def admin_required(f):
    """Require a logged-in user whose is_admin flag is set; otherwise respond 403."""
    @wraps(f)
    @login_required          # unauthenticated callers are rejected before the role check runs
    def decorated(*args, **kwargs):
        if not current_user.is_admin:
            abort(403)
        return f(*args, **kwargs)
    return decorated


@app.route('/admin/users')
@admin_required              # the check runs on every request to this URL, not just on navigation
def admin_users():
    return jsonify(get_users())  # get_users() is the application's own user-listing function
```

Learn more: https://shoulder.dev/learn/python/cwe-425/exposed-admin-endpoint
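The mitigations above call for server-side checks on every protected resource and a centralized authorization mechanism. The following added example (not the rule's own code, and dependency-free rather than Flask-based so it runs stand-alone) shows a deny-by-default policy table consulted by a single dispatcher on every request; the user store and the `username` parameter standing in for a session are constructed for the demo.

```python
"""Forced-browsing defence: one central, deny-by-default authorization check run on every request."""

# Constructed sample user store; a real app would resolve the user from the session.
USERS = {
    "alice": {"is_admin": True},
    "bob": {"is_admin": False},
}

# Central policy: exact path or "prefix/" -> minimum role. Paths with no entry require "admin",
# so a forgotten route is closed rather than open.
ROUTE_POLICY = {
    "/": "anonymous",
    "/profile": "user",
    "/admin/": "admin",
    "/internal/": "admin",
}
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


def required_role(path):
    """Longest-prefix match against ROUTE_POLICY; '/' matches only itself."""
    best = None
    for prefix, role in ROUTE_POLICY.items():
        exact = path == prefix
        under = prefix != "/" and prefix.endswith("/") and path.startswith(prefix)
        if (exact or under) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, role)
    return best[1] if best else "admin"


def effective_role(user):
    if user is None:
        return "anonymous"
    return "admin" if user["is_admin"] else "user"


def authorize(path, user):
    return ROLE_RANK[effective_role(user)] >= ROLE_RANK[required_role(path)]


def handle(path, username=None):
    """Dispatch a request; the policy check happens here, before any handler, so typing
    /admin/users directly into the address bar is treated exactly like following a link."""
    user = USERS.get(username)
    if not authorize(path, user):
        return (401 if user is None else 403), {"error": "forbidden"}
    if path == "/":  # the nav only *hides* the admin link; hiding is not the access control
        nav = ["/profile"] + (["/admin/users"] if effective_role(user) == "admin" else [])
        return 200, {"nav": nav}
    if path == "/profile":
        return 200, {"user": username}
    if path == "/admin/users":
        return 200, {"users": sorted(USERS)}
    return 404, {"error": "not found"}  # only reachable by callers already authorized for the path
```

Note that an unknown path returns 403 to a non-admin before it returns 404, which is the deny-by-default behaviour the mitigation list asks for.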