CWE-425
AllowedDirect Request ('Forced Browsing')
Abstraction: Base · Status: Incomplete
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
269 vulnerabilities reference this CWE, most recent first.
GHSA-RW74-237R-47CJ
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2024-09-10 18:30Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
{
"affected": [],
"aliases": [
"CVE-2018-16060"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-15T20:15:00Z",
"severity": "HIGH"
},
"details": "Mitsubishi Electric SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.",
"id": "GHSA-rw74-237r-47cj",
"modified": "2024-09-10T18:30:41Z",
"published": "2022-05-24T19:17:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16060"
},
{
"type": "WEB",
"url": "https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/164538/Mitsubishi-Electric-INEA-SmartRTU-Source-Code-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWP9-5G7Q-73Q3
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 19:31OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openflagr/flagr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251009103504-fe83dc87aa40"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-0650"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-425"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-07T19:31:31Z",
"nvd_published_at": "2026-01-07T12:17:07Z",
"severity": "CRITICAL"
},
"details": "OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.",
"id": "GHSA-rwp9-5g7q-73q3",
"modified": "2026-01-07T19:31:31Z",
"published": "2026-01-07T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0650"
},
{
"type": "WEB",
"url": "https://github.com/openflagr/flagr/commit/fe83dc87aa404a57554aa5839ac450f55c203570"
},
{
"type": "WEB",
"url": "https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass"
},
{
"type": "PACKAGE",
"url": "https://github.com/openflagr/flagr"
},
{
"type": "WEB",
"url": "https://github.com/openflagr/flagr/releases/tag/1.1.19"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware"
}
GHSA-V7VQ-3X77-87VG
Vulnerability from github – Published: 2022-06-16 23:10 – Updated: 2022-06-16 23:10Impact
What kind of vulnerability is it? Who is impacted?
Authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.
Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.
Patches
Has the problem been patched? What versions should users upgrade to?
notebook 6.4.12
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Do not run the notebook server in a directory with hidden files, use subdirectories
- Use a custom ContentsManager with additional checks for
self.is_hidden(path)prior to completing actions
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.4.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29238"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-16T23:10:10Z",
"nvd_published_at": "2022-06-14T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAuthenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were \u0027hidden\u0027 but not \u0027inaccessible\u0027). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.\n\nBecause fully authenticated requests are required, this is of relatively low impact. But if a server\u0027s root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended _means_ by which the files could be accessed.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nnotebook 6.4.12\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n- Do not run the notebook server in a directory with hidden files, use subdirectories\n- Use a custom ContentsManager with additional checks for `self.is_hidden(path)` prior to completing actions\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n",
"id": "GHSA-v7vq-3x77-87vg",
"modified": "2022-06-16T23:10:10Z",
"published": "2022-06-16T23:10:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29238"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/notebook"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2022-212.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Token bruteforcing."
}
GHSA-V97W-VR8H-FVMM
Vulnerability from github – Published: 2025-10-05 06:30 – Updated: 2025-10-05 06:30A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.
{
"affected": [],
"aliases": [
"CVE-2025-11280"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-05T04:15:35Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in Frappe LMS 2.35.0. Impacted is an unknown function of the file /files/ of the component Assignment Picture Handler. This manipulation causes direct request. The attack may be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. It is advisable to upgrade the affected component. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.",
"id": "GHSA-v97w-vr8h-fvmm",
"modified": "2025-10-05T06:30:14Z",
"published": "2025-10-05T06:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11280"
},
{
"type": "WEB",
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1"
},
{
"type": "WEB",
"url": "https://gist.github.com/0xHamy/beb840a754f50a7ee6500600147a6ac1#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.327014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.327014"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.659694"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V994-GGF7-GPJ5
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:22eClass platform < ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.
{
"affected": [],
"aliases": [
"CVE-2019-9884"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-25T17:15:00Z",
"severity": "CRITICAL"
},
"details": "eClass platform \u003c ip.2.5.10.2.1 allows an attacker to use GETS method to request /admin page to bypass the password validation and access management page.",
"id": "GHSA-v994-ggf7-gpj5",
"modified": "2024-04-04T01:22:58Z",
"published": "2022-05-24T16:51:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9884"
},
{
"type": "WEB",
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201904004"
},
{
"type": "WEB",
"url": "https://zeroday.hitcon.org/vulnerability/ZD-2019-00332"
},
{
"type": "WEB",
"url": "http://surl.twcert.org.tw/b7jfz"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VC3P-78QC-H4M8
Vulnerability from github – Published: 2022-05-01 02:01 – Updated: 2025-01-16 21:30Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.
{
"affected": [],
"aliases": [
"CVE-2005-1688"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-05-20T04:00:00Z",
"severity": "MODERATE"
},
"details": "Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.",
"id": "GHSA-vc3p-78qc-h4m8",
"modified": "2025-01-16T21:30:54Z",
"published": "2022-05-01T02:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1688"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=111661517716733\u0026w=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VG8H-HXWQ-MX5R
Vulnerability from github – Published: 2024-07-28 00:30 – Updated: 2024-07-28 00:30A vulnerability classified as problematic has been found in Netgear WN604 up to 20240719. Affected is an unknown function of the file siteSurvey.php. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-7153"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-27T22:15:01Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in Netgear WN604 up to 20240719. Affected is an unknown function of the file siteSurvey.php. The manipulation leads to direct request. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272556. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vg8h-hxwq-mx5r",
"modified": "2024-07-28T00:30:33Z",
"published": "2024-07-28T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7153"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.272556"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.272556"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.377056"
},
{
"type": "WEB",
"url": "https://wiki.shikangsi.com/post/share/e8a2a0a0-5e72-4bb1-8805-cf155a89f583"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VH6H-77MP-JG82
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-07-29 00:00The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames
{
"affected": [],
"aliases": [
"CVE-2021-24695"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-08T18:15:00Z",
"severity": "HIGH"
},
"details": "The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to download and read the logs containing Sensitive Information such as IP Addresses and Usernames",
"id": "GHSA-vh6h-77mp-jg82",
"modified": "2022-07-29T00:00:50Z",
"published": "2022-05-24T19:19:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24695"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/d7bdaf2b-cdd9-4aee-b1bb-01728160ff25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ5P-C5RG-HM3W
Vulnerability from github – Published: 2024-02-02 03:30 – Updated: 2024-02-02 03:30IBM PowerSC 1.3, 2.0, and 2.1 fails to properly restrict access to a URL or resource, which may allow a remote attacker to obtain unauthorized access to application functionality and/or resources. IBM X-Force ID: 275115.
{
"affected": [],
"aliases": [
"CVE-2023-50935"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T02:15:17Z",
"severity": "MODERATE"
},
"details": "IBM PowerSC 1.3, 2.0, and 2.1 fails to properly restrict access to a URL or resource, which may allow a remote attacker to obtain unauthorized access to application functionality and/or resources. IBM X-Force ID: 275115.\n\n",
"id": "GHSA-vj5p-c5rg-hm3w",
"modified": "2024-02-02T03:30:32Z",
"published": "2024-02-02T03:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50935"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/275115"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7113759"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ9R-PQP4-6MXR
Vulnerability from github – Published: 2025-12-28 21:30 – Updated: 2025-12-28 21:30A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised.
{
"affected": [],
"aliases": [
"CVE-2025-15153"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T21:15:54Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised.",
"id": "GHSA-vj9r-pqp4-6mxr",
"modified": "2025-12-28T21:30:25Z",
"published": "2025-12-28T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15153"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/ALC1iSa8J56A"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338531"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338531"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.719814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Mitigation
Consider using MVC based frameworks such as Struts.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-143: Detect Unpublicized Web Pages
An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.
CAPEC-144: Detect Unpublicized Web Services
An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
CAPEC-87: Forceful Browsing
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.