CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Base

Incomplete

Description

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Parent Weaknesses (ChildOf)

CWE-696: Incorrect Behavior Order...

CWE-863: Incorrect Authorization...

Related Weaknesses

CWE-41 (PeerOf)

Common Consequences

Scope

Access Control

Impact

Bypass Protection Mechanism

Potential Mitigations

Architecture and Design

URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now