CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE-551
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
- Description
If a web server does not fully parse and canonicalize a requested URL before it examines the URL for authorization, an attacker may be able to bypass the authorization check by requesting a syntactically different URL that resolves to the same protected resource.
For instance, the path segments /./ and / refer to the same location, because a dot segment names the current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may gain access to the resource if /./ is not collapsed to / before the authorization check is performed, because the string compared against the access-control rule no longer matches the rule, while the string handed to the file-serving layer still resolves to the protected directory.
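The following is an added example (not code from the CWE entry) that contrasts the weak ordering with the correct one. It assumes a hypothetical server whose only protected prefix is /SomeDirectory, checks authorization with a plain string comparison, and canonicalizes by percent-decoding once, removing dot segments and collapsing duplicate slashes; it goes beyond the entry's single /./ case by also covering /../, %2e and // forms.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: the only access-controlled prefix on the server.
PROTECTED_PREFIXES = ("/SomeDirectory",)


def is_protected(path: str) -> bool:
    """String-based access-control rule: exact match or a path under the prefix."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the single form the file-serving layer will resolve.

    Steps: drop the query string, percent-decode once (the same number of times
    the server decodes, so the check sees what the handler sees), resolve "." and
    ".." segments with posixpath.normpath, and collapse leading "//" which normpath
    deliberately preserves on POSIX.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    while path.startswith("//"):
        path = path[1:]
    return path


def authorize_vulnerable(raw_path: str, is_admin: bool) -> bool:
    """CWE-551 ordering: the rule is evaluated on the raw request string.

    "/./SomeDirectory" does not start with "/SomeDirectory", so the check passes,
    yet the handler will still serve the protected directory.
    """
    if is_protected(raw_path) and not is_admin:
        return False
    return True


def authorize_fixed(raw_path: str, is_admin: bool) -> bool:
    """Correct ordering: canonicalize first, then evaluate the rule on the result."""
    path = canonicalize(raw_path)
    if is_protected(path) and not is_admin:
        return False
    return True


# Constructed request paths that all resolve to the protected directory.
EVASIONS = (
    "/./SomeDirectory",
    "/SomeDirectory/../SomeDirectory",
    "/public/../SomeDirectory/index.html",
    "/%2e/SomeDirectory",
    "//SomeDirectory",
    "/SomeDirectory?x=1",
)

if __name__ == "__main__":
    for raw in EVASIONS:
        print(f"{raw:40} vulnerable={authorize_vulnerable(raw, False)} "
              f"fixed={authorize_fixed(raw, False)} canonical={canonicalize(raw)}")
```

The important property is that `canonicalize` applies exactly the transformations the file-serving layer applies, no more and no fewer: decoding one more time than the handler (or one fewer) simply moves the mismatch rather than removing it, so the canonicalization routine should be shared between the authorization check and the resource resolver rather than reimplemented in each.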
- Common Consequences
Scope: Access Control
Impact: Bypass Protection Mechanism
- Related Weaknesses
- Release Date:
- 2006-07-19
- Latest Modification Date:
- 2023-06-29