CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
扩展描述
For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism
潜在缓解措施
阶段: Architecture and Design
描述: URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |