Description
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
Potential Impact
Access Control
Bypass Protection Mechanism
Mitigations & Prevention
URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
Related Weaknesses
Frequently Asked Questions
What is CWE-551?
CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
How can CWE-551 be exploited?
Attackers can exploit CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-551?
Key mitigations include: URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not dec
What is the severity of CWE-551?
CWE-551 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.