CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

AI Translation Available

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Status

incomplete

Abstraction

base

Affected Platforms

Not Technology-Specific Web Based Web Server

Extended Description

AI Translation

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Technical Details

AI Translation

Common Consequences

access control

Impacts

bypass protection mechanism

Potential Mitigations

Phases:

architecture and design

Descriptions:

• URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

AI Generated Translation

Common Consequences

controllo degli accessi

Impacts

elusione del meccanismo di protezione

Potential Mitigations

Phases:

architettura e design

Descriptions:

• Gli input URL devono essere decodificati e canonicalizzati nella rappresentazione interna corrente dell'applicazione prima di essere convalidati e processati per l'autorizzazione. Assicurati che la tua applicazione non decodifichi lo stesso input due volte. Tali errori potrebbero essere sfruttati per aggirare gli schemi di allowlist introducendo input pericolosi dopo che sono stati verificati.

CWE-551

Common Consequences

Impacts

Potential Mitigations

Common Consequences

Impacts

Potential Mitigations

Iscriviti alla newsletter