CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

BaseIncomplete

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

View on MITRE
Back to CWE Lookup

Extended Description

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?+

CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization is a Common Weakness Enumeration (CWE) entry maintained by MITRE. If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

What are the security consequences of Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?+

If exploited, CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.

How do you prevent or mitigate Incorrect Behavior Order: Authorization Before Parsing and Canonicalization?+

Recommended mitigations for CWE-551 include: URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-551 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More