{"@ID": "647", "@Name": "Use of Non-Canonical URL Paths for Authorization Decisions", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.", "Extended_Description": {"xhtml:p": ["If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:", "Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule)."], "xhtml:ul": {"xhtml:li": ["http://WWW.EXAMPLE.COM/mypage", "http://www.example.com/%6Dypage (alternate encoding)", "http://192.168.1.1/mypage (IP address)", "http://www.example.com/mypage/ (trailing /)", "http://www.example.com:80/mypage"]}}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "863", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "180", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Name": "Web Server", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}, {"Phase": "Operation"}]}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": [{"Scope": "Access Control", "Impact": "Bypass Protection Mechanism", "Note": "An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL."}, {"Scope": "Confidentiality", "Impact": "Read Files or Directories", "Note": "If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program)."}]}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form."}, {"Phase": "Architecture and Design", "Description": "Reject all alternate path encodings that are not in the expected canonical form."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "Example from CAPEC (CAPEC ID: 4, \"Using Alternative IP Address Encodings\"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions."}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "IDS02-J", "Entry_Name": "Canonicalize path names before validating them"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "Evgeny Lebanidze", "Submission_Organization": "Cigital", "Submission_Date": "2008-01-30", "Submission_Version": "Draft 8", "Submission_ReleaseDate": "2008-01-30"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Common_Consequences, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description, Name, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2008-10-14", "#text": "Using Non-Canonical Paths for Authorization Decisions"}}}
