Common Weakness Enumeration
Back to CWE stats page
CWE-551
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
Mitigation
Phase: Architecture and Design
Description:
- URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.