Common Weakness Enumeration
CWE-647
Use of Non-Canonical URL Paths for Authorization Decisions
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL path is canonical. This can allow a non-canonical URL (an alternate encoding or an unresolved dot-segment path that refers to the same resource) to bypass the authorization check.
Mitigation
Phase: Architecture and Design
Description:
- Base access control policy on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.
Mitigation
Phase: Architecture and Design
Description:
- Reject all alternate path encodings that are not in the expected canonical form.
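An added illustration of both mitigations (example code written for this page, not from CWE): a canonicalization routine that percent-decodes exactly once, resolves dot segments and validates the result against a restrictive allowlist regex, placed beside the naive prefix check on the raw path that CWE-647 describes. The policy, the regex and the assumption that the backend serves paths case-insensitively are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed policy: only the "/admin" namespace is restricted, everything else
# is public. The allowlist regex defines what a canonical path may look like.
RESTRICTED = {"/admin": {"admin"}}
CANONICAL_PATH = re.compile(r"^/$|^(?:/[A-Za-z0-9_.-]+)+$")

def canonicalize(path: str) -> str:
    """Return the single canonical form of a URL path, or raise ValueError.

    Percent-decodes exactly once (rejecting double encoding), folds
    backslashes, resolves "." and ".." segments, drops empty segments,
    lower-cases (assumes a case-insensitive backend) and validates the result.
    """
    decoded = unquote(path)
    if "%" in decoded or "\x00" in decoded:
        raise ValueError("non-canonical encoding: %r" % path)
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes root: %r" % path)
            segments.pop()
        else:
            segments.append(seg.lower())
    canonical = "/" + "/".join(segments)
    if not CANONICAL_PATH.fullmatch(canonical):
        raise ValueError("unexpected characters: %r" % path)
    return canonical

def naive_is_authorized(path: str, role: str) -> bool:
    """CWE-647 pattern: policy applied to the raw path as the client sent it."""
    for prefix, roles in RESTRICTED.items():
        if path.startswith(prefix):
            return role in roles
    return True  # outside a restricted namespace: public

def is_authorized(path: str, role: str) -> bool:
    """Mitigated: canonicalize first; anything non-canonical is rejected."""
    try:
        canonical = canonicalize(path)
    except ValueError:
        return False
    for prefix, roles in RESTRICTED.items():
        if canonical == prefix or canonical.startswith(prefix + "/"):
            return role in roles
    return True
```

The naive check lets an encoded or dot-segment spelling of the restricted namespace through as "public"; the mitigated check decides on the canonical path and refuses anything that does not canonicalize to the allowlisted form.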
No CAPEC attack patterns related to this CWE.