Common Weakness Enumeration

CWE-647

Use of Non-Canonical URL Paths for Authorization Decisions

The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Mitigation

Phase: Architecture and Design

Description:

  • Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.

Mitigation

Phase: Architecture and Design

Description:

  • Reject all alternate path encodings that are not in the expected canonical form.

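A worked illustration of both mitigations, added here and not part of the CWE entry: the naive check applies the policy to the path as received, the hardened check canonicalizes first, rejects any encoding it cannot normalize, and validates the result against a restrictive allowlist. The policy (paths at or below /admin need the admin role), the allowlist regular expression and the sample paths are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist: canonical paths are /seg/seg..., segments of ASCII
# letters, digits, '-' or '_' with at most one extension, optional trailing '/'.
CANONICAL_PATH = re.compile(r"^(/[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?)*/?$")


def is_protected(path: str) -> bool:
    """Constructed policy: everything at or below /admin needs the admin role."""
    return path == "/admin" or path.startswith("/admin/")


def canonicalize(path: str) -> Optional[str]:
    """Return the canonical form of a URL path, or None if it must be rejected.

    Percent-decode once; anything still encoded afterwards (double encoding),
    a backslash or a NUL byte is not canonical and is rejected outright.
    Then resolve '.' and '..', collapse repeated slashes, and require the
    result to match the allowlist.
    """
    if not path.startswith("/"):
        return None
    decoded = unquote(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue  # empty segments (from '//') and '.' contribute nothing
        if seg == "..":
            if not segments:
                return None  # climbing above the root is never canonical
            segments.pop()
            continue
        segments.append(seg)
    canonical = "/" + "/".join(segments)
    if segments and decoded.endswith("/"):
        canonical += "/"  # preserve a trailing slash, routing may depend on it
    return canonical if CANONICAL_PATH.fullmatch(canonical) else None


def authorize_naive(path: str, roles: set) -> bool:
    """The weakness: the policy is evaluated on the raw, non-canonical path."""
    return "admin" in roles or not is_protected(path)


def authorize_canonical(path: str, roles: set) -> bool:
    """The mitigation: canonicalize, reject the unnormalizable, then decide."""
    canonical = canonicalize(path)
    if canonical is None:
        return False
    return "admin" in roles or not is_protected(canonical)
```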
No CAPEC attack patterns related to this CWE.
