Byte Open Security (ByteOS Network)
CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Weakness ID: 551
Version: v4.17
Weakness Name: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

▼Extended Description

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
ChildOf | Allowed-with-Review | Class | 863 | Incorrect Authorization
ChildOf | Allowed-with-Review | Class | 696 | Incorrect Behavior Order
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 438 | Behavioral Problems
MemberOf | Prohibited | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control
MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication
MemberOf | Prohibited | Category | 1011 | Authorize Actors
MemberOf | Prohibited | Category | 1212 | Authorization Errors
MemberOf | Prohibited | Category | 1396 | Comprehensive Categorization: Access Control
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSS View | BOSS-316 | Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1011 | Authorize Actors
Relevant to the view "Software Development - (699)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 438 | Behavioral Problems
MemberOf | Prohibited | Category | 1212 | Authorization Errors
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 949 | SFP Secondary Cluster: Faulty Endpoint Authentication
▼Background Detail

▼Common Consequences
Scope | Likelihood | Impact | Note
Access Control | N/A | Bypass Protection Mechanism | N/A
▼Potential Mitigations
Phase: Architecture and Design
Mitigation ID:
Strategy:
Effectiveness:
Description:

URL inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

Note:
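The ordering problem in the Extended Description and the fix in the mitigation above, side by side. This is an added example, not code from CWE or from ByteOS: the protected path /SomeDirectory and the /./SomeDirectory request come from the entry text, while the function names, the privileged flag and the percent-encoded variants are assumptions made for the illustration. The vulnerable function checks the raw request path and only canonicalizes afterwards for the file lookup; the corrected one canonicalizes exactly once (a single percent-decode plus dot-segment and slash collapsing) and authorizes the result, so the authorizer and the file layer agree on what is being requested.

```python
import posixpath
from typing import Tuple
from urllib.parse import unquote

# Constructed for this example: the protected directory named in the CWE text.
PROTECTED_PREFIXES = ("/SomeDirectory",)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the one internal form the authorizer compares against.

    Percent-decoding happens exactly once, so '%252e' becomes '%2e' and stays that
    way; decoding it a second time further down the pipeline would turn it into '.'
    after the check, which is the double-decode mistake the mitigation warns about.
    """
    decoded = unquote(raw_path)
    # Force a single leading slash, then collapse '.', '..' and repeated '/'.
    # posixpath.normpath never climbs above '/', so '/../x' becomes '/x'.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_protected(path: str) -> bool:
    """True when path is a protected directory or anything beneath it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize_then_canonicalize(raw_path: str, privileged: bool) -> Tuple[str, str]:
    """CWE-551 ordering (hypothetical vulnerable server): the authorizer sees the raw
    path, but the file layer resolves the canonical one, so the two can disagree."""
    if is_protected(raw_path) and not privileged:
        return ("deny", raw_path)
    return ("allow", canonicalize(raw_path))  # may resolve to the protected resource


def canonicalize_then_authorize(raw_path: str, privileged: bool) -> Tuple[str, str]:
    """Corrected ordering: one canonical form is both authorized and served."""
    canonical = canonicalize(raw_path)
    if is_protected(canonical) and not privileged:
        return ("deny", canonical)
    return ("allow", canonical)


if __name__ == "__main__":
    # Constructed sample requests from an unprivileged client.
    for request in ("/SomeDirectory", "/./SomeDirectory", "/%2e/SomeDirectory",
                    "//SomeDirectory/../SomeDirectory", "/public/index.html"):
        print(f"{request:34} vulnerable={authorize_then_canonicalize(request, False)[0]:5} "
              f"fixed={canonicalize_then_authorize(request, False)[0]}")
```

Running the block shows the raw-path check denying only the literal /SomeDirectory while admitting every equivalent spelling, and the canonicalize-first check denying all of them. A useful regression test for any authorizer is exactly this pair of assertions: every spelling that canonicalizes to a protected path is denied, and canonicalizing the canonical form again changes nothing.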

▼Modes Of Introduction
Phase: Implementation
Note:

REALIZATION: This weakness is caused during implementation of an architectural security tactic.

▼Applicable Platforms
▼Demonstrative Examples
▼Observed Examples
Reference | Description
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality | Description
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
▼Related Attack Patterns
ID | Name
▼References
Details not found