CWE-551

Overview

CWE ID
551

CWE Name
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

CWE Abstraction
Base

CWE structure
Simple

CWE Status
Incomplete

Description

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Extended Description

For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before th

Related CWEs

CWE ID	View ID	Nature	Ordinal
863	1000	ChildOf	Primary
696	1000	ChildOf

Related CVEs

CVE
CVE-2023-23924