Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Incomplete Base
Structure: Simple
Description

This vulnerability occurs when a web server checks access permissions before fully processing and normalizing a URL, potentially allowing attackers to bypass security controls.

Extended Description

The core issue is a flawed sequence in request handling. If authorization is performed on a raw, unparsed URL, an attacker can craft requests using alternate path representations that the server interprets differently after the security check. For example, path sequences like '/./' or multiple slashes might not be recognized as equivalent to a standard path during the initial authorization phase. To prevent this, servers must fully parse, resolve, and canonicalize all URLs (converting them to a single, standard absolute form) before evaluating any access rules. This ensures the path being checked is the same one the server will actually use to locate the resource, closing the gap between authorization logic and filesystem access.

Common Consequences 1
Scope: Access Control

Impact: Bypass Protection Mechanism

Potential Mitigations 1
Phase: Architecture and Design
URL inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.
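The ordering described above, shown as an added example that is not part of the original entry: the same access rule is evaluated once on the raw path and once on the canonical path. The `/admin` rule, the function names and the sample paths are hypothetical and constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

PROTECTED = "/admin"  # hypothetical rule: only admins may reach /admin/*

def canonicalize(raw_path: str) -> str:
    """Decode exactly once, then resolve '.', '..' and repeated slashes."""
    decoded = unquote(raw_path)  # single decoding pass, never repeated later
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # normpath preserves a leading '//', so re-root the path on a single '/'
    return posixpath.normpath("/" + decoded.lstrip("/"))

def is_protected(path: str) -> bool:
    return path == PROTECTED or path.startswith(PROTECTED + "/")

def flawed_handle(raw_path: str, is_admin: bool):
    """Wrong order: the rule sees the raw string, the lookup sees the resolved one."""
    allowed = is_admin or not is_protected(raw_path)
    return allowed, canonicalize(raw_path)

def fixed_handle(raw_path: str, is_admin: bool):
    """Right order: canonicalize first; rule and lookup share one string."""
    path = canonicalize(raw_path)
    return (is_admin or not is_protected(path)), path

if __name__ == "__main__":
    # Constructed sample requests from a non-admin user.
    samples = [
        "/public/index.html",
        "/admin/users",
        "/./admin/users",
        "//admin/users",
        "/%2e/admin/users",
        "/%252e/admin/users",  # decoded once only: '%2e' stays a literal name
    ]
    for raw in samples:
        print(f"{raw!r:24} flawed={flawed_handle(raw, False)} "
              f"fixed={fixed_handle(raw, False)}")
```

In `fixed_handle` the string that was authorized is the string returned for the resource lookup, so nothing downstream should decode or normalize it again.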
Modes of Introduction
Implementation