CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions

Structure: Simple

Abstraction: Variant

Status: Incomplete

Likelihood of Exploit: High


The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.


If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to, then the attacker might be able to bypass this restriction using equivalent URLs such as:

Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).


  • ChildOf CWE-863 (Incorrect Authorization); View 1000 (Research Concepts); Ordinal: Primary

  • ChildOf CWE-863 (Incorrect Authorization); View 699 (Software Development); Ordinal: Primary


Language: Language-Independent (Prevalence: Undetermined)

Paradigm: Web Based (Prevalence: Undetermined)


Scope | Impact | Notes
Access Control | Bypass Protection Mechanism | An attacker may be able to bypass the authorization mechanism and gain access to the otherwise-protected URL.
Confidentiality | Read Files or Directories | If a non-canonical URL is used, the server may return the raw contents of the file instead of pre-processing it (e.g. executing it as a program), disclosing its source.


Architecture and Design


Base the access control policy on path information in canonical form, and use very restrictive regular expressions to validate that the canonicalized path has the expected form before the policy is applied.

Architecture and Design


Reject all alternate path encodings that are not in the expected canonical form.
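The two mitigations above, as an added Python example that is not part of the CWE entry: a deny rule matched against the raw request path (the weakness) beside a check that first reduces the path to one canonical form, validates it with a restrictive regular expression, and only then applies an allowlist with default deny. The /public/ and /admin/ prefixes, the policy and the probe paths are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical policy for this added example (not taken from the CWE entry): anonymous
# clients may read anything under /public/; every other path needs an authenticated session.
PUBLIC_PREFIX = "/public/"

# The one shape a canonical path may have: "/" followed by slash-separated segments of
# [A-Za-z0-9_-] with at most one extension. Dot segments, empty segments, "%", "\" and
# control characters can never match, so anything still carrying them is rejected.
_SEGMENT = r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?"
CANONICAL_PATH = re.compile(rf"^/(?:{_SEGMENT}/)*(?:{_SEGMENT})?$")


def anonymous_allowed_vulnerable(raw_path: str) -> bool:
    """Vulnerable check (CWE-647): a deny rule matched against the path exactly as the client
    sent it. Any spelling of /admin/ that is not byte-identical to the rule slips past it."""
    return not raw_path.startswith("/admin/")


def canonicalize_path(raw_path: str) -> str:
    """Return the single canonical form of raw_path, or raise ValueError if it cannot be
    reduced to one (the caller treats that as a denial)."""
    if not raw_path.startswith("/"):
        raise ValueError("path must be absolute")
    path = unquote(raw_path)                # decode percent-encoding once: %2e -> ".", %61 -> "a"
    if "%" in path:                         # a second layer (%252e) means the client double-encoded
        raise ValueError("multiply-encoded path")
    if "\\" in path or any(ord(c) < 0x20 for c in path):
        raise ValueError("forbidden characters in path")
    trailing_slash = path.endswith("/")
    path = re.sub(r"/+", "/", path)         # collapse "//" so normpath cannot keep a "//" prefix
    path = posixpath.normpath(path)         # resolve "." and ".." segments; cannot climb above "/"
    if trailing_slash and path != "/":
        path += "/"                         # normpath drops the trailing slash; keep it for prefix rules
    if not CANONICAL_PATH.fullmatch(path):
        raise ValueError(f"non-canonical path: {path!r}")
    return path


def anonymous_allowed(raw_path: str) -> bool:
    """Hardened check: canonicalize first, then allow only the expected prefix. Every other
    path, including any that fails canonicalization, is denied by default."""
    try:
        path = canonicalize_path(raw_path)
    except ValueError:
        return False
    return path.startswith(PUBLIC_PREFIX)


if __name__ == "__main__":
    # Constructed request paths; each of the first seven is /admin/config spelled differently.
    probes = [
        "/admin/config",
        "/%61dmin/config",
        "/./admin/config",
        "//admin/config",
        "/public/../admin/config",
        "/public/%2e%2e/admin/config",
        "/admin/%252e%252e/config",
        "/public/css/../index.html",
    ]
    for p in probes:
        print(f"{p:32} vulnerable={anonymous_allowed_vulnerable(p)!s:5} "
              f"hardened={anonymous_allowed(p)}")
```

Note that unquote() turns %2F into a real slash, which the canonical form then treats as a segment boundary; if the server distinguishes encoded slashes from literal ones, reject "%2F" before decoding instead of folding it. The double-encoded probe is rejected rather than decoded again: decoding repeatedly would only widen the set of spellings that map to one path.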


Example from CAPEC (CAPEC-4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by substituting the host's IP address for the domain name, the attacker may bypass the application's authentication and authorization controls. The attack relies on the victim applying the policy to the namespace abstraction (the domain name) rather than having a default-deny policy in place to manage exceptions.
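The CAPEC scenario above, as an added Python example that is not part of the CWE or CAPEC text: a front-end that keys its authentication filter on the literal Host string example.domain:8080 and lets every other Host value fall through, beside a default-deny version that first folds the inet_aton()-style IPv4 spellings (decimal, leading-zero octal, 0x hex and the short forms) to dotted-quad. The proxy design, the 203.0.113.10 address (from the TEST-NET-3 documentation range) and the Host header probes are assumptions constructed for the example; it goes beyond the single IP-address case in the text by covering the alternative encodings CAPEC-4 is named for.

```python
import re
from typing import Optional, Tuple

# Hypothetical setup for this added example (not from the CAPEC text): a front-end proxy
# applies the authentication filter when the Host header names the application vhost.
# 203.0.113.10 is a constructed address from the TEST-NET-3 documentation range.
PROTECTED_HOST = "example.domain:8080"
APP_ADDRESS = "203.0.113.10"


def route_vulnerable(host_header: str) -> str:
    """Vulnerable (CAPEC-4 / CWE-647): the filter is keyed on the namespace string the client
    supplied, and there is no default-deny rule, so any other Host value reaches the same
    application without authentication."""
    return "auth" if host_header == PROTECTED_HOST else "open"


def canonical_ipv4(literal: str) -> Optional[str]:
    """Fold the IPv4 spellings accepted by inet_aton() (decimal, leading-zero octal, 0x hex,
    and the 1-, 2- and 3-part shorthands) into dotted-quad; None if not an IPv4 literal."""
    parts = literal.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part[2:], 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part))
        else:
            return None
    last_bits = 8 * (5 - len(values))       # the last component fills the remaining bytes
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << last_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonical_host(host_header: str) -> Tuple[str, int]:
    """Reduce a Host header to (canonical host, port): lower-cased, trailing dot removed,
    port defaulted to 80, IPv4 literals folded to dotted-quad. Anything else (including
    bracketed IPv6, which this example does not handle) raises ValueError."""
    m = re.fullmatch(r"([A-Za-z0-9.-]+)(?::([0-9]{1,5}))?", host_header.strip())
    if not m:
        raise ValueError("malformed Host header")
    name = m.group(1).lower().rstrip(".")
    port = int(m.group(2)) if m.group(2) else 80
    return canonical_ipv4(name) or name, port


# Every canonical (host, port) that reaches the application, including its IP address.
# A request whose canonical form is not listed is refused outright: the default-deny rule.
PROTECTED_NAMESPACE = {("example.domain", 8080), (APP_ADDRESS, 8080)}


def route(host_header: str) -> str:
    """Hardened: "auth" for any spelling of the protected namespace, "deny" for all else."""
    try:
        key = canonical_host(host_header)
    except ValueError:
        return "deny"
    return "auth" if key in PROTECTED_NAMESPACE else "deny"


if __name__ == "__main__":
    # Constructed Host headers; all but the last name the same server as example.domain:8080.
    probes = ["example.domain:8080", "EXAMPLE.domain.:8080", "203.0.113.10:8080",
              "3405803786:8080", "0xcb.0.0x71.0xa:8080", "0313.0.0161.012:8080",
              "203.28938:8080", "attacker.example:8080"]
    for h in probes:
        print(f"{h:24} vulnerable={route_vulnerable(h):5} hardened={route(h)}")
```

The folding matters only because the server's own resolver (inet_aton and its relatives) accepts those spellings; Python's ipaddress module rejects them outright, and rejecting them is equally acceptable under a default-deny rule. What the vulnerable version lacks is not canonicalization alone but the rule that sends every unrecognized namespace to "deny" instead of to the application.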


Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
The CERT Oracle Secure Coding Standard for Java (2011) | IDS02-J | | Canonicalize path names before validating them