If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:
Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).
Portée | Impact | Probabilité |
---|---|---|
Access Control | Bypass Protection Mechanism Note: An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL. | |
Confidentiality | Read Files or Directories Note: If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program). |
Nom | Organisation | Date | Date de publication | Version |
---|---|---|---|---|
Evgeny Lebanidze | Cigital | Draft 8 |
Nom | Organisation | Date | Commentaire |
---|---|---|---|
CWE Content Team | MITRE | updated Common_Consequences, Relationships | |
CWE Content Team | MITRE | updated Description, Name, Potential_Mitigations, Relationships | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Common_Consequences | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Relationships | |
CWE Content Team | MITRE | updated Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships | |
CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
CWE Content Team | MITRE | updated Applicable_Platforms, Relationships | |
CWE Content Team | MITRE | updated Description | |
CWE Content Team | MITRE | updated Detection_Factors, Relationships, Time_of_Introduction | |
CWE Content Team | MITRE | updated Mapping_Notes |