CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Weakness ID: 551
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.
For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorizationcheck is performed.
Time of Introduction
Technical Impact: Bypass protection
Phase: Architecture and Design
URL Inputs should be decoded and canonicalized to the application's
current internal representation before being validated and processed for
authorization. Make sure that your application does not decode the same
input twice. Such errors could be used to bypass whitelist schemes by
introducing dangerous inputs after they have been checked.