CWE List: Individual Dictionary Definition (1.0)

CWE-647: Using Non-Canonical Paths for Authorization Decisions

Status: Incomplete
Weakness ID: 647 (Weakness Variant)
Description
Summary

If an application defines policy namespaces and makes authorization decisions based on a URL that contains one particular encoding of the path (e.g. one way of representing an IP address), and has no default policy that denies access, an alternate but equivalent encoding of the path may be used to bypass the authorization checks. It is therefore important to specify the access control policy in terms of the path information in a canonical form, with all alternate encodings rejected (which can be accomplished by a default-deny rule).

Likelihood of Exploit

High

Common Consequences

Privilege Escalation

Information Leakage

Enabling Factors for Exploitation

An application specifies its policy namespaces and access control rules based on the path information.

Alternate (but equivalent) encodings exist to represent the same path information that will be understood and accepted by the process consuming the path and granting access to resources.

Potential Mitigations

Base the access control policy on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.

Reject all alternate path encodings that are not in the expected canonical form.

Observed Examples

Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"): An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host, the application's authentication and authorization controls may be bypassed: http://192.168.0.1:8080/application. The attacker relies on the victim applying the policy to the namespace abstraction and not having a default-deny policy in place to manage exceptions.
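As an added illustration of the description and the CAPEC example above (this code is not part of the CWE entry and is not MITRE's), the following Python contrasts a rule that matches the literal request URL with one that canonicalizes the host and path first and denies by default. The host name example.domain, port 8080, the /application and /public prefixes and the policy itself are constructed assumptions for the example.

```python
"""Canonicalize a request URL before making an authorization decision.

Added example, not from the CWE entry. The policy below is constructed:
resources under /application require authentication, resources under
/public do not, and anything else is denied.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

CANONICAL_HOST = "example.domain"   # assumed canonical host name
CANONICAL_PORT = 8080               # assumed canonical port
PROTECTED_PREFIX = "/application"   # assumed: needs authentication
PUBLIC_PREFIX = "/public"           # assumed: open to everyone

# Restrictive pattern for a canonical path: "/" or one or more plain
# segments; "//a" (which posixpath keeps) and odd characters are rejected.
SAFE_PATH = re.compile(r"^/$|^(/[A-Za-z0-9._-]+)+$")


def canonicalize_path(path: str) -> Optional[str]:
    """Return the single canonical form of `path`, or None to deny.

    Percent-decodes once, rejects anything that is still encoded (double
    encoding is not canonical), collapses '.', '..' and '//' segments and
    finally checks the result against SAFE_PATH.
    """
    decoded = unquote(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None
    if not decoded.startswith("/"):
        return None
    normalized = posixpath.normpath(decoded)  # "/public/../x" -> "/x"
    if not SAFE_PATH.match(normalized):
        return None
    return normalized


def canonicalize_host(hostname: Optional[str], port: Optional[int]) -> Optional[str]:
    """Accept only the policy's canonical host name and port.

    IP literals and other aliases (e.g. 192.168.0.1) are denied rather
    than resolved, so the policy never has to enumerate equivalents.
    """
    if hostname is None:
        return None
    host = hostname.lower()
    if host != CANONICAL_HOST or (port or 80) != CANONICAL_PORT:
        return None
    return host


def is_authorized_vulnerable(url: str, authenticated: bool) -> bool:
    """Weak check: the rule matches the literal URL string and everything
    the rule does not mention is allowed (no default deny). An IP-literal
    host or a '/public/../application' path slips past the rule."""
    if url.startswith("http://example.domain:8080/application"):
        return authenticated
    return True


def is_authorized(url: str, authenticated: bool) -> bool:
    """Hardened check: canonicalize host and path, then apply the policy
    to the canonical form only, denying anything that does not match."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:           # malformed port: deny
        return False
    if canonicalize_host(parts.hostname, port) is None:
        return False
    path = canonicalize_path(parts.path)
    if path is None:
        return False
    if path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/"):
        return authenticated
    if path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/"):
        return True
    return False                 # default deny: outside the defined namespace


if __name__ == "__main__":
    for u in ("http://example.domain:8080/application",
              "http://192.168.0.1:8080/application",
              "http://example.domain:8080/public/../application"):
        print(u, "weak:", is_authorized_vulnerable(u, False),
              "hardened:", is_authorized(u, False))
```

The weak function allows the two alternate encodings of the protected resource for an unauthenticated caller; the hardened one reduces each request to one canonical (host, path) pair, evaluates the policy against that pair, and answers "deny" for everything it cannot reduce to an expected form.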
Relationships

Nature    Type            ID   Name                         View(s) this relationship pertains to
ChildOf   Weakness Class  287  Insufficient Authentication  Development Concepts (primary) (699); Research Concepts (primary) (1000)
Applicable Platforms
Languages
All
Time of Introduction
* Architecture and Design
* Implementation
* Operation
Content History
Modifications
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Common_Consequences, Relationships
Page Last Updated: September 10, 2008