Corgea LogoCorgea Security Hub

CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions

Learn about CWE-647 (Use of Non-Canonical URL Paths for Authorization Decisions), its security impact, exploitation methods, and prevention guidelines.

What is Use of Non-Canonical URL Paths for Authorization Decisions?

• Overview: Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647) occurs when an application makes authorization decisions based on URLs without first converting them to a standard, or canonical, form. This can lead to unauthorized access if the application fails to recognize alternative but equivalent forms of URLs.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by using different URL representations that the authorization logic does not account for.
  • Common attack patterns include using different domain case sensitivity, alternate encodings for characters, IP address instead of domain names, adding or omitting trailing slashes, and specifying default ports explicitly.

• Security Impact:

  • Direct consequences include unauthorized access to restricted resources.
  • Potential cascading effects might include data breaches, privilege escalation, and exposure of sensitive information.
  • Business impact can range from loss of customer trust to legal and regulatory penalties if sensitive data is exposed.

• Prevention Guidelines:

  • Specific code-level fixes include normalizing URLs to a canonical form before making authorization checks.
  • Security best practices involve implementing strict access control policies and a default deny rule for non-canonical URLs.
  • Recommended tools and frameworks include those that enforce URL canonicalization and provide robust access control mechanisms, such as security libraries and frameworks with built-in URL normalization features.
Corgea can automatically detect and fix Use of Non-Canonical URL Paths for Authorization Decisions in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: Web Server

Vulnerable Code Example

JavaScript Example

// This JavaScript code checks authorization based on a non-canonical URL path,
// which could be manipulated to bypass security checks.

const express = require('express');
const app = express();

app.use((req, res, next) => {
    // Assume /admin is protected
    if (req.url.startsWith('/admin')) { 
        if (!req.user || !req.user.isAdmin) { 
            return res.status(403).send('Forbidden');
        }
    }
    next();
});

app.get('/admin', (req, res) => {
    res.send('Welcome to the admin panel.');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Vulnerability Explanation:

  • The code checks the req.url to determine if a request is for the /admin path. However, this check is performed on the non-canonical URL path.
  • Attackers can use various URL encodings or path traversal techniques (e.g., /admin%2F, /admin/../admin) to bypass this simple string comparison, potentially gaining unauthorized access.

How to fix Use of Non-Canonical URL Paths for Authorization Decisions?

To fix this issue, it's crucial to use canonical paths when making authorization decisions. Canonicalization is the process of converting data to a standard, normalized form. In the context of URLs, this means decoding and resolving the path to its simplest and most direct form before performing any security checks.

Specific Fixes:

  1. Normalize the URL Path: Use a library or built-in method to canonicalize the URL path.
  2. Validate Authorization Based on Canonical Paths: Ensure that access checks are performed on the canonicalized path to prevent bypasses through encoding tricks or path traversal.

Fixed Code Example

// This JavaScript code uses a canonicalized URL path for authorization decisions,
// preventing bypass via encoding or path manipulation.

const express = require('express');
const path = require('path'); // Import path module for normalization
const app = express();

app.use((req, res, next) => {
    // Canonicalize the URL path
    const canonicalPath = path.normalize(decodeURIComponent(req.url)); // Decode and normalize the URL

    // Assume /admin is protected
    if (canonicalPath === '/admin') { 
        if (!req.user || !req.user.isAdmin) { 
            return res.status(403).send('Forbidden');
        }
    }
    next();
});

app.get('/admin', (req, res) => {
    res.send('Welcome to the admin panel.');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Explanation of the Fix:

  • Canonicalization: The path.normalize() method is used in conjunction with decodeURIComponent() to canonicalize req.url, ensuring the path is in its simplest form before any checks are performed. This prevents attackers from bypassing security checks using path traversal or encoding.
  • Secure Comparison: The authorization decision is now based on the canonicalized path, ensuring that only exact matches to /admin are processed, mitigating the risk of unauthorized access.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions and get remediation guidance

Start for free and no credit card needed.