Resource Identification and URI Normalization

DirX Access (DXA) manages access to resources that are identified by unique identifiers, for example URIs. This documentation describes how DXA identifies resources by URI, how path traversal attacks work against naive path matching, and how URI normalization keeps access decisions consistent.

Resource Identification

DXA can identify resources using URIs, which specify paths to the resources. Policies can be created for paths starting or ending with specific segments. However, URIs can include special characters that affect the resolved target URI. To avoid misinterpreting resources, DXA normalizes the paths of requested resources instead of comparing them as strings.

Path Traversal Attacks

URIs support path segments such as /../, which move one step back in the resource path. This can be exploited in path traversal attacks, where an attacker accesses unauthorized resources. For example, an attacker might target a resource excluded from authorization and use path traversal to access a protected resource.

Example attack

The steps below show how an attacker might exploit a path traversal vulnerability in a naive prefix check:

  • The Policy Enforcement Point (PEP) is configured to skip authorization for web applications identified by the context path /resources/unprotected.

  • The attacker sends a request to /resources/unprotected/../protected.

  • The PEP passes the request without authorization, as it starts with the specified context path.

  • The server resolves the path to the protected endpoint, bypassing security controls.

Figure 1. Example of possible path traversal attack

Mitigating Path Traversal Attacks

DXA mitigates such attacks by normalizing requests as soon as they are received by the first request handler. Additionally, external infrastructure such as firewalls, proxies, load balancers, or Web Application Firewalls (WAF) can be configured to prevent these attacks and normalize the URI.

Resource URI Normalization in DXA

Access to resources can be requested in two main ways: directly through the path URI or via a request parameter. DXA normalizes the URI in both cases:

  • Direct Path URI: Normalized immediately upon entering the DXA container.

  • Request Parameter: Normalized within the server before identifying the applicable policy.

Figure 2. Normalization of resources

When a resource (R1) is requested, a request wrapper is applied at the DXA container entry, ensuring that the URI no longer contains dot segments (/./ and /../) that could be misinterpreted. This process follows RFC 3986, Uniform Resource Identifier (URI): Generic Syntax.

Normalization takes effect in various scenarios:

Resolving Exclusion for Web Applications

  • Web applications can be excluded from authorization based on context paths.

  • Example: If the application with context path /app1 is excluded, a request to /app1/../app2 is resolved to /app2 before checking the exclusion.
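The following Python code is an added example and is not DirX Access code. It implements the RFC 3986 remove_dot_segments algorithm and applies it to both exclusion cases on this page: the /resources/unprotected/../protected request from the path traversal example and the /app1/../app2 request above. It generalizes beyond those two paths to any dot-segment input, and the query parameter name resource used in resource_from_request is an assumption for the example, not a DXA parameter name.

```python
"""Added example, not DirX Access code: RFC 3986 dot-segment removal and
the difference between an exclusion check on the raw request path and on
the normalized path. Context paths below are the ones from this page."""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit


def remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." segments of a URI path (RFC 3986, section 5.2.4).

    Segments are processed left to right: "." is dropped, ".." discards the
    segment before it (never climbing above the root), anything else is
    kept. A trailing "." or ".." leaves a trailing "/", as in the RFC.
    Percent-encoding is left untouched on purpose: only dot segments are
    resolved here, which is what the page describes.
    """
    absolute = path.startswith("/")
    segments = path.split("/")[1:] if absolute else path.split("/")
    output: list[str] = []
    for index, segment in enumerate(segments):
        last = index == len(segments) - 1
        if segment == ".":
            if last:
                output.append("")  # "/a/b/." -> "/a/b/"
        elif segment == "..":
            if output:
                output.pop()
            if last:
                output.append("")  # "/a/b/.." -> "/a/"
        else:
            output.append(segment)
    resolved = "/".join(output)
    return "/" + resolved if absolute else resolved


def is_excluded(request_path: str, excluded_context_paths: tuple[str, ...],
                normalize: bool = True) -> bool:
    """Does the request fall under a context path excluded from authorization?

    normalize=False reproduces the naive prefix check that the path traversal
    example defeats; normalize=True is the check that DXA's normalization
    makes safe. The "/" boundary keeps /app1 from also matching /app10.
    """
    path = remove_dot_segments(request_path) if normalize else request_path
    return any(path == cp or path.startswith(cp + "/")
               for cp in excluded_context_paths)


def resource_from_request(request_uri: str,
                          parameter: str = "resource") -> tuple[str, str | None]:
    """Normalize both places a resource can be named: the request path itself
    and a resource passed in a query parameter. The parameter name "resource"
    is an assumption for this example, not a DXA parameter name."""
    parts = urlsplit(request_uri)
    direct = remove_dot_segments(parts.path)
    values = parse_qs(parts.query).get(parameter)
    via_parameter = remove_dot_segments(values[0]) if values else None
    return direct, via_parameter


if __name__ == "__main__":
    excluded = ("/resources/unprotected",)
    attack = "/resources/unprotected/../protected"
    print(remove_dot_segments(attack))                     # /resources/protected
    print(is_excluded(attack, excluded, normalize=False))  # True: raw prefix check skips authorization
    print(is_excluded(attack, excluded))                   # False: normalized path is not excluded
    print(is_excluded("/app1/../app2", ("/app1",)))        # False: resolves to /app2 first
    print(resource_from_request("/app1/../app2?resource=/app1/../app2"))
```

The two calls to is_excluded on the same attack path are the whole point: the raw string starts with the excluded context path, so a naive check waves it through, while the normalized path /resources/protected does not and is sent to authorization. The same function, applied to the multi-PEP context paths and the authentication policy lookup, is why those comparisons must run on the normalized URI as well.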

Multi-PEP assignment

  • DXA can assign PEPs from multi-PEP assignments based on context path and port.

  • The context paths in multi-PEP assignments are compared to the normalized request URI to ensure correct PEP handling.

Authentication policy

  • The URI is always normalized before determining what resource is being accessed and assigning the authentication policy.

XACML policies

XACML policies can also include rules based on the URI, for example a rule whose target is a specific URI or any URI that starts with a given segment. Inside DirX Access, whenever an attribute of type anyURI is constructed, the URI is normalized first, because matching functions could otherwise interpret the policy incorrectly when the URI contains /../ segments. Note that if a policy matches on type string, values that are technically URIs might not be normalized.

  • XACML policies may include rules based on URIs.

  • Example: for the attribute type anyURI, a policy targeting URIs that start with a specific segment is evaluated against the normalized URI, which avoids misinterpretation.

  • String-typed values that resemble URIs might not be normalized.
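The following Python code is an added example, not DirX Access or XACML engine code. It models two attribute values, one typed anyURI and one typed string, and a starts-with match over them to show the consequence described above: a rule targeting URIs under /protected catches /unprotected/../protected/report only when the attribute is anyURI, because only that type is normalized on construction. The data type identifiers are the XML Schema ones XACML uses; normalize_uri relies on urljoin from the standard library, which applies the RFC 3986 dot-segment algorithm, and the placeholder base host it joins against is a constructed value.

```python
"""Added example, not DirX Access code: why an anyURI-typed attribute is
normalized when constructed while a string-typed attribute is compared
verbatim, and what that means for a starts-with rule."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit, urlunsplit

# XML Schema data type identifiers as used by XACML attribute values.
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
STRING = "http://www.w3.org/2001/XMLSchema#string"


def normalize_uri(uri: str) -> str:
    """Resolve dot segments with the standard library.

    urljoin applies RFC 3986 remove_dot_segments when resolving a reference,
    so joining the path onto a constructed base host yields the normalized
    path; scheme, host, query and fragment of the input are kept as they are.
    """
    parts = urlsplit(uri)
    resolved = urlsplit(urljoin("http://placeholder.invalid/", parts.path))
    return urlunsplit((parts.scheme, parts.netloc, resolved.path,
                       parts.query, parts.fragment))


@dataclass(frozen=True)
class AttributeValue:
    """Minimal stand-in for an XACML attribute value with its data type."""
    data_type: str
    value: str


def make_attribute(data_type: str, raw: str) -> AttributeValue:
    """Construct an attribute value; anyURI is normalized, string is not."""
    if data_type == ANY_URI:
        return AttributeValue(data_type, normalize_uri(raw))
    return AttributeValue(data_type, raw)


def starts_with(prefix: AttributeValue, subject: AttributeValue) -> bool:
    """Stand-in for the XACML starts-with matching functions: both arguments
    must share a data type, and the comparison is on the stored value."""
    if prefix.data_type != subject.data_type:
        raise TypeError("starts-with requires matching data types")
    return subject.value.startswith(prefix.value)


def protected_rule_applies(resource_id: str, data_type: str) -> bool:
    """Would a rule targeting resources under /protected apply to resource_id
    when the resource attribute is declared with the given data type?"""
    rule_target = make_attribute(data_type, "/protected")
    requested = make_attribute(data_type, resource_id)
    return starts_with(rule_target, requested)


if __name__ == "__main__":
    requested = "/unprotected/../protected/report"
    print(normalize_uri(requested))                    # /protected/report
    print(protected_rule_applies(requested, ANY_URI))  # True: normalized before matching
    print(protected_rule_applies(requested, STRING))   # False: raw string does not start with /protected
```

With the string data type the rule silently fails to match a resource it was meant to cover, which is the caveat the paragraph above makes: declare URI-valued resource attributes as anyURI so that normalization happens before the matching function runs.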

Conclusion

DirX Access ensures secure and efficient resource management by implementing URI normalization and handling mechanisms to address potential vulnerabilities such as path traversal attacks.