Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.