Codepath

URL Manipulation

URL manipulation is one of the easiest attacks to perform: it needs nothing more than a browser's address bar. It is carried out by users who are innocently curious as well as by attackers probing for vulnerabilities.

URLs are not just addresses that browsers and servers pass around as users follow links from page to page. Each one is a request from the browser to the server, and in effect a small command: when the browser asks for X, the server answers with Y. Nothing stops a user from typing other "commands" into the address bar to see what the server gives back.

URLs are easy to edit and usually follow a predictable pattern (`/user/123`, `?page=2`, `?file=report.pdf`). This makes them inviting targets for manipulation.

Manipulation can include:

  • Adding, removing or changing query parameters
  • Guessing the names of pages that are not linked from anywhere
  • Accessing similar resources by changing an identifier (`/report/1` to `/report/2`)
  • Enumerating database records by walking through sequential IDs
  • Escalating access privileges, for example by changing a user or role parameter
  • Detecting installed software from version strings, default paths and error pages
  • Reading files from the server's file system through path traversal (`../`)
  • Passing crafted values in the hope of achieving remote code execution

URL Manipulation Preventions

  • Never consider a URL to be private
    • Not linking to a URL does not mean it will not be found
    • Use access controls to restrict access, not URL obscurity
  • Every URL should enforce proper limits: check that the requesting user is authorized for the specific resource named in the URL, and validate every parameter before using it
  • Consider edge cases and expect the unexpected: missing, duplicated, non-numeric, negative or out-of-range values
  • Every URL should have robust error handling; an unhandled exception can leak stack traces, file paths and version numbers
  • Configure the web server to handle errors and non-existent URLs gracefully, returning generic error pages rather than internal details
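The following is an added example, not code from the original page or from Codepath. It illustrates both lists above: a vulnerable handler that serves `/invoice?id=N` with no ownership check, an enumeration loop that walks the ID range the way a curious user or attacker would, and a hardened handler that validates the parameter, enforces per-resource authorization and returns the same generic response for missing and forbidden records. A second handler shows the file-system case, refusing `../` traversal in a `?file=` parameter. The URL host `example.test`, the document root `/srv/app/public` and the invoice records are all constructed assumptions.

```python
import posixpath
from urllib.parse import urlparse, parse_qs

# Constructed sample data: invoice records keyed by a sequential id.
INVOICES = {
    100: {"owner": "alice", "amount": 42.0},
    101: {"owner": "bob", "amount": 99.5},
    102: {"owner": "alice", "amount": 7.25},
}

# Assumed document root for the download handler (constructed, never touched on disk).
DOC_ROOT = "/srv/app/public"


def vulnerable_invoice(url, current_user):
    """Serves /invoice?id=N with no ownership check: the flaw being discussed."""
    q = parse_qs(urlparse(url).query)
    inv_id = int(q["id"][0])       # ValueError on non-numeric input, KeyError if absent
    return 200, INVOICES[inv_id]   # KeyError on unknown id; any user reads any invoice


def hardened_invoice(url, current_user):
    """Same endpoint with validation, per-resource authorization and uniform errors."""
    q = parse_qs(urlparse(url).query)
    raw = q.get("id", [""])[0]
    if not raw.isdigit():                  # expect the unexpected: reject anything but digits
        return 400, {"error": "bad request"}
    inv = INVOICES.get(int(raw))
    if inv is None or inv["owner"] != current_user:
        # Identical response for "does not exist" and "not yours", so the
        # attacker cannot use the status code to enumerate valid ids.
        return 404, {"error": "not found"}
    return 200, inv


def resolve_download(url):
    """Maps /download?file=NAME onto DOC_ROOT and refuses anything that escapes it."""
    name = parse_qs(urlparse(url).query).get("file", [""])[0]
    # posixpath.join discards DOC_ROOT if NAME is absolute; normpath collapses "..".
    target = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if not target.startswith(DOC_ROOT + "/"):
        return 404, None
    return 200, target


def enumerate_ids(handler, user, start, stop):
    """What a curious user does: walk the id range and record whose data comes back."""
    found = {}
    for i in range(start, stop):
        try:
            status, body = handler(f"https://example.test/invoice?id={i}", user)
        except Exception:   # the vulnerable handler crashes on unknown ids
            continue
        if status == 200:
            found[i] = body["owner"]
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(vulnerable_invoice, "bob", 99, 105))
    print("hardened:  ", enumerate_ids(hardened_invoice, "bob", 99, 105))
    print(resolve_download("https://example.test/download?file=../../etc/passwd"))
```

Logged in as `bob`, the enumeration loop against the vulnerable handler returns every invoice in the range, including Alice's; against the hardened handler it returns only Bob's own record, and out-of-range or malformed ids produce a generic 404 or 400 instead of an exception. The path check is purely string-based; a real server should additionally resolve symlinks and decode the parameter before checking it.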
