Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!
URL manipulation is a common issue on database-driven sites such as job boards, resume databases, blogs or any other site where record identifiers are passed in the URL. By altering certain parts of a URL, a user may be able to retrieve records they are not supposed to have access to.
URL manipulation (sometimes called URL hacking) is the process of altering the parameters in a URL. It is not the same thing as URL rewriting, which is a server-side technique for mapping friendly URLs onto internal ones; rewriting does not protect against manipulation, because the rewritten parameters still come from the user.
In the example below, the website looks up stored resumes by the query-string parameter "resumeid". If the script does not check that the requesting user is allowed to see that record, we can simply edit the number and get back a resume that belongs to someone else:

URL/clientdata.aspx?resumeid=233

Change the "233" to another number, easy!

URL/clientdata.aspx?resumeid=545
If the programmer has not anticipated this possibility, the user may obtain data they have no legitimate right to see, and because ids are usually sequential the whole table can be walked simply by counting up. The manipulation is not limited to numbers: you can also try letters or special characters such as the apostrophe, which will often produce a database error if the parameter is dropped straight into a SQL query. See the previous blog post on HTML Special Character #39 - The Apostrophe.
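To make the difference concrete, here is an added example (not code from Recruitment Directory or from the site described above) of the resume lookup written both ways. The table, the user names "alice" and "bob", the host "URL" and the helper names are all constructed for the demonstration; the real site's ASP.NET handler is not shown on the page. The insecure version trusts the "resumeid" parameter exactly as described above, so changing 233 to 545 returns the other candidate's resume and an apostrophe breaks the query; the hardened version validates the parameter, binds it, and only returns records owned by the logged-in user.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the job board's resume table
# (hypothetical rows, not real recruiter data).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE resumes (resumeid INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
DB.executemany("INSERT INTO resumes VALUES (?, ?, ?)",
               [(233, "alice", "Alice's resume"), (545, "bob", "Bob's resume")])


def resume_id_from_url(url):
    """Pull the raw 'resumeid' query parameter out of a request URL, as the server sees it."""
    return parse_qs(urlparse(url).query).get("resumeid", [""])[0]


def fetch_resume_insecure(url):
    """The script 'not written correctly': it trusts the URL parameter outright.

    Two defects: no check that the caller owns the record (URL manipulation),
    and SQL built by string concatenation (so an apostrophe breaks the query).
    """
    resumeid = resume_id_from_url(url)
    sql = "SELECT body FROM resumes WHERE resumeid = " + resumeid
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A stray apostrophe surfaces as a database error, the symptom the
        # apostrophe blog post describes.
        return f"DB ERROR: {exc}"
    return row[0] if row else None


def fetch_resume_secure(url, current_user):
    """Hardened lookup: validate the parameter, bind it, and scope it to the caller.

    current_user is assumed to come from the server-side session, never from
    the URL. Both 'no such resume' and 'not your resume' return None, so an
    attacker cannot use the response to enumerate which ids exist.
    """
    resumeid = resume_id_from_url(url)
    if not re.fullmatch(r"[0-9]{1,10}", resumeid):   # rejects letters, ', OR 1=1 ...
        return None
    row = DB.execute(
        "SELECT body FROM resumes WHERE resumeid = ? AND owner = ?",
        (int(resumeid), current_user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    base = "http://URL/clientdata.aspx?resumeid="
    # Alice is logged in and edits the number in her own URL to Bob's id.
    print(fetch_resume_insecure(base + "545"))             # Bob's resume leaks
    print(fetch_resume_secure(base + "545", "alice"))      # None: not hers
    print(fetch_resume_insecure(base + "233'"))            # DB ERROR: ...
    print(fetch_resume_insecure(base + "545%20OR%201%3D1"))  # first row in the table
```

Note that the ownership check lives in the WHERE clause, so there is no window between "look up the record" and "check who owns it"; and the validation is an allow-list (digits only) rather than an attempt to strip bad characters.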
To secure your website against URL manipulation, check the following:

- Make sure every script that takes a record id from the URL checks, on the server, that the logged-in user is actually entitled to that record. Anything in the URL is user input and cannot be trusted.
- Make sure the server accurately interprets dynamic pages
- Delete unnecessary script interpreters
- Prevent HTTP viewing of HTTPS-accessible pages
- Make sure the server protects access to directories containing sensitive data
- Delete unnecessary configuration options

Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-2-url-manipulation-a199.html
Article Tags: insecure job board recruitment website hacking security url manipulation url hacking url rewriting