Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

How secure is your Recruitment website? Part 2 - URL Manipulation

Posted By: Thomas Shaw, 1:20pm Saturday 06 June 2009    Print Article

URL manipulation is a common issue faced in all database driven sites such as job boards, resume databases, blogs or any other site where parameters are passed via the URL. By manipulating certain parts of a URL, users may be able to access files they are not supposed to have access to.

URL manipulation, also called URL rewriting, is the process of altering parameters in a URL.

In this example below, the website stores data files on the server with a parameter "resumeid". If the script is not written correctly, we can edit the number and return another resume we may or may not have access to

URL/clientdata.aspx?resumeid=233

Change the "233" to another numeric number, easy!

URL/clientdata.aspx?resumeid=545

If the programmer has not anticipated this possibility, the user may potentially obtain data legitimately. This manipulation is not limited to numbers, you can try letters or special characters. See previous blog post on HTML Special Character #39 - The Apostrophe

To secure your website against URL manipulation, you should check on the following
  • Make sure the server accurately interprets dynamic pages
  • Delete unnecessary script interpreters
  • Prevent HTTP viewing of HTTPS accessible pages. Make sure the server - Protects access to directories containing sensitive data
  • Delete unnecessary configuration options



Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-2-url-manipulation-a199.html

Article Tags: insecure job board recruitment website hacking security url manipulation url hacking url rewriting

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

What Thomas is reading - 19 Dec 2008
Published: 12:59am Friday 19 December 2008

Fun and Games working for Domino's Pizza
Published: 8:27pm Monday 09 March 2009

Online Recruitment - UK Draft Code of Practice
Published: 7:30am Wednesday 23 February 2011

Hide recruiter job adverts? No thanks
Published: 1:29pm Thursday 18 December 2008

Job Board Statistics - February 2010
Published: 4:12pm Wednesday 03 March 2010