Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

How secure is your Recruitment website? Part 2 - URL Manipulation

Posted By: Thomas Shaw, 1:20pm Saturday 06 June 2009    Print Article

URL manipulation is a common issue faced in all database driven sites such as job boards, resume databases, blogs or any other site where parameters are passed via the URL. By manipulating certain parts of a URL, users may be able to access files they are not supposed to have access to.

URL manipulation, also called URL rewriting, is the process of altering parameters in a URL.

In this example below, the website stores data files on the server with a parameter "resumeid". If the script is not written correctly, we can edit the number and return another resume we may or may not have access to

URL/clientdata.aspx?resumeid=233

Change the "233" to another numeric number, easy!

URL/clientdata.aspx?resumeid=545

If the programmer has not anticipated this possibility, the user may potentially obtain data legitimately. This manipulation is not limited to numbers, you can try letters or special characters. See previous blog post on HTML Special Character #39 - The Apostrophe

To secure your website against URL manipulation, you should check on the following
  • Make sure the server accurately interprets dynamic pages
  • Delete unnecessary script interpreters
  • Prevent HTTP viewing of HTTPS accessible pages. Make sure the server - Protects access to directories containing sensitive data
  • Delete unnecessary configuration options



Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-2-url-manipulation-a199.html

Article Tags: insecure job board recruitment website hacking security url manipulation url hacking url rewriting

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

From a Harvard Idea to the YouTube of Recruiting
Published: 5:53pm Sunday 18 January 2009

Can your job site translate HTML code?
Published: 6:48pm Sunday 04 October 2009

What really grinds my gears
Published: 2:06pm Tuesday 03 February 2009

Gartner's 2009 Magic Quadrant for E-Recruitment Software report
Published: 5:50pm Thursday 10 December 2009

Advanced Twitter use for Recruitment
Published: 4:58pm Wednesday 27 May 2009