Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

How secure is your Recruitment website? Part 2 - URL Manipulation

Posted By: Thomas Shaw, 1:20pm Saturday 06 June 2009    Print Article

URL manipulation is a common issue faced in all database driven sites such as job boards, resume databases, blogs or any other site where parameters are passed via the URL. By manipulating certain parts of a URL, users may be able to access files they are not supposed to have access to.

URL manipulation, also called URL rewriting, is the process of altering parameters in a URL.

In this example below, the website stores data files on the server with a parameter "resumeid". If the script is not written correctly, we can edit the number and return another resume we may or may not have access to

URL/clientdata.aspx?resumeid=233

Change the "233" to another numeric number, easy!

URL/clientdata.aspx?resumeid=545

If the programmer has not anticipated this possibility, the user may potentially obtain data legitimately. This manipulation is not limited to numbers, you can try letters or special characters. See previous blog post on HTML Special Character #39 - The Apostrophe

To secure your website against URL manipulation, you should check on the following
  • Make sure the server accurately interprets dynamic pages
  • Delete unnecessary script interpreters
  • Prevent HTTP viewing of HTTPS accessible pages. Make sure the server - Protects access to directories containing sensitive data
  • Delete unnecessary configuration options



Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-2-url-manipulation-a199.html

Article Tags: insecure job board recruitment website hacking security url manipulation url hacking url rewriting

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Ambulance Chasers
Published: 6:43pm Tuesday 24 February 2009

Australian Job Board Statistics - September 2010
Published: 1:16pm Monday 04 October 2010

Tips for Avoiding Website Roadblocks
Published: 3:22pm Wednesday 23 June 2010

Q&A about SimplyHired launcing in Australia & LinkedIn applications
Published: 5:28pm Tuesday 25 November 2008

Is your job board PCI DSS compliant?
Published: 8:30am Monday 07 June 2010