Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

How secure is your Recruitment website? Part 2 - URL Manipulation

Posted By: Thomas Shaw, 1:20pm Saturday 06 June 2009    Print Article

URL manipulation is a common issue faced in all database driven sites such as job boards, resume databases, blogs or any other site where parameters are passed via the URL. By manipulating certain parts of a URL, users may be able to access files they are not supposed to have access to.

URL manipulation, also called URL rewriting, is the process of altering parameters in a URL.

In this example below, the website stores data files on the server with a parameter "resumeid". If the script is not written correctly, we can edit the number and return another resume we may or may not have access to

URL/clientdata.aspx?resumeid=233

Change the "233" to another numeric number, easy!

URL/clientdata.aspx?resumeid=545

If the programmer has not anticipated this possibility, the user may potentially obtain data legitimately. This manipulation is not limited to numbers, you can try letters or special characters. See previous blog post on HTML Special Character #39 - The Apostrophe

To secure your website against URL manipulation, you should check on the following
  • Make sure the server accurately interprets dynamic pages
  • Delete unnecessary script interpreters
  • Prevent HTTP viewing of HTTPS accessible pages. Make sure the server - Protects access to directories containing sensitive data
  • Delete unnecessary configuration options



Article URL: http://www.recruitmentdirectory.com.au/Blog/how-secure-is-your-recruitment-website-part-2-url-manipulation-a199.html

Article Tags: insecure job board recruitment website hacking security url manipulation url hacking url rewriting

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

My job site has been hacked. What do I do?
Published: 10:16pm Sunday 05 July 2009

Adlogic Mobile
Published: 7:00pm Thursday 27 January 2011

Integrating Facebook Connect in your job site is not rocket science
Published: 1:08pm Monday 12 April 2010

Oops! Tips - May 2010
Published: 11:23pm Wednesday 12 May 2010

Cut the fat. Expired job ads should not be displayed
Published: 7:00pm Sunday 15 November 2009