Both malicious and curious users may attempt to manipulate URL strings to bypass access controls or the expected path through a website.
A URL manipulation attack is when someone edits the URL text in the browser's location bar in order to probe a website. URLs are easily changed, and often follow a pattern, which makes them inviting targets. Manipulation may be performed by innocent users who are just curious, or by hackers who are probing for vulnerabilities. Editing a URL can reveal private information or allow users to perform actions which should be restricted.

Manipulating a URL may reveal a private webpage. A public website may not have a link to the page, or the page may be only accessible under certain conditions. For example, adding preview=true to a URL might show an unpublished version of the page.

URLs may correspond to a set of files and directories. Changing the URL can help to map their structure. Values in a database can also be mapped. If a page displays a person's contact information when the URL contains an ID of 27, then an attacker can try all IDs to get a full list of the people in that database.
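The two situations described above (an ID in the URL that is trusted as-is, and a preview=true parameter that anyone can add) come down to the server never asking whether the requester is allowed to see what the URL names. The following added example, which is not code from the course, contrasts an unchecked contact lookup with one that enforces ownership or an admin role, honours preview=true only for editors, and flags clients in a constructed access log that were refused many different IDs. The contact records, page content, user names, role names and log lines are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not from the course): contact records and who owns them.
CONTACTS = {
    27: {"owner": "alice", "name": "Alice Example", "phone": "555-0101"},
    28: {"owner": "bob", "name": "Bob Example", "phone": "555-0102"},
}

# Constructed sample page with a published and an unpublished (draft) version.
PAGES = {"about": {"published": "About us (published)", "draft": "About us (draft)"}}


def lookup_contact_insecure(contact_id):
    """The pattern the transcript warns about: the id from the URL is used
    directly, so a client can walk id=1, 2, 3, ... and dump every record."""
    return CONTACTS.get(contact_id)


def lookup_contact(contact_id, requester, roles):
    """Hardened lookup: the id from the URL is only a hint; the server decides
    whether *this* requester may see *this* record. A missing record and a
    forbidden record both return None, so the response does not confirm
    which ids exist."""
    record = CONTACTS.get(contact_id)
    if record is None:
        return None
    if record["owner"] != requester and "admin" not in roles:
        return None
    return record


def render_page(slug, params, roles):
    """preview=true is honoured only for editors; everyone else receives the
    published version no matter what the URL says."""
    page = PAGES.get(slug)
    if page is None:
        return None
    want_preview = params.get("preview", "").lower() == "true"
    if want_preview and "editor" in roles:
        return page["draft"]
    return page["published"]


# Constructed access-log lines: "<client ip> <method> <path> <status>".
LOG_LINES = [
    "203.0.113.5 GET /contact?id=1 403",
    "203.0.113.5 GET /contact?id=2 403",
    "203.0.113.5 GET /contact?id=3 403",
    "203.0.113.5 GET /contact?id=4 403",
    "203.0.113.5 GET /contact?id=5 403",
    "203.0.113.5 GET /contact?id=27 200",
    "198.51.100.7 GET /contact?id=27 200",
    "198.51.100.7 GET /contact?id=28 403",
]


def flag_enumeration(log_lines, threshold=5):
    """Detection: count the distinct contact ids each client was refused
    (non-200). A client refused many different ids is walking the id space
    and is returned for review."""
    denied_ids = defaultdict(set)
    for line in log_lines:
        ip, _method, path, status = line.split()
        if status == "200":
            continue
        query = parse_qs(urlparse(path).query)
        for cid in query.get("id", []):
            denied_ids[ip].add(cid)
    return sorted(ip for ip, ids in denied_ids.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(lookup_contact_insecure(28))            # any caller gets Bob's record
    print(lookup_contact(28, "alice", set()))     # None: Alice does not own it
    print(render_page("about", {"preview": "true"}, set()))  # published version
    print(flag_enumeration(LOG_LINES))            # ['203.0.113.5']
```

The hardened lookup returns the same None for "no such record" and "not yours", which keeps the URL from doubling as an oracle for which ids are populated; the detector works on a stream of log lines, so it can be run over a real access log once the line format is adjusted.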
- Threat models
- Least privilege
- Defense in depth
- Validating and sanitizing input
- Credential attacks
- SQL injection
- Cross-site scripting
1. Security Overview
2. General Security Principles
3. Filter Input, Control Output
4. The Most Common Attacks