SlideShare a Scribd company logo

Url manipulation

Download as PPTX, PDF
Shivam Singh
Shivam Singh

Internet Attack

Internet
1 of 12
URL Manipulation Created By: Shivam Singh
Index  Introduction to URLs  What Is URL Manipulation?  URL Manipulation Attacks  Trial and Error  Directory Traversal  Countermeasures
Introduction to URLs  The URL (Uniform Resource Locator) of a web application is the vector that makes it possible to indicate the requested resource. It is a string of printable ASCII characters that is divided into five parts..  The name of the protocol  ID and password  The name of the server  The port  The access path to the resource
What Is URL manipulation?  URL Manipulation comes with all of the problems stated above about Hidden Form Fields, and creates some new problems as well.  HTML Forms may submit their results using one of two methods: GET or POST. If the method is GET, all form element names and their values will appear in the query string of the next URL the user sees. Tampering with hidden form fields is easy enough, but tampering with query strings is even easier. One need only look at the URL in the browser's address bar.
Continue…  Take the following example; a web page allows the authenticated user to select one of his pre-populated accounts from a drop-down box and debit the account with a fixed unit amount. It's a common scenario. His/her choices are recorded by pressing the submit button. The page is actually storing the entries in form field values and submitting them using a form submit command. The command sends the following HTTP request.  A malicious user could construct his own account number and change the parameters. The new parameters would be sent to the application and be processed accordingly.
URL Manipulation Attacks  By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.  On dynamic websites, parameters are mostly passed via the URL as follows:  The data present in the URL are automatically created by the site and when navigating normally, a user simply clicks on the links proposed by the website. http://target/forum/?cat=2
Continue…  If a user manually modifies the parameter, he can try different values, for example:  If the designer has not anticipated this possibility, the hacker may potentially obtain access to an area that is usually protected.  In addition, the hacker can get the site to process an unexpected case, for example: http://target/forum/?cat=6 http://target/forum/?cat=***********
Trial and Error  A hacker may possibly test directories and file extensions randomly in order to find important information. Here a few classic examples:  Search for directories making it possible to administer the site.  Search for a script to reveal information about the remote system.  Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default.  Search for hidden files in the remote system. On UNIX systems, when the site's root directory corresponds to a user's directory, the files created by the system may be accessible via the web.
Directory Traversal  Directory traversal or path traversal attacks involve modifying the tree structure path in the URL in order to force the server to access unauthorized parts of the site.  In a classic example, the user may be forced to gradually move back through the tree structure, particularly in the event that the resource is not accessible
Countermeasures  To secure a web server against URL manipulation attacks, it is necessary to keep a watch on vulnerabilities and regularly apply the patches provided by the web server's publisher.  Moreover, a detailed configuration of the web server helps keep users from surfing on pages they are not supposed to have access to. The web server should therefore be configured as follows:  Prevent the browsing of pages located below the website's root (chroot mechanism)  Disable the display of files present in a directory that does not contain an index file ("Directory Browsing")
Continue…  Delete useless directories and files (including hidden files)  Make sure the server protects access to directories containing sensitive data  Delete unnecessary configuration options  Make sure the server accurately interprets dynamic pages, including backup files (.bak)  Delete unnecessary script interpreters  Prevent HTTP viewing of HTTPS accessible pages.
Thank You… Shivam Singh singh_shivam@ymail.com

Recommended

Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
Brute force attack
Brute force attackBrute force attack
Brute force attackJamil Ali Ahmed
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Introduction to Web Hosting.
Introduction to Web Hosting.Introduction to Web Hosting.
Introduction to Web Hosting.Cloudbells.com
 

Recommended

Web Fundamentals
Web FundamentalsWeb Fundamentals
Web Fundamentalsarunv
 
Brute force attack
Brute force attackBrute force attack
Brute force attackJamil Ali Ahmed
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Password Attack
Password Attack Password Attack
Password Attack Sina Manavi
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Introduction to Web Hosting.
Introduction to Web Hosting.Introduction to Web Hosting.
Introduction to Web Hosting.Cloudbells.com
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdfPhishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdfVaralakshmiKC
 
Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProRonald Soh
 
Shadows Effects in CSS
Shadows Effects in CSSShadows Effects in CSS
Shadows Effects in CSSWebtech Learning
 
Css animation
Css animationCss animation
Css animationAaron King
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Hacking and Types of Hacker.
Hacking and Types of Hacker.Hacking and Types of Hacker.
Hacking and Types of Hacker.Coder Tech
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingRishab garg
 
Password management
Password managementPassword management
Password managementWilmington University
 
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Syed Ubaid Ali Jafri
 
User authentication
User authenticationUser authentication
User authenticationCAS
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking Institute of Information Security (IIS)
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingMonika Deswal
 
Phishing
PhishingPhishing
PhishingSaurabhKantSahu1
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingAltacit Global
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Ch-1_.ppt
Ch-1_.pptCh-1_.ppt
Ch-1_.pptberihunmolla2
 

More Related Content

What's hot

Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdfPhishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdfVaralakshmiKC
 
Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProRonald Soh
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Hacking and Types of Hacker.
Hacking and Types of Hacker.Hacking and Types of Hacker.
Hacking and Types of Hacker.Coder Tech
 
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Syed Ubaid Ali Jafri
 
User authentication
User authenticationUser authentication
User authenticationCAS
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and SessionsNisa Soomro
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 

What's hot (20)

Operating system security
Operating system securityOperating system security
Operating system security
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdfPhishing Website Detection by Machine Learning Techniques Presentation.pdf
Phishing Website Detection by Machine Learning Techniques Presentation.pdf
 
Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-Pro
 
Shadows Effects in CSS
Shadows Effects in CSSShadows Effects in CSS
Shadows Effects in CSS
 
Css animation
Css animationCss animation
Css animation
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Hacking and Types of Hacker.
Hacking and Types of Hacker.Hacking and Types of Hacker.
Hacking and Types of Hacker.
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Password management
Password managementPassword management
Password management
 
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
Securing PoS Terminal - A Technical Guideline on Securing PoS System From Hac...
 
User authentication
User authenticationUser authentication
User authentication
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
PHP Cookies and Sessions
PHP Cookies and SessionsPHP Cookies and Sessions
PHP Cookies and Sessions
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Phishing
PhishingPhishing
Phishing
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Sql injection
Sql injectionSql injection
Sql injection
 
Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorization
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 

Similar to Url manipulation

Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdfZani10
 
Html intake 38 lect1
Html intake 38 lect1Html intake 38 lect1
Html intake 38 lect1ghkadous
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Falljtmelton
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Web Database
Web DatabaseWeb Database
Web Databaseidroos7
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Web Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfWeb Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfRaghunathan52
 
Web Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfWeb Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfRaghunathan52
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsphanleson
 
Angular - Chapter 7 - HTTP Services
Angular - Chapter 7 - HTTP ServicesAngular - Chapter 7 - HTTP Services
Angular - Chapter 7 - HTTP ServicesWebStackAcademy
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 

Similar to Url manipulation (20)

Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Ch-1_.ppt
Ch-1_.pptCh-1_.ppt
Ch-1_.ppt
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf0_Leksion_Web_Servers (1).pdf
0_Leksion_Web_Servers (1).pdf
 
Web Security
Web SecurityWeb Security
Web Security
 
Html intake 38 lect1
Html intake 38 lect1Html intake 38 lect1
Html intake 38 lect1
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
Webbasics
WebbasicsWebbasics
Webbasics
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Web Database
Web DatabaseWeb Database
Web Database
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
 
Web Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfWeb Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdf
 
Web Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdfWeb Technologies Notes - TutorialsDuniya.pdf
Web Technologies Notes - TutorialsDuniya.pdf
 
Secure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web ApplicationsSecure coding | XSS Attacks on current Web Applications
Secure coding | XSS Attacks on current Web Applications
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Angular - Chapter 7 - HTTP Services
Angular - Chapter 7 - HTTP ServicesAngular - Chapter 7 - HTTP Services
Angular - Chapter 7 - HTTP Services
 
Secure Coding
Secure Coding Secure Coding
Secure Coding
 
gofortution
gofortutiongofortution
gofortution
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 

More from Shivam Singh

Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measureShivam Singh
 
The problems of syrian refugees and european union
The problems of syrian refugees and european unionThe problems of syrian refugees and european union
The problems of syrian refugees and european unionShivam Singh
 
Lightweight cryptography
Lightweight cryptographyLightweight cryptography
Lightweight cryptographyShivam Singh
 
Homomorphic encryption in_cloud
Homomorphic encryption in_cloudHomomorphic encryption in_cloud
Homomorphic encryption in_cloudShivam Singh
 
Enhancing security in cloud storage
Enhancing security in cloud storageEnhancing security in cloud storage
Enhancing security in cloud storageShivam Singh
 
Democracy is mobocracy in india
Democracy is mobocracy in indiaDemocracy is mobocracy in india
Democracy is mobocracy in indiaShivam Singh
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environmentShivam Singh
 

More from Shivam Singh (11)

Wpa2 psk security measure
Wpa2 psk security measureWpa2 psk security measure
Wpa2 psk security measure
 
Virtualization
VirtualizationVirtualization
Virtualization
 
The problems of syrian refugees and european union
The problems of syrian refugees and european unionThe problems of syrian refugees and european union
The problems of syrian refugees and european union
 
Lightweight cryptography
Lightweight cryptographyLightweight cryptography
Lightweight cryptography
 
I pv6 mechanism
I pv6 mechanismI pv6 mechanism
I pv6 mechanism
 
Homomorphic encryption in_cloud
Homomorphic encryption in_cloudHomomorphic encryption in_cloud
Homomorphic encryption in_cloud
 
Enhancing security in cloud storage
Enhancing security in cloud storageEnhancing security in cloud storage
Enhancing security in cloud storage
 
Democracy is mobocracy in india
Democracy is mobocracy in indiaDemocracy is mobocracy in india
Democracy is mobocracy in india
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environment
 
Threads
ThreadsThreads
Threads
 

Recently uploaded

定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 

Url manipulation

  • 2. Index  Introduction to URLs  What Is URL Manipulation?  URL Manipulation Attacks  Trial and Error  Directory Traversal  Countermeasures
  • 3. Introduction to URLs  The URL (Uniform Resource Locator) of a web application is the vector that makes it possible to indicate the requested resource. It is a string of printable ASCII characters that is divided into five parts..  The name of the protocol  ID and password  The name of the server  The port  The access path to the resource
  • 4. What Is URL manipulation?  URL Manipulation comes with all of the problems stated above about Hidden Form Fields, and creates some new problems as well.  HTML Forms may submit their results using one of two methods: GET or POST. If the method is GET, all form element names and their values will appear in the query string of the next URL the user sees. Tampering with hidden form fields is easy enough, but tampering with query strings is even easier. One need only look at the URL in the browser's address bar.
  • 5. Continue…  Take the following example; a web page allows the authenticated user to select one of his pre-populated accounts from a drop-down box and debit the account with a fixed unit amount. It's a common scenario. His/her choices are recorded by pressing the submit button. The page is actually storing the entries in form field values and submitting them using a form submit command. The command sends the following HTTP request.  A malicious user could construct his own account number and change the parameters. The new parameters would be sent to the application and be processed accordingly.
  • 6. URL Manipulation Attacks  By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.  On dynamic websites, parameters are mostly passed via the URL as follows:  The data present in the URL are automatically created by the site and when navigating normally, a user simply clicks on the links proposed by the website. http://target/forum/?cat=2
  • 7. Continue…  If a user manually modifies the parameter, he can try different values, for example:  If the designer has not anticipated this possibility, the hacker may potentially obtain access to an area that is usually protected.  In addition, the hacker can get the site to process an unexpected case, for example: http://target/forum/?cat=6 http://target/forum/?cat=***********
  • 8. Trial and Error  A hacker may possibly test directories and file extensions randomly in order to find important information. Here a few classic examples:  Search for directories making it possible to administer the site.  Search for a script to reveal information about the remote system.  Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default.  Search for hidden files in the remote system. On UNIX systems, when the site's root directory corresponds to a user's directory, the files created by the system may be accessible via the web.
  • 9. Directory Traversal  Directory traversal or path traversal attacks involve modifying the tree structure path in the URL in order to force the server to access unauthorized parts of the site.  In a classic example, the user may be forced to gradually move back through the tree structure, particularly in the event that the resource is not accessible
  • 10. Countermeasures  To secure a web server against URL manipulation attacks, it is necessary to keep a watch on vulnerabilities and regularly apply the patches provided by the web server's publisher.  Moreover, a detailed configuration of the web server helps keep users from surfing on pages they are not supposed to have access to. The web server should therefore be configured as follows:  Prevent the browsing of pages located below the website's root (chroot mechanism)  Disable the display of files present in a directory that does not contain an index file ("Directory Browsing")
  • 11. Continue…  Delete useless directories and files (including hidden files)  Make sure the server protects access to directories containing sensitive data  Delete unnecessary configuration options  Make sure the server accurately interprets dynamic pages, including backup files (.bak)  Delete unnecessary script interpreters  Prevent HTTP viewing of HTTPS accessible pages.