
URL manipulation attacks

Introduction to URLs

The URL (Uniform Resource Locator) of a web application is the means by which the requested resource is identified. It is a string of printable ASCII characters that is divided into five parts:

  • The name of the protocol: this is, in a sense, the language used to communicate on the network. The most widely used protocol is HTTP (HyperText Transfer Protocol), which makes it possible to exchange web pages in HTML format. A variety of other protocols may also be used (FTP, News, Mailto, etc.)
  • ID and password: makes it possible to specify the parameters required to access a secure server. This option is not recommended, since the password travels in clear text in the URL
  • The name of the server: this is the domain name of the computer hosting the requested resource. Note that it is also possible to use the server's IP address.
  • The port number: this is a number associated with a service that tells the server what type of resource is being requested. For HTTP, the default port is 80. When the server's web service listens on port 80, the port number may be omitted.
  • The access path to the resource: this last part tells the server where the resource is located, that is, in general, the location (directory) and the requested file name.

A URL has the following structure:

  Protocol   Password (optional)   Server name               Port (optional if 80)   Path
  http://    user:password@        www.commentcamarche.net   :80                     /glossair/glossair.php3

A URL can also carry parameters to the server: the file name is followed by a question mark and then data in ASCII format. Such a URL is a string of characters with the following format:

http://en.kioskea.net/forum/?cat=1&page=2

URL manipulation

By manipulating certain parts of a URL, a hacker can get a web server to deliver web pages he is not supposed to have access to.

On dynamic websites, parameters are mostly passed via the URL as follows:

http://target/forum/?cat=2

The data present in the URL are generated automatically by the site: when navigating normally, a user simply clicks on the links proposed by the website. A user who modifies the parameter by hand can try different values, for example:

http://target/forum/?cat=6

If the designer has not anticipated this possibility, the hacker may potentially obtain access to an area that is usually protected.

In addition, the hacker can get the site to process an unexpected case, for example:

http://target/forum/?cat=***********

In the above example, if the site's designer has not anticipated the case where the data is not a number, the site may enter an unexpected state and reveal information in an error message.

Trial and error

A hacker may also test directories and file extensions at random in order to find important information. Here are a few classic examples:

  • Search for directories making it possible to administer the site:
    http://target/admin/
    http://target/admin.cgi
  • Search for a script to reveal information about the remote system:
    http://target/phpinfo.php3
  • Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default, which can cause a script to be displayed:
    http://target/.bak
  • Search for hidden files in the remote system. On UNIX systems, when the site's root directory corresponds to a user's directory, the files created by the system may be accessible via the web:
    http://target/.bash_history
    http://target/.htaccess

Directory traversal

So-called directory traversal or path traversal attacks involve modifying the tree structure path in the URL in order to force the server to access unauthorized parts of the site.

In a classic example, the user may be led to gradually move back up the directory tree, particularly when a resource turns out to be inaccessible, for example:

http://target/base/test/ascii.php3
http://target/base/test/
http://target/base/

On vulnerable servers, attackers can simply move back through the path with several "../" type strings:

http://target/../../../../directory/file

More advanced attacks encode certain characters:

  • either in the form of URL encoding:
    http://target/..%2F..%2F..%2Fdirectory/file
  • or with a Unicode notation:
    http://target/..%u2216..%u2216directory/file

Many dynamic sites pass the name of pages to be displayed as parameters in a form similar to the following:

http://target/cgi-bin/script.cgi?url=index.htm

If no checks are carried out, a hacker may modify the URL by hand in order to request a site resource he does not have direct access to, for example:

http://target/cgi-bin/script.cgi?url=script.cgi
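As an added illustration (not code from the original page), the following Python function shows how a server-side script that receives a parameter such as url=index.htm can confine the requested path to the web root, rejecting the plain "../", URL-encoded (%2F) and %u-encoded forms shown above while still accepting legitimate relative paths; WEB_ROOT is an assumed path used only for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example; a real server uses its own.
WEB_ROOT = "/var/www/site"

# Non-standard %uXXXX escapes (as in ..%u2216..) are not decoded by
# urllib.parse.unquote; rather than guess at their meaning, reject them.
_PERCENT_U = re.compile(r"%u[0-9a-fA-F]{4}")


def resolve_requested_path(web_root: str, requested: str) -> Optional[str]:
    """Return the absolute file path for the raw parameter value `requested`
    if it stays inside web_root, otherwise None."""
    if _PERCENT_U.search(requested):
        return None                      # %u-style encoding: refuse outright
    decoded = unquote(requested)         # decode one layer of %XX escapes
    if "%" in decoded:
        return None                      # a second encoding layer remained
    if "\x00" in decoded:
        return None                      # NUL would truncate a C-string path
    root = os.path.realpath(web_root)
    # Anchor the path under the root, then collapse every "../" segment
    # and symlink so the comparison below is made on the final location.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # The resolved path must be the root itself or something beneath it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("index.htm", "base/test/../ascii.php3",
                  "../../../../etc/passwd", "..%2F..%2F..%2Fdirectory/file",
                  "..%u2216..%u2216directory/file", "%252e%252e/directory/file"):
        print(f"{value!r:45} -> {resolve_requested_path(WEB_ROOT, value)}")
```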

Countermeasures

To secure a web server against URL manipulation attacks, it is necessary to keep a watch on vulnerabilities and regularly apply the patches provided by the web server's publisher.

Moreover, careful configuration of the web server prevents users from browsing pages they are not supposed to have access to. The web server should therefore be configured as follows:

  • Prevent the browsing of pages located outside the website's root directory (for example with a chroot mechanism);
  • Disable the display of files present in a directory that does not contain an index file ("Directory Browsing");
  • Delete useless directories and files (including hidden files);
  • Make sure the server protects access to directories containing sensitive data;
  • Delete unnecessary configuration options;
  • Make sure the server actually interprets dynamic pages rather than serving their source, including backup copies (.bak);
  • Delete unnecessary script interpreters;
  • Prevent HTTP viewing of HTTPS accessible pages.

This document entitled « URL manipulation attacks » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.
