Unrestricted URL Access

Introduction

  • Some applications protect sensitive functionality only by not showing the link or URL to unauthorized users; others do not even hide it. In both cases the server never checks authorization when the URL is requested directly, so an attacker who knows or guesses the URL can perform the operation without ever seeing a link to it.
  • Paths such as "/admin" and "/download" are common and predictable, so hiding them gives no protection: they are among the first guesses in any forced-browsing or dictionary scan of a site.

OWASP Risk Profile

OWASP10-Unrestricted-Access

Defensive Measures

  • ASP.NET: use the built-in Membership and Role providers (role-based authorization rules, or an authorization attribute on the handler) so that the framework checks the caller's role on every request to a protected URL, not only when deciding whether to render a link.
  • Application level: on every request, validate the authenticated identity held in the server-side session against the permission required for the requested URL, and deny by default. Hiding a link is presentation, not access control.