Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Unrestricted URL Access
Introduction
Some applications protect sensitive functionality only by not displaying the links or URLs to unauthorized users; others display such links to everyone. Either way the URL itself is unrestricted: an attacker who knows or guesses it can request it directly and perform the unauthorized operation (this is also called forced browsing).
Paths such as "/admin" and "/download" are common and predictable, so hiding a link to them offers no protection at all.
Demo
OWASP Risk Profile
Defensive Measures
ASP.NET: use membership roles so that the framework checks the caller's role on every request to a protected page, not just when building the menu
Application level: validate the session variables (logged-in user, role) inside the handler of each protected page or operation before doing any work, regardless of how the user reached the URL
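The following is an added example, written for this page and not part of the course's ASP.NET demo, that shows both the flaw described in the introduction (a handler that relies on the link being hidden) and the application-level session validation listed under Defensive Measures. The session store, the role table and the paths are constructed assumptions; it also normalizes the path so that a request like "/download/../admin" is matched against "/admin" rather than slipping through as a download.

```python
import posixpath

# Constructed server-side session store (assumed data, not from the page):
# session id -> attributes the application set at login time.
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": {"user"}},
    "sess-bob": {"user": "bob", "roles": {"user", "admin"}},
}

# Path prefixes that require a role; any other path is public.
PROTECTED = {
    "/admin": {"admin"},
    "/download": {"user", "admin"},
}


def normalize(path):
    """Collapse '.', '..' and duplicate slashes so that
    '/download/../admin' is matched as '/admin', not as a download."""
    return posixpath.normpath("/" + path.lstrip("/"))


def required_roles(path):
    """Return the role set protecting the path, or None if it is public."""
    norm = normalize(path)
    for prefix, roles in PROTECTED.items():
        if norm == prefix or norm.startswith(prefix + "/"):
            return roles
    return None


def render_menu(session_id):
    """Links shown to the user. Both handlers below share this menu;
    only the hardened handler also enforces the rule on the request."""
    sess = SESSIONS.get(session_id)
    roles = sess["roles"] if sess else set()
    links = ["/home"]
    links += [p for p, allowed in PROTECTED.items() if roles & allowed]
    return links


def handle_vulnerable(session_id, path):
    """The flaw: the only 'protection' is that the link is not in the
    menu. Anyone who types /admin into the address bar gets it served."""
    return (200, "served " + normalize(path))


def handle_hardened(session_id, path):
    """Authorization is checked on every request against the server-side
    session variables, regardless of how the user found the URL."""
    needed = required_roles(path)
    if needed is not None:
        sess = SESSIONS.get(session_id)
        if sess is None:
            return (401, "login required")
        if not (sess["roles"] & needed):
            return (403, "forbidden")
    return (200, "served " + normalize(path))


if __name__ == "__main__":
    for sid in (None, "sess-alice", "sess-bob"):
        print(sid, "menu:", render_menu(sid))
        for p in ("/home", "/admin", "/download/../admin/users"):
            print("  ", p, "vulnerable:", handle_vulnerable(sid, p)[0],
                  "hardened:", handle_hardened(sid, p)[0])
```

The point to notice is that render_menu is identical in both cases: the fix is not a better menu but a check that runs in the handler itself, using state the server set at login rather than anything the client supplied.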