Change the URL

Changing parts of your website's URL is a good way to find sneaky security bugs. By changing certain parts of the URL you may gain access to data you shouldn't be able to see.

How to change the URL

To start with, head to a page of your website or web app and copy the URL out to Notepad (or equivalent).
Now study the URL and see how it is composed.

For most standard websites there will be little to observe, but for more secure websites you can often find plenty to play around with.

Example 1 - The Price

For example, let's say there is a URL like this:
www.thisisanexample.com/internetcosts/rate=12.33

In this URL (and this is based on a real one) the price of the internet is included in the URL. When the user submits their room number, the price of the internet (per hour) is submitted along with it.
  • So what happens if you change the price?
  • What happens if you put a zero?
  • What happens if you remove the price?

Example 2 - The Username or ID

For example, let's say there is a URL like this:
www.thisisanexample.com/banking/3525251

In this example the last series of digits is some sort of username or account ID. There was a very high profile bug like this in a live banking system a few years back, which shows how easy it is to make this mistake when creating websites.

In this example you would first log in so that you are "authenticated" against the server. Once you are logged in, try changing the ID number.

In the real world example, changing the number allowed a user access to another user's account. Simply changing the ID number let you see another user's details. Does the same bug exist in your own website?
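The two URL patterns above, as an added example that is not part of the original post: a small in-memory model of a handler for each URL, written first in the vulnerable form the post describes and then in a hardened form. The site name, the account IDs and owners, and the 12.33 rate are constructed values for illustration.

```python
"""Added example (not from the original post): an in-memory model of the two
URL patterns above, each as the vulnerable handler the post describes and as a
hardened one. The site, account IDs, owners and rate are constructed."""

from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional, Tuple

# Constructed server-side data; in a real app these are database rows.
ACCOUNTS = {
    "3525251": {"owner": "alice", "balance": "120.00"},
    "3525252": {"owner": "bob", "balance": "9.50"},
}
INTERNET_RATE_PER_HOUR = Decimal("12.33")   # the only rate the server should honour


@dataclass
class Request:
    """What a handler sees: the value taken from the URL and the server-side session."""
    url_value: str                 # the "12.33" or the "3525251" from the path
    session_user: Optional[str]    # who the server knows is logged in, or None


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# --- Example 1: the price is in the URL -------------------------------------

def charge_vulnerable(req: Request) -> Decimal:
    """Charges whatever rate the client put in the URL: rate=0 costs nothing,
    and removing the rate altogether makes this raise InvalidOperation."""
    return Decimal(req.url_value)


def charge_hardened(req: Request) -> Tuple[Decimal, bool]:
    """Always charges the server-side rate. The URL value is only compared
    against it so that a tampered request can be logged and investigated."""
    try:
        tampered = Decimal(req.url_value) != INTERNET_RATE_PER_HOUR
    except InvalidOperation:           # rate removed, or not a number at all
        tampered = True
    return INTERNET_RATE_PER_HOUR, tampered


# --- Example 2: the account ID is in the URL --------------------------------

def account_vulnerable(req: Request) -> dict:
    """Checks that *someone* is logged in but never *who*: any ID is readable."""
    if req.session_user is None:
        raise Unauthenticated()
    return ACCOUNTS[req.url_value]


def account_hardened(req: Request) -> dict:
    """Authentication and then authorisation: the ID must belong to the session user."""
    if req.session_user is None:
        raise Unauthenticated()
    account = ACCOUNTS.get(req.url_value)
    # Same response for "no such account" and "not your account", so the URL
    # cannot be used to work out which IDs exist.
    if account is None or account["owner"] != req.session_user:
        raise Forbidden()
    return account
```

The point of the hardened versions is that the value in the URL never decides the outcome on its own: the price comes from the server's own record, and the account ID is checked against the identity the session already established. Logging the mismatch in `charge_hardened` is what turns a tampered URL into something your monitoring can see.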

Example 3 - Bypass Authentication

Try logging in to your website and navigating around a few pages. As you do so, copy out each URL and keep them all in a safe place like Notepad or Evernote.

Now log out.

Now grab each of the URLs you put aside and copy and paste them back into the browser now that you are logged out.

  • Can you gain access to pages you shouldn't?
  • What message do you see?
  • Does this work as you expect it to?
  • Are you asked to re-authenticate?
  • Can you see another account?

Useful Hint

Using a web page recording tool like Selenium will give you each of the visited URLs in the script that it creates.

It’s a good way of picking out the URLs of interest.
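The logged-out replay from Example 3 and the hint about recorded scripts, together as an added example that is not part of the original post: it pulls the visited URLs out of a saved recording script, requests each one with no session at all, and sorts the responses into the outcomes the checklist asks about. The recorded script text, the hostname and the canned responses in the demo are all constructed; `fetch_logged_out` is the only part that touches a network, and the demo does not call it.

```python
"""Added example (not from the original post): pull the URLs out of a saved
browser-recording script and replay each one with no session at all, then
sort the responses into the outcomes the checklist above asks about.
The recorded script, the responses and the hostname are constructed."""

import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of what a recorder (for example a Selenium export) writes out.
RECORDED_SCRIPT = '''
def test_balance(self):
    self.driver.get("https://www.thisisanexample.com/login")
    self.driver.find_element(By.ID, "user").send_keys("alice")
    self.driver.get("https://www.thisisanexample.com/banking/3525251")
    self.driver.get("https://www.thisisanexample.com/banking/3525251/statement")
    self.driver.get("https://www.thisisanexample.com/banking/3525251")
'''

URL_RE = re.compile(r'https?://[^\s"\'<>]+')

Response = Tuple[int, str, str]   # (status, Location header, body text)


def extract_urls(script_text: str) -> List[str]:
    """Unique URLs in the order the recording first visited them."""
    seen, urls = set(), []
    for url in URL_RE.findall(script_text):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the 3xx itself is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_logged_out(url: str) -> Response:
    """GET the URL with a fresh opener: no cookies, no auth header, no redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, "", resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 3xx/4xx/5xx all arrive here
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


def classify(status: int, location: str, body: str, login_path: str = "/login") -> str:
    """Name the outcome of a logged-out request in the terms of the checklist."""
    if status in (401, 403):
        return "denied"
    if 300 <= status < 400 and login_path in location:
        return "redirected-to-login"
    if status == 200 and 'type="password"' in body:
        return "login-form-shown"
    if status == 200:
        # Content came back with no session: this is the finding to review by hand.
        return "served-without-session"
    return f"other-{status}"


def replay(urls: List[str], fetch: Callable[[str], Response] = fetch_logged_out) -> Dict[str, str]:
    """Map each saved URL to its classification when requested while logged out."""
    return {url: classify(*fetch(url)) for url in urls}


if __name__ == "__main__":
    # Offline demo: constructed responses standing in for the real site.
    canned = {
        "https://www.thisisanexample.com/login": (200, "", '<input type="password">'),
        "https://www.thisisanexample.com/banking/3525251": (302, "/login?next=/banking/3525251", ""),
        "https://www.thisisanexample.com/banking/3525251/statement": (200, "", "<h1>Statement</h1>"),
    }
    for url, outcome in replay(extract_urls(RECORDED_SCRIPT), canned.__getitem__).items():
        print(f"{outcome:24} {url}")
```

Against a real site you would call `replay(extract_urls(open("recording.py").read()))` and look hardest at anything classified as `served-without-session`; the other outcomes are the site doing what the checklist hopes for. Keeping the classifier separate from the fetch means the same checks can run as a regression test after every deployment.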

Useful Links
Selenium


If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.