URL Basics

EXPLOITATION

UNDERSTANDING URLS AND PARAMETERS

Web applications are organized in a series of files, pages, and folders that can be accessed with the right input or path. Usually, this system is set up in an organized directory using folders or containers to store the contents of the site.

A URL is an address that allows your browser to send a request to the web server, specifying the path or location to access the desired page or file.

Sometimes web apps are written so that parameters are needed to request access to content in the system. Query parameter strings, for example, can be added to a URL to retrieve data or perform certain actions based on the input in this query. Here is an example of a URL that includes parameters to request blue widgets, sorted so that the newest blue widgets will appear first.

If you've ever performed a Google search and looked at the URL of the results page, you would have seen this: https://www.google.com/search-input?q=search& followed by a whole mess of numbers, symbols, and letters.

While seemingly indecipherable, each value following the separator after your search query delineates specific parameters such as region, language, the number of results to show, etc. It's a specific set of instructions that produces the individualized set of results you are seeing. Modifying these parameters on Google is possible by using the GUI tools on the page itself (sort by, images, news, etc.) or by adding parameters in the search bar as text.

Similar to IDOR vulnerabilities, when improper programming leaves the parameters that a user can input to retrieve data unvalidated or unsanitized, a user can exploit file inclusion vulnerabilities to gain access to sensitive data and, in some cases, even gain remote access to a network resource.

DIRECTORY TRAVERSAL

This type of exploit allows an attacker to read system resources, such as local files on the server running the web application, by manipulating the URL to access files or pages stored outside of the application's root directory.

PHP uses functions such as file_get_contents that can allow a requester to view the contents of a file, as long as the requester knows the correct path to that file. Attackers can take advantage of any lack of input validation to make a dot-dot-slash attack: using the get.php?file= parameter after the website domain, followed by a series of dots and slashes (../../../), they navigate up directories to a root directory and leave the intended web app folder structure.

In this way, you can view the contents of important files that may exist in the server's root.
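
The dot-dot-slash problem described above comes down to reading a path built from the file parameter without checking where it resolves. As an added example (not code from the original page), here is that vulnerable pattern beside a hardened get.php; the base directory and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. BASE_DIR and both function
// names are assumptions; requires PHP 8.0 or later.
declare(strict_types=1);

const BASE_DIR = '/var/www/app/files'; // assumed folder of files meant to be served

// Vulnerable pattern: the parameter is appended to the base path and read
// without validation, so "../" segments can leave BASE_DIR.
function read_file_unsafe(string $file): string|false
{
    return file_get_contents(BASE_DIR . '/' . $file);
}

// Hardened form: resolve the path first, then read only if the resolved
// location is still inside BASE_DIR.
function read_file_safe(string $file): ?string
{
    if ($file === '' || str_contains($file, "\0")) {
        return null; // empty name or embedded NUL byte
    }
    $base = realpath(BASE_DIR);
    // realpath() collapses "../" and follows symlinks; false if nothing is there.
    $target = realpath(BASE_DIR . '/' . $file);
    if ($base === false || $target === false) {
        return null;
    }
    // The trailing separator stops "/var/www/app/files-old" from matching.
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR) || !is_file($target)) {
        return null;
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

// get.php entry point: same 404 for "missing" and "outside BASE_DIR",
// so the response does not reveal which paths exist on the server.
$requested = $_GET['file'] ?? '';
$body = is_string($requested) ? read_file_safe($requested) : null;
if ($body === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo $body;
```

The containment check runs on the resolved path rather than on the raw parameter, so encoded or nested dot-dot-slash variants are handled by the same comparison instead of by string filtering.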

Below are a few locations of important files that can be accessed in this way from the root directory.