URL-Hacking: Do-it-yourself Navigation

Sometimes lawyers contact me about a case featuring URL hacking (or, as one such lawyer called it, “URL typing”). I haven’t yet been interested enough in a case to offer to do any writing or testifying for free. But I’ll summarize my position here.

  • If a company built a private warehouse, not intended to be accessed by the public, and I broke through the door and saw a secret, I would be in the wrong; the problem here is breaking and entering.
  • If a company built a gallery that was open to the public, and put its secrets out on the walls along with the material visitors are supposed to see, and I walked in when the gallery was open for business and happened to see a secret, I have done no wrong; the problem is the company’s non-existent security.
  • If a company built an archive, where all visitors were expected to write down a catalog number and wait in the library while the clerk fetches it, and I ask the clerk to bring me “documents/2008/annual,” the clerk will probably first go to the shelf and see if such a document exists.
    • If it does exist, the clerk will check to see whether the document has a “Top Secret” tag on it, or an “Embargo until Dec 2007” sign, or a note that says “Only Bill, Sally, and Freddy are permitted to read this document.”
    • If the owner of the item has placed it in the archive without any restrictions whatsoever, the clerk would be expected to treat this request just like any other.
  • The problem is once again the company’s non-existent security.

In the archive example above, if I bombarded the clerk with hundreds of random requests, hoping to come up with something unexpected, that’s a very different matter from actually typing the URL out of a desire to get to a page that deductive reasoning suggests ought to exist.

Since some web pages are dynamically generated from URLs that include complex parameters, there is not a clear line between what counts as simply typing the URL and manipulating complex parameters in a deliberate attempt to alter the way the site’s designers expected the site to behave.

Of course, manipulating a system may be against the terms of an end-user license, student handbook, or employment contract.

Just because a company’s website permits a hack does not automatically excuse all the actions carried out by the hacker. Most hackers are simply curious, seeking a faster, more powerful way to do something that seems slowed down by an unnecessarily tedious newbie-friendly process. URL hacking won’t help a user bypass a simple .htaccess password, and it won’t let a user see sensitive material unless the webmaster has already placed that material on the website. —URL-Hacking: Do-it-yourself Navigation (Jerz’s Literacy Weblog)

I just added this section to an old handout.

View Comments

  • "but "URL hacking" only works on static web pages"

    No, actually it works very well on dynamic sites. Take this site for example - if you click on a permalink, then look at the url, you'll see it says something like "/weblog/permalink.jsp?id=4716". Replace 4716 with another number, and it brings up that entry instead.

    In fact, there's a common security flaw with dynamic sites called "sql injection" where parameters aren't properly validated, and a user will replace the parameter with certain text that causes a completely different query to be run when the page is submitted.

    I know what you mean about your CMS system not allowing hacking of the url, but I don't think it's going to become a "fossil".

  • You're right, this sort of thing will only work under certain conditions. And I wrote the first draft in 2000, at a time when a lot of inexperienced people were putting up web pages for the first time, without any clear idea of what they were doing, and without a sense of the conventions they should follow. Fortunately, it's increasingly rare to see over-designed sites that show expensive design but very poor usability.

    I have since then shifted my teaching strategy on the assumption that most of my students will be hired to work on existing web sites, rather than asked to design a site for an organization that has never had one before.

  • I've always hesitated in mentioning this (perhaps it's a little too late), but "URL hacking" only works on static web pages (that is, pages that were coded by hand and put into directories).

    Most current CMS's use a database-driven API that collects that data called on by the user, and puts that data into a centralized location. Often times, only one file is displaying the data and the system can use rewrite rules (such as Apache's mod rewrite) to make SEO URL's.

    Even in home-grown CMS's, such as the Seton Hill Homepage, there is no definitive way to navigate through the server's directories. There are so many servers that prevent access to directories without an index page.

    It may not be completely obsolete yet, but as the number of people using blogs or other content-managing alternatives increases and personal webpages decrease, it may be that the page on "URL hacking" could be a fossil. It's crazy how rapidly computer technologies develop.

    I continue to believe that positivism is a folly. Apart from medicine, what are the "great benefits for civilization" that "hard sciences" have to offer? There will always be a need for philosophy and psychology as long as there are people on this earth, but with the way computer science is progressing, that may not be very long...
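
The archive clerk from the post and the `permalink.jsp?id=4716` parameter from the first comment, put together as an added example (not code from this site or from any commenter): a lookup that pastes the `id` text into the SQL next to one that validates it, binds it, and then checks the item's restriction tag. The table layout, the `restricted` flag, the `reader_is_staff` argument and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: three weblog entries, one of them restricted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries "
               "(id INTEGER PRIMARY KEY, title TEXT, restricted INTEGER)")
    db.executemany("INSERT INTO entries VALUES (?, ?, ?)", [
        (4716, "URL-Hacking", 0),
        (4717, "Draft: annual report", 1),
        (4718, "Old handout", 0),
    ])
    return db

def lookup_concatenated(db, raw_id):
    """'Before' form: the id text becomes part of the SQL statement itself."""
    sql = "SELECT title FROM entries WHERE restricted = 0 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def lookup_checked(db, raw_id, reader_is_staff=False):
    """Clerk form: validate the catalog number, bind it, then read the tag."""
    # Only a short run of ASCII digits is a catalog number; anything else is
    # refused before it reaches the database.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 18):
        return 400, None
    row = db.execute("SELECT title, restricted FROM entries WHERE id = ?",
                     (int(raw_id),)).fetchone()  # bound value, never SQL text
    if row is None:
        return 404, None            # nothing on that shelf
    title, restricted = row
    if restricted and not reader_is_staff:
        return 403, None            # the item exists but carries a restriction
    return 200, title

def demo():
    """Run both lookups on a plain id and on constructed parameter text."""
    db = make_db()
    constructed = "4716 OR 1=1"     # constructed input: text where a number belongs
    return {
        "concatenated_plain": lookup_concatenated(db, "4716"),
        "concatenated_text": lookup_concatenated(db, constructed),
        "checked_text": lookup_checked(db, constructed),
        "checked_restricted": lookup_checked(db, "4717"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the concatenated form the `restricted = 0` filter lives inside the same string the visitor's text is appended to, so it stops being enforced; in the checked form the restriction is tested in code after the row is fetched, which is the clerk reading the tag on the document.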

Published by
Dennis G. Jerz