From the course: Programming Foundations: Web Security

URL manipulation and Insecure Direct Object Reference (IDOR)

- A URL manipulation attack is when someone edits the URL text in the browser's location bar in order to probe a website. URLs are easily changed, and they often follow a pattern, which makes them inviting targets. Manipulation may be performed by innocent users who are just curious, or by hackers who are probing for vulnerabilities. Editing a URL can reveal private information or allow users to perform actions which should be restricted. Manipulating a URL may reveal a private webpage. The public website may not have a link to that page, or the page may be accessible only under certain conditions. For example, adding "preview=true" to a URL might show an unpublished version of the page. URLs may correspond to a set of files and directories. Changing the URL can help to map that structure. Values in a database can also be mapped. If a page displays a person's contact information when the URL contains an ID of 27, then an…
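The contact-ID and "preview=true" cases from the transcript, as an added example that is not part of the course: a handler that trusts the URL beside handlers that check the session user on the server. All names, records and URLs are constructed for illustration, and the handlers are plain functions returning `(status, body)` rather than any framework's API.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: contact records keyed by the ID shown in the URL.
CONTACTS = {
    26: {"owner": "alice", "email": "alice@example.test"},
    27: {"owner": "bob", "email": "bob@example.test"},
}
PAGES = {"pricing": {"published": "Pricing v1", "draft": "Pricing v2 (unpublished)"}}
EDITORS = {"alice"}  # hypothetical role list: users allowed to see drafts


def _query(url):
    """Return the first value of each query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def contact_vulnerable(url, session_user):
    """Trusts the id in the URL: any logged-in user can read any record."""
    record = CONTACTS.get(int(_query(url)["id"]))
    return (200, record["email"]) if record else (404, None)


def contact_checked(url, session_user):
    """Validates the id, then requires that the session user owns the record."""
    raw = _query(url).get("id", "")
    if not raw.isdecimal():
        return (400, None)
    record = CONTACTS.get(int(raw))
    # Same 404 for "missing" and "not yours", so responses do not map the ID space.
    if record is None or record["owner"] != session_user:
        return (404, None)
    return (200, record["email"])


def page_checked(url, session_user):
    """preview=true is only a request; the server-side role check decides."""
    page = PAGES.get(urlparse(url).path.strip("/"))
    if page is None:
        return (404, None)
    wants_preview = _query(url).get("preview") == "true"
    if wants_preview and session_user in EDITORS:
        return (200, page["draft"])
    return (200, page["published"])
```
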
