Computer scienceCybersecurityBasics

Uniform Resource Identifier

Provided by: JetBrains Academy
8 minutes read

In this topic we are going to understand why it is crucial to prevent various cyber threats and attacks that can compromise data integrity, confidentiality, and system availability securing the URI.

What is a URI?

Uniform Resource Identifier or URI also known as aboslute URL is a string of characters that is used to uniquely identify a resource on the internet. It provides a means of addressing and accessing resources, which could be anything from web pages, files, images, to other digital content. URIs are commonly known as URLs (Uniform Resource Locators) when they are used to specify the address of a resource on the web.

It worth to mention that except well known http:// and https:// there are many other:

  • chrome://

  • example:

  • facetime://

  • file://

  • ftp://

  • etc.

You can lookthrough of them here List of URI schemes

URI Encoding and Decoding

URI(L) encoding is a method used to make sure that a URL only contains valid characters according to the RFC 3986 standard, which includes digits, letters, and certain symbols within the ASCII character set. If a URL has characters outside this set, they are converted into a special format using percent-encoding, making them easily interpretable by servers. This encoding process also applies to certain delimiters like &, /, ?, or # when used in unexpected ways in URLs.

URL decoding, on the other hand, reverses the percent-encoding process, restoring nonstandard characters to their original form.

It's important to note that URL encoding is not the same as encryption. Encryption is about securing information with a secret key, while URL encoding aims to ensure a URL is interpretable by a server and prevent user manipulation.

Different programming languages offer APIs for both encoding and decoding URLs.

  • Python: urllib.parse.quote() and urllib.parse.unquote()

  • JavaScript: encodeURIComponent() and decodeURIComponent()

  • Java: java.net.URLEncoder and java.net.URLDecoder

  • Go: url.QueryEscape() and url.QueryUnescape()

  • C++: does not have a built-in encoding/decoding tools, however you might use third-party cpp-httplib

  • Rust: url::percent_encoding

Ok, but so what? Modifying URLs can pose a security risk, potentially leading users away from a trusted webpage to a harmful one. This can introduce various security vulnerabilities, notably cross-site scripting (XSS), a threat found in certain web applications. XSS vulnerabilities empower attackers to insert malicious client-side scripts into web pages that other users access.

In other words regarding vulnerabilities, the main point is that payloads can be passed through the url and vulnerabilities can be exploited, so everything in the URL is untrusted data, the thing we can do with is to validate data in the url.

Common URI-Based Attacks via URI Parameters

URI-based attacks are a category of web application attacks. These attacks manipulate or abuse the structure and parameters of URIs to compromise the security of a web application. Here are some common URI-based attacks:

SQL Injection — Attackers manipulate URI parameters to inject malicious SQL code into the application's database queries.

  • Example: https://example.com/products?category=electronics' OR 1=1 --

  • Impact: Can lead to unauthorized access, data leakage, or even data manipulation.

SQL Injection example

Possible SQL Injection kill chain

Cross-Site Scripting (XSS) — Attackers inject malicious scripts into URIs, which are then executed in the victim's browser when they visit the manipulated URL.

  • Example: https://example.com/search?query=<script>alert("XSS");</script>

  • Impact: Allows attackers to steal user data, perform actions on behalf of users, or deface web pages.

XSS

Possible XSS kill chain

Path Traversal — Attackers exploit inadequate URI validation to navigate outside the intended directory or file structure.

  • Example: https://example.com/download?file=../../../etc/passwd

  • Impact: Can lead to unauthorized access to sensitive files or directories.

Path Traversal example

Possible Path Traversal kill chain

Open Redirects — Attackers create URLs that redirect users to malicious websites, often used in phishing attacks.

  • Example: https://example.com/redirect?url=http://malicious.com

  • Impact: Trick users into visiting malicious websites, potentially leading to data theft or malware infection.

Parameter Pollution — Attackers manipulate URI parameters to confuse the application's processing logic.

  • Example: https://example.com/search?query=apple&query=banana

  • Impact: Can lead to unintended behavior, vulnerabilities, or errors in the application.

Parameter Pollution example

Parameter Pollution kill chain

HTTP Verb Tampering — Attackers manipulate the HTTP request method (GET, POST, PUT, DELETE, etc.) in URIs to perform unauthorized actions.

Information Disclosure — Attackers manipulate URIs to reveal sensitive information such as internal server details or debugging information.

Denial of Service (DoS) — Attackers craft URIs to consume excessive server resources, making the application unavailable to legitimate users.

Cookie Manipulation — Attackers manipulate URIs to inject or modify cookies, potentially gaining unauthorized access or impersonating users.

It's crucial for web developers and security professionals to be aware of these URI-based attacks and implement appropriate security measures, such as input validation, output encoding, and access controls, to mitigate these vulnerabilities and protect web applications from exploitation.

Secure URI Design and Implementation

Secure URI design and implementation is essential for building web applications that are resilient against various security threats. Here are some best practices to ensure secure URI design and implementation:

  1. Input Validation:

    • Validate All User Inputs: Ensure that all data received via URIs is validated for both type and content. Reject any input that doesn't conform to expected patterns or formats.

    • Sanitize Inputs: Sanitize input data to remove or escape potentially malicious characters to prevent injection attacks like SQL injection or Cross-Site Scripting (XSS).

  2. Parameterized Queries — When interacting with databases through URIs, use parameterized queries or prepared statements to prevent SQL injection attacks. Never concatenate user inputs directly into SQL queries.

  3. Output Encoding — Encode user-generated content before including it in URIs to prevent XSS attacks. Use functions like url.QueryEscape or html.EscapeString as appropriate.

  4. HTTPS Usage — Always use the HTTPS scheme (https://) in URIs to ensure encrypted communication between clients and servers, preventing data interception.

  5. Session Management — Avoid including sensitive session data in URIs. Instead, use secure cookies or session tokens for managing user sessions.

  6. URL Whitelisting — Implement URL whitelisting to only allow access to specific, trusted URIs. Reject any requests to unauthorized or unknown URIs.

  7. Blacklisting — Maintain a blacklist of known malicious URIs or URI patterns and deny access to them.

  8. Proper Access Controls — Ensure that URI-based access controls are enforced. Don't solely rely on URI obscurity for security. Use role-based access control (RBAC) or other authorization mechanisms.

  9. Path Traversal Prevention — Implement proper URI path validation and path traversal protection to restrict access to unauthorized directories and files.

  10. Rate Limiting — Implement rate limiting for URIs that involve sensitive operations or user authentication to prevent abuse and brute force attacks.

By following these best practices for secure URI design and implementation, you can significantly reduce the risk of common web-based attacks and enhance the overall security of your web applications. It's not near a half of tools and patterns that can be used (Error Handling, Security Headers, Logging and Monitoring, Penetration Testing, Security Updates, Third-Party Components and etc.), but to be not overwhelmed with terms we ommit descriptive explanation for now. Security should be an integral part of the entire software development lifecycle, from design to deployment and maintenance.

URI Whitelisting and Blacklisting

URI whitelisting is an access control mechanism where you explicitly specify a list of allowed or permitted URIs that users or clients are allowed to access. Any request to a URI that is not on the whitelist is denied or restricted. This approach is often more secure because it explicitly defines what is allowed, reducing the attack surface.

Suppose you have a web application with the following URIs:

  • /home

  • /profile

  • /dashboard

  • /logout

You could create a URI whitelist that includes only these URIs. Any attempt to access a URI not on the whitelist would result in access denial.

The wins here are in follow:

  • Enhanced security: Only explicitly permitted URIs are accessible, reducing the risk of unauthorized access.

  • Precise control: Granular control over which URIs can be accessed and by whom.

  • Protection against zero-day vulnerabilities: Even if new malicious URIs are discovered, they won't be accessible unless explicitly whitelisted.

URI blacklisting, on the other hand, is an access control mechanism where you explicitly specify a list of disallowed or forbidden URIs that users or clients are not allowed to access. Any request to a URI on the blacklist is denied or restricted. While blacklisting can be useful for blocking known malicious URIs, it has limitations because it relies on maintaining an up-to-date list of prohibited URIs.

You maintain a blacklist of URIs that are known to be used for phishing attacks or other malicious purposes. Any access attempt to URIs on this blacklist is denied. And the pros for using Blacklist over Whitelist are:

  • Protection against known threats: Blocks known malicious URIs.

  • Quick response to known vulnerabilities: Allows for rapid blocking of known attack vectors.

Conclusion

In this topic we understand what URI is! Secure URI parameter handling and validation are crucial components of web application security. By rigorously validating input data, properly encoding and decoding parameters, and following best practices to prevent common vulnerabilities, you can significantly reduce the risk of security breaches and attacks on your web application. Regular security audits and testing are also essential to identify and address any potential weaknesses in your URI parameter handling and validation processes.

3 learners liked this piece of theory. 0 didn't like it. What about you?
Report a typo