The present invention generally relates to securing webpages, and more particularly, to preventing unauthorized users from accessing webpages via Uniform Resource Locator (URL) guessing/network sniffing.
Webpages and web applications may be at risk when underlying pages are accessible by unauthorized users. For example, a web application may provide access to confidential webpages or content intended to be accessible only by authorized users via privileged credentials (e.g., user ID and password of an authorized user). In some situations, these confidential webpages can be accessed using non-privileged credentials or via a session associated with non-privileged credentials. For example, URLs for webpages having confidential content may be guessed, sniffed over a network, obtained via screen shots, or obtained via other documentation.
As an example, a user may use their private credentials to access a root page that contains a URL to another webpage containing private employee information. URL guessing may reveal that changing a single parameter in the URL to a known identifier (e.g., an employee serial number) directs the user to private information about other employees. This type of exposure could result in a data privacy violation.
In another example, a user of a popular fantasy sports web site may discover that by supplying a direct URL to the third page of a three-page team transaction sequence, with a known ID substituted into the URL, the user could see the hidden team of any other user prior to match day, when teams are locked and revealed. This exposure could lead to an unfair advantage for users with this knowledge, loss of reputation for the site operator, and potentially loss of revenue for the site operator. The consequences are far more severe when this type of exposure is present in banking, investment, e-commerce, health, and other highly sensitive sites. Current web vulnerability scan applications lack a mechanism to detect such exposure. Therefore, a solution is needed to detect webpage or web application exposure and alert webpage operators.
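The following is an added example, not part of the patent text and not a description of the claimed invention. It models the employee-serial exposure described above with two in-memory request handlers: one that trusts the URL parameter after authenticating the session, and one that additionally checks that the session's principal is authorized for the requested record. It also shows the kind of check a detection tool would perform: fetch a URL with its legitimate owner's session, then with a different authenticated session, and flag the page if the non-owner receives the same content. The handler names, session tokens, employee records, and URL are all constructed for the example.

```python
# Added example: a minimal model of URL-parameter exposure and a defender-side
# detection check. The "web application" is a pair of in-memory handler
# functions; sessions, employee records, and the URL are constructed sample data.
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Session:
    user_id: str          # authenticated principal
    employee_serial: str  # the one employee record this principal may view


# Constructed sample data (hypothetical).
EMPLOYEES: Dict[str, Dict[str, str]] = {
    "1001": {"name": "A. Example", "salary": "80000"},
    "1002": {"name": "B. Example", "salary": "95000"},
}
SESSIONS: Dict[str, Session] = {
    "sess-alice": Session(user_id="alice", employee_serial="1001"),
    "sess-bob": Session(user_id="bob", employee_serial="1002"),
}

Handler = Callable[[str, str], Optional[Dict[str, str]]]


def _serial_from_url(url: str) -> Optional[str]:
    """Extract the ?serial= query parameter from a URL, if present."""
    values = parse_qs(urlparse(url).query).get("serial")
    return values[0] if values else None


def vulnerable_handler(session_token: str, url: str) -> Optional[Dict[str, str]]:
    """Authenticates the session, then trusts the URL parameter outright.
    Any logged-in user can read any employee record by changing ?serial=."""
    if session_token not in SESSIONS:
        return None
    serial = _serial_from_url(url)
    return EMPLOYEES.get(serial) if serial else None


def hardened_handler(session_token: str, url: str) -> Optional[Dict[str, str]]:
    """Same lookup, but the record is released only when the session's
    principal is authorized for that serial (object-level authorization)."""
    session = SESSIONS.get(session_token)
    if session is None:
        return None
    serial = _serial_from_url(url)
    if serial is None or serial != session.employee_serial:
        return None  # authenticated, but not authorized for this record
    return EMPLOYEES.get(serial)


def detect_exposure(handler: Handler, owner_token: str, other_token: str, url: str) -> bool:
    """Detection check: request the URL as its legitimate owner, then as a
    different authenticated user. If the non-owner receives the owner's
    content, the page is exposed to URL guessing."""
    owner_view = handler(owner_token, url)
    other_view = handler(other_token, url)
    return owner_view is not None and other_view == owner_view


if __name__ == "__main__":
    url = "https://app.example/employee?serial=1001"  # Alice's record
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: exposed = {detect_exposure(handler, 'sess-alice', 'sess-bob', url)}")
```

The detection check compares content rather than HTTP status, because an exposed page typically returns a normal 200 response to the non-owner; a scanner that only looks for 401/403 would miss exactly the exposure the text describes.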