Questions tagged [url]
223 questions
21 votes, 3 answers
Can ISPs selectively block a page URL on a HTTPS website leaving its other page URLs alone?
I want certain web pages blocked (within my country) by my Govt on a website that uses HTTPS on all pages. My Govt agrees that the specific URLs need to be blocked but expresses helplessness as their ISPs claim they can't selectively block HTTPS…
Desmond
20 votes, 4 answers
Is URL visible by ISP before HTTP request is 301 redirected to HTTPS?
Let's say I enter http://domain.com/... as a URL. The domain.com server performs a 301 redirect of all HTTP requests to the HTTPS version, so it shows me https://domain.com/....
Can my ISP see the whole URL (not just domain name) that I entered…
Mike Fawles
16 votes, 3 answers
How to defend against homograph attacks?
Referring to this Wikipedia example of a homograph attack, the URL of Wikipedia had the Latin characters A and E replaced with a similar Cyrillic copy (wikipediа.org). These characters look so similar, how can they be differentiated?
toffee.beanns
14 votes, 4 answers
Is it possible to sniff HTTPS URLs?
From many posts, I know that almost everything in HTTPS or SSL connections is encrypted. Still, I am wondering, if it is possible to get the URLs out of such a connection if the computer that opens the connections is on a home network and access to…
jdoe
14 votes, 1 answer
Is a plain password in the URL a potential security threat?
I'm in no way a security expert, in fact I'm just your average Joe with a question.
I was on my car insurance website, I registered and as I logged in I saw my password, not encrypted, in plain sight in the address bar.
Now this (to me) is already…
zakkos
11 votes, 2 answers
How to handle media files from untrusted sources?
I've been a heavy user of ffmpeg-based players and encoders for years, and though I've heard about numerous security issues, I always assumed that staying up-to-date was safe enough. However, I just saw an article (in Russian) which explains how…
Dmitry Grigoryev
9 votes, 1 answer
Why is there "t=[your device]" in duckduckgo query URL?
I was just searching something on my raspberrypi via duckduckgo and realized that there is q=[my query]&t=raspberrypi&[rest of the URL] in the URL bar.
When I did the same query on my PC, there was ...t=h_....
Their motto is "We don't track you" so…
ShinobiUltra
9 votes, 1 answer
How can Google search change the location in a URL tooltip?
When hovering over a website link in Google search the tooltip says the link of the website (stackoverflow.com). But when I click it it goes to some Google page and then StackOverflow. But now if I go back to the Google search tab the tooltip has…
Suici Doga
8 votes, 1 answer
What is the name for this type of URL attack?
Say a PHP page accepts URL path as a POST parameter (like the answer to this question):
$path = $_POST['url_path'];
file_get_contents('http://example.com' . $path);
A malicious user POSTs url_path as @evil.com/stuff.html.
As the code takes the…
SilverlightFox
8 votes, 1 answer
SQL injection: how to find urls to attack to
The last days I've been reading about SQL injection and most of the url examples I see are like the…
tgogos
8 votes, 1 answer
Why am I getting url requests for pages I never had on my site?
On my Drupal site I'm getting strange requests for URL paths that I have never had and have nothing to do with my site. Could someone explain why people (or bots) are looking for the following…
Patrick W. McMahon
7 votes, 1 answer
Is it safe to allow CSS filter: url(data:
We have a web service where logged in users can create web page content and write custom CSS for their pages. All the HTML goes through a whitelist parser and doesn't allow any executable content. All the CSS is put through a whitelist parser that…
Mikko Rantalainen
7 votes, 3 answers
How to convince team mate about using an allowlist for a link created from a parameter?
Context
In our development team, we have to build a component. This component is a full client side one written in JavaScript.
A client web application wishing to embed this component will call it like below:
6 votes, 1 answer
How does this possibly malicious phishing email link work?
I got a phishing email from a supposed realtor that wanted me to click on the following link
http://wonderit.net/f%23$%25%5e%29%28*%5e%25$%25%5eamg*&%5e%25$%23$%25%5e/
which I decoded as:
http://wonderit.net/f#$%^)(*^%$%^amg*&^%$#$%^/
I was…
John Alexiou
6 votes, 1 answer
Are these encrypted URL values safe or could they be guessed?
One of our suppliers had a weakness on the secure section of his webpage. By changing IDs in the URL, we could see data that did not belong to us.
For example:
https://supplier.org/showItem.do?contract.id=102210199&car.id=102334247
Showed a…
Konerak