Tuesday, 29 March 2016

A Dissection of Uniform Resource Locator (URL)

Leave a Comment

The internet is accessed many times daily by even non techies, to get one or more information, upload or download files among other goals. The locations of these resources are accessed through the Uniform Resource Locators (URL). Most of the time, users of a website are not aware of the changes in URL in the address bar of their browsers as they surf it. They don’t know the exact address of a particular file or service they are using and even those that know have little or no knowledge of what it really entails. I am going to properly explain what a URL is by defining it, explaining the different parts and briefly discussing associated security problems.

A Uniform Resource Locator is a string that completely describes the location of a resource on the internet. The string may be text (registered domain name), number (IP address) or a combination of both. Typically a URL without a domain name looks like this:
Now if the website is registered with a domain name (say www.hardnocklife.com), the URL looks like this:
Domain names are mainly used to make the website easy to remember and more readable. The IP address is the address assigned to the machine or network hosting the resource. Domain names will be discussed in future posts.

Components of A URL
In this section I am going to explain the different parts of a URL. Using the sample URL in the previous section, the different parts of a URL is indicated in the figure below.

  1. Protocol: Specifies the protocol in use such as http, ftp, https and so on. Thought the first portion, it is technically not part of the URL
  2. Host: This portion identifies the machine hosting the resource. This machine is known as the web server. With this portion in place the port number can be overridden since the port number is implied by the protocol.
  3. Directory Path: This is the path to the folder on the hosting machine containing the file to be accessed.
  4. File Name: File name indicates the name of the file containing the functionalities or scripts that delivers the requested service or information. In some cases the file name may be mistakenly omitted. In this case the file designated as the starting page (usually index.html or default.com) is displayed. If no page is designated as default then a list of files in the current directory are displayed.
  5. Query: This portion is a collection of named parameters defined by the application running on the web server.

Security Problem Associated With URL
Security issues in the URL of websites have plagued the World Wide Web for decades. The URL parameter of a query string can be used to exploit security vulnerabilities, especially when server side scripting languages such as PHP (Hypertext Preprocessor) and ASP (Active Server Pages) are used. The method of exploitation depends on the scripting technology. Hackers launch such attacks as SQL (Structured Query Language) injection and XSS (Cross-site Scripting) attacks on websites known to have URL manipulation flaws. Though solutions exist to counter these security issues, many web programmers are inexperienced and not security conscious and as a result are not aware of existing risk. Another reason why security solutions are not implemented in most cases is that software security budget of many organizations is usually low and implementation policy may conflict with business use case.

I have successfully dissected Uniform Resource Locator (URL) and its components as well as overviewed security risks associated with it. I hope this post has been educative and I’ll like to thank you for reading.
If You Enjoyed This, Take 5 Seconds To Share It


Post a Comment

Add a comment here