Unrestricted URL Access
Restricting URL access helps prevent visitors who are not logged in from accessing administrative or other restricted pages in a website. If visitors attempt to view restricted pages, they should be prompted to log in.
If pages in a restricted area are not configured to only allow authorized users to view them, a malicious user might guess the URLs for pages and bypass the log in, directly accessing the restricted area.
For example: Joe's photo gallery site lets logged-in users use an Upload button to add photos. The button displays only for logged-in users, but the button's action does not specifically check a user's access to upload photos.
If URL access is not restricted to only designated people, a malicious user might access the upload URL and submit malicious files.
You can prevent unrestricted URL access by configuring your site to deny all visitors access, and you can set specific users permissions. All pages in an access-controlled area should validate that a visitor is logged in with the appropriate access level to view them. Many popular applications have these features built in.
To learn more about unrestricted URL access and other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.
