In a semantic URL attack, a client manually adjusts the parameters of its request by maintaining the URL's syntax but altering its semantic meaning. This attack is primarily used against CGI-driven websites.

A similar attack involving web browser cookies is commonly referred to as cookie poisoning.

Example

Consider a web-based e-mail application where users can reset their password by answering the security question correctly, and which allows the users to send the password to the e-mail address of their choosing. After they answer the security question correctly, they arrive at the following web form, where they can enter their alternative e-mail address:

<form action="resetpassword.php" method="GET">
  <input type="hidden" name="username" value="user001" />
  <p>Please enter your alternative e-mail address:</p>
  <input type="text" name="altemail" /><br />
  <input type="submit" value="Submit" />
</form>

The receiving page, resetpassword.php, has all the information it needs to send the password to the new email. The hidden variable username contains the value user001, which is the username of the e-mail account.

Because this web form uses the GET method, when the user submits alternative@emailexample.com as the e-mail address where the password should be sent, the user arrives at the following URL:

http://semanticurlattackexample.com/resetpassword.php?username=user001&altemail=alternative%40emailexample.com

This URL appears in the location bar of the browser, so the user can identify the username and the e-mail address through the URL parameters. The user may then decide to visit the same URL with another person's username (user002):

http://semanticurlattackexample.com/resetpassword.php?username=user002&altemail=alternative%40emailexample.com

If resetpassword.php accepts these values, it is vulnerable to a semantic URL attack. A new password for the user002 e-mail account will be generated and sent to alternative@emailexample.com, which causes user002's e-mail account to be stolen.

One method of avoiding semantic URL attacks is by using session variables. [1] However, session variables may be vulnerable to other types of attacks such as session hijacking and cross-site scripting.
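
The session-variable approach, as an added example that is not part of the original article or of the cited book: the vulnerable account lookup beside one bound to server-side session state. The session key reset_username and the function names are assumptions; in a real page the two arrays would be $_SESSION and $_GET.

```php
<?php
// Added example: hypothetical handlers for the resetpassword.php flow.
// The session key 'reset_username' and all function names are assumptions.
declare(strict_types=1);

// Vulnerable form: the account name is read from the URL, so editing
// ?username=user001 to ?username=user002 redirects the reset.
function resolve_account_vulnerable(array $query): ?string
{
    return $query['username'] ?? null;
}

// Hardened form: the account name comes only from session state that the
// server wrote after the security question was answered correctly.
function resolve_account_hardened(array $session, array $query): ?string
{
    $bound = $session['reset_username'] ?? null;
    if (!is_string($bound) || $bound === '') {
        return null; // security question not passed in this session
    }
    // A client-supplied username that disagrees with the session is a
    // tampering signal worth logging; it is never used for the lookup.
    if (isset($query['username']) && $query['username'] !== $bound) {
        error_log("reset: URL username differs from session user $bound");
    }
    return $bound;
}

// The alternative address is still client input and is validated separately.
function validate_alt_email(array $query): ?string
{
    $email = filter_var($query['altemail'] ?? '', FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed request: user001 passed the question, then edited the URL.
$session = ['reset_username' => 'user001'];
$query   = ['username' => 'user002',
            'altemail' => 'alternative@emailexample.com'];

echo 'vulnerable -> ', resolve_account_vulnerable($query), PHP_EOL;
echo 'hardened   -> ', resolve_account_hardened($session, $query), PHP_EOL;
echo 'altemail   -> ', validate_alt_email($query) ?? 'rejected', PHP_EOL;
```

With the hardened lookup the hidden username field can be dropped from the form entirely, since the server no longer reads it.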

References

  1. Chris Shiflett. Essential PHP Security: Chapter 2, Forms and URLs