Understanding the differences between URL, URI, and URN is crucial for web developers, API designers, and cybersecurity professionals. These concepts form the backbone of resource identification and location on the web, and mastering them can prevent security vulnerabilities.
Quick Definitions
- URL (Uniform Resource Locator): tells WHERE a resource is located (e.g., `https://example.com/page`)
- URN (Uniform Resource Name): tells WHAT a resource is (e.g., `urn:isbn:0451450523`)
- URI (Uniform Resource Identifier): the umbrella term covering both URLs and URNs
All URLs are URIs. All URNs are URIs. But not all URIs are URLs.
You Should Know: Practical Applications & Security Implications
1. URL Manipulation & Security Risks
URLs are often exploited in:
- Phishing attacks (e.g., `https://real-site.com.evil-site.com`)
- XSS (Cross-Site Scripting) via malformed query parameters
- Open Redirects (e.g., `https://trusted-site.com/redirect?url=evil.com`)
Linux Command to Check Suspicious URLs
```bash
# -I fetches only the response headers; -E is required so that the "|" in the
# pattern is an alternation (plain grep would look for the literal "location|host")
curl -sI "https://example.com" | grep -iE "location|host"
```
This helps detect hidden redirects in URLs: a Location header in the response means the server is sending the client somewhere else.
Python Code to Validate URLs
```python
from urllib.parse import urlparse

def is_valid_url(url):
    # Accepts only URLs that carry both a scheme and a network location.
    # Note: the scheme itself is not restricted, so "ftp://host" or
    # "file://host" would also pass; limit it to http/https where needed.
    try:
        result = urlparse(url)
        return all([result.scheme, result.netloc])
    except ValueError:
        return False

print(is_valid_url("https://google.com"))    # True
print(is_valid_url("javascript:alert(1)"))   # False (no netloc)
```
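Building on the validator above, the following is an added example (not code from the original post) that restricts the scheme, checks the host against an allowlist by its rightmost labels so that a lookalike such as `real-site.com.evil-site.com` is rejected, and inspects redirect-style query parameters for the open-redirect pattern shown earlier; `TRUSTED_HOSTS` and `REDIRECT_PARAMS` are assumed values.

```python
# Added example (not the original post's code): restricts the scheme, checks the
# host against an allowlist by its rightmost labels, and inspects redirect-style
# query parameters. TRUSTED_HOSTS and REDIRECT_PARAMS are assumed values.
from urllib.parse import urlparse, parse_qs

ALLOWED_SCHEMES = {"http", "https"}
TRUSTED_HOSTS = {"real-site.com", "trusted-site.com"}       # assumed allowlist
REDIRECT_PARAMS = {"url", "redirect", "next", "return_to"}  # assumed names


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only for a trusted host or a subdomain of one (rightmost labels)."""
    # A substring check would accept 'real-site.com.evil-site.com'; suffix
    # matching on whole labels does not, because its parent is evil-site.com.
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def redirect_target_host(value):
    """Host a redirect parameter value would send the browser to ('' if relative)."""
    if "://" in value or value.startswith("//"):
        return (urlparse(value).hostname or "").lower()   # absolute or scheme-relative
    if value.startswith("/"):
        return ""                                         # site-relative path
    if "." not in value.split("/", 1)[0]:
        return ""                                         # e.g. 'account/settings'
    # Bare 'evil.com' style value, as in the open-redirect example above
    return (urlparse("//" + value).hostname or "").lower()


def check_url(url, trusted=TRUSTED_HOSTS):
    """Return a list of findings; an empty list means the URL passed every check."""
    findings = []
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        findings.append(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname or ""
    if not host:
        findings.append("no host component")
    elif not host_is_trusted(host, trusted):
        findings.append(f"host not in allowlist: {host}")
    for name, values in parse_qs(parts.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            target = redirect_target_host(v)
            if target and not host_is_trusted(target, trusted):
                findings.append(f"redirect parameter {name!r} points off-site: {target}")
    return findings
```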
2. URI Structure & API Security
URIs are used in REST APIs, and weak validation can expose endpoints to:
- SQL Injection (`/api/users?id=1 OR 1=1--`)
- Path Traversal (`/api/../../etc/passwd`)
Linux Command to Audit URI Paths
```bash
# In the default "combined" log format, field 7 of each line is the request
# path, so the URI column can be read straight from the access log
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn
```
This lists the URIs in the Nginx access log with how often each was requested, most frequent first.
Node.js Code to Sanitize URIs
```javascript
// Keeps only an allowlist of path characters. The hyphen must be escaped or
// placed last: an unescaped "\/-_" is read as the range "/".."_", which silently
// keeps ? < > = and the other characters the filter is meant to remove.
const sanitizeUri = (uri) => {
  return uri.replace(/[^a-zA-Z0-9\/_-]/g, '');
};
console.log(sanitizeUri("/api/users?id=<script>")); // /api/usersidscript
```
3. URNs for Secure Identifiers
URNs provide persistent, unique names for resources, useful in:
- Digital Certificates (`urn:uuid:550e8400-e29b-41d4-a716-446655440000`)
- Blockchain & Decentralized IDs (`urn:btc:1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa`)
Linux Command to Generate UUID (URN-Compatible)
```bash
uuidgen
```
Example output: `550e8400-e29b-41d4-a716-446655440000`, which becomes `urn:uuid:550e8400-e29b-41d4-a716-446655440000` as a URN.
Python Code to Parse URNs
```python
import re

def is_valid_urn(urn):
    # Simplified RFC 2141 shape: "urn:" + NID (1-32 alphanumeric/hyphen chars,
    # first char alphanumeric) + ":" + NSS. The hyphen inside the NSS class is
    # escaped so it is a literal, not a range, and NIDs are case-insensitive.
    pattern = r'^urn:[a-z0-9][a-z0-9-]{0,31}:[a-z0-9()+,\-.:=@;$_!\'%/?]+$'
    return bool(re.match(pattern, urn, re.IGNORECASE))

print(is_valid_urn("urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6"))  # True
```
What Undercode Say
Understanding URL vs. URI vs. URN is not just academic; it's a security necessity. Attackers exploit weak URI parsing, URL obfuscation, and URN spoofing to bypass defenses.
- For Developers: Always validate and sanitize URIs in APIs.
- For Security Teams: Monitor URL patterns in logs for anomalies.
- For Sysadmins: Use tools like `curl`, `grep`, and `awk` to audit web traffic.
Expected Output:
- Secure URL handling prevents phishing & XSS.
- Strict URI validation blocks injection attacks.
- Proper URN usage ensures unique, tamper-proof IDs.
Master these concepts, and you'll build more resilient systems.
Reported By: Marcelvelica – Hackers Feeds