URL manipulation is one of the easiest attacks to perform. It can be performed by users who are innocently curious or by hackers who are probing for vulnerabilities.
URLs are not just addresses for browsers and servers to use as users go from page to page using links. They are requests from the browser to the server which act as a low-level form of programming. When the browser requests X from the server, the server responds with Y. There is nothing to keep users from entering other "commands" into the browser bar to see what the server will give them back.
URLs are easily edited and often follow a pattern. This makes them inviting targets for manipulation.
Manipulation can include:
Never consider a URL to be private
Every URL should enforce proper limits
Consider edge cases and expect unexpected
Every URL should have robust error handling
Configure web server to gracefully handle errors and unfound URLs