I am not a core security guy to answer this question, but still I will try to express my opinion about it.

When you find something in the URL as xyz.do, it normally depicts the "action" part of the HTML form i.e. a program (server-side or client side), to which the form data is submitted.

Let's take a practical example. Following is the URL of Registration page of Cisco website:

http://tools.cisco.com/RPF/register/register.do

You can find the method .do extension above and it depicts the register method to which the form data will be submitted, when you click the Submit button at the end.

Just showing this method in the URL may not be a security issue (although I understand that it gives the information that there is a program with the name register on the server/client side). I am not sure if one can really hide it in the URL, but to achieve the purpose, you will have to disable the "ViewSource" option also via some scripting (like JavaScript), so that Right Click is not enabled on the page or that the source that one sees does not contain the actual HTML.

In simple terms if I see the source of the Cisco Reigtration page by right clicking and then clicking "View Source", somewhere in the code I get:



Now if you carefully see, the action attribute of the form tells you what exactly gets appended to http://tools.cisco.com base URL to get the final one as:

http://tools.cisco.com/RPF/register/register.do

So, the HTML source code also tells where the request will go once the Submit button is clicked.

I hope I answered your question or atleast gave something to think further about.