Page 155 - Hands-On Bug Hunting for Penetration Testers
Access Control and Security Through Obscurity Chapter 8
Looking at the hidden fields, they seem to be associated with an employee ID that's
connected to an employee info record. If we use our dev tools to inspect the markup, we
can see the <select> tag where the employee we want info on is chosen, along with the
associated IDs:

Now, if we can dive into that onchange callback... wait, what's that there in the bottom
right of our pane?

This is obviously an extreme example (naming a class with a super-incriminating
string), but exposing sensitive client-side data simply because the mechanisms used to
keep it hidden rely on the GUI, or on nobody tampering with the page, is unfortunately a
real-life issue:
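The inspection described above, as an added example that is not part of the book: the sample page, the class name, the employee records and the two lookup handlers are all constructed here to stand in for the screenshot (the real page's markup and class name are not reproduced). The first three functions pull out what dev tools would show you by hand: hidden fields, the <select> options and their onchange handler, and class names that hint the element is being hidden for access-control reasons. The two handlers then contrast a backend that trusts the submitted employee ID (the behaviour the hidden field relies on) with one that derives authorization from the server-side session.

```javascript
// Added example: audit markup for client-side "hiding", then contrast a lookup that
// trusts the posted ID with one that authorizes it. Not the book's code.

// Constructed sample page modelled on the employee-lookup form in the text.
// The class name on the <div> is hypothetical, standing in for the incriminating one.
const SAMPLE_HTML = `
<form id="employee-lookup" method="POST" action="/employee/info">
  <input type="hidden" name="employee_id" value="1001">
  <input type="hidden" name="is_admin" value="0">
  <select name="employee" onchange="loadEmployee(this.value)">
    <option value="1001">Alice</option>
    <option value="1002">Bob</option>
    <option value="1003">Carol (HR)</option>
  </select>
</form>
<div class="employee-record sensitive-hidden-from-non-admins" style="display:none">
  SSN and salary go here
</div>
`;

// Every <input type="hidden"> name/value pair in the markup.
function extractHiddenFields(html) {
  const fields = {};
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if (!/type\s*=\s*["']?hidden["']?/i.test(tag)) continue;
    const name = (tag.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1];
    const value = (tag.match(/\bvalue\s*=\s*["']([^"']*)["']/i) || [])[1];
    if (name !== undefined) fields[name] = value === undefined ? '' : value;
  }
  return fields;
}

// Option values of each <select>, keyed by its name, plus any inline onchange handler.
function extractSelects(html) {
  const selects = {};
  const selectRe = /<select\b([^>]*)>([\s\S]*?)<\/select>/gi;
  let m;
  while ((m = selectRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const name = (attrs.match(/\bname\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const onchange = (attrs.match(/\bonchange\s*=\s*["']([^"']*)["']/i) || [])[1] || null;
    const values = [];
    const optRe = /<option\b[^>]*\bvalue\s*=\s*["']([^"']*)["']/gi;
    let o;
    while ((o = optRe.exec(body)) !== null) values.push(o[1]);
    selects[name] = { values, onchange };
  }
  return selects;
}

// Class names that suggest an element is hidden for access-control reasons.
const SUSPICIOUS_WORDS = ['hidden', 'secret', 'admin', 'sensitive', 'private', 'internal'];
function findSuspiciousClasses(html) {
  const found = new Set();
  const classRe = /\bclass\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = classRe.exec(html)) !== null) {
    for (const cls of m[1].split(/\s+/)) {
      if (SUSPICIOUS_WORDS.some(w => cls.toLowerCase().includes(w))) found.add(cls);
    }
  }
  return [...found];
}

// Constructed backend records; in the real app these sit behind the form's action URL.
const EMPLOYEES = {
  1001: { name: 'Alice', salary: 70000, managerId: 1003 },
  1002: { name: 'Bob', salary: 65000, managerId: 1003 },
  1003: { name: 'Carol', salary: 90000, managerId: null },
};

// Vulnerable handler: trusts whatever employee_id the browser posted, exactly the
// assumption the hidden field makes. Editing the field in dev tools is enough.
function lookupEmployeeVulnerable(postedFields) {
  return EMPLOYEES[postedFields.employee_id] || null;
}

// Hardened handler: who you are comes from the server-side session, and the posted ID
// is only honoured if that identity is allowed to read the record. The posted
// is_admin flag is ignored entirely.
function lookupEmployeeHardened(session, postedFields) {
  const requestedId = Number(postedFields.employee_id);
  const target = EMPLOYEES[requestedId];
  if (!target) return null;
  const allowed =
    session.userId === requestedId ||
    target.managerId === session.userId ||
    session.role === 'admin';
  return allowed ? target : null;
}
```

Running the three audit functions over a page is the scripted equivalent of the dev-tools pass in the text; the interesting output is any hidden field or select value that also appears in a request, since that is the parameter to tamper with. The hardened handler shows the only fix that holds: the server decides what the session may read, so the hidden field and the class name stop mattering.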