Page 156 - Hands-On Bug Hunting for Penetration Testers
Access Control and Security Through Obscurity Chapter 8
Now, diving into that class, we can see the markup does in fact contain the CEO's and others' info. We now have the CEO's salary (a cool $450,000) and are just a little bit more accomplished in corporate espionage than we were a few moments ago.
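The client-side filtering flaw behind this finding, as an added example that is not code from the book or from WebGoat: a vulnerable render that hides unauthorised rows with a CSS class, a server-side render that never emits them, and a scanner that flags SSN-shaped values left in hidden markup. The employee records, the "hidden" class name and the SSN values are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample records (not WebGoat's data); the CEO salary is the figure cited above.
EMPLOYEES = [
    {"name": "Alice Example", "salary": 450000, "ssn": "000-00-0001"},
    {"name": "Bob Example", "salary": 120000, "ssn": "000-00-0002"},
]
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def render_client_filtered(viewer_is_manager):
    """Vulnerable: every row is written to the page; unauthorised rows are only hidden by CSS."""
    rows = []
    for e in EMPLOYEES:
        cls = "" if viewer_is_manager else ' class="hidden"'
        rows.append(f'<tr{cls}><td>{e["name"]}</td><td>{e["salary"]}</td><td>{e["ssn"]}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"

def render_server_filtered(viewer_is_manager):
    """Hardened: the access decision is made server-side, so restricted fields never reach the response."""
    rows = []
    for e in EMPLOYEES:
        cells = [e["name"]]
        if viewer_is_manager:
            cells += [str(e["salary"]), e["ssn"]]
        rows.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    return "<table>" + "".join(rows) + "</table>"

class HiddenTextScanner(HTMLParser):
    """Collects text nested inside any element carrying class="hidden"."""
    def __init__(self):
        super().__init__()
        self.stack = []        # one flag per open element: is it hidden?
        self.hidden_text = []
    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        self.stack.append("hidden" in classes)
    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if any(self.stack):
            self.hidden_text.append(data)

def find_hidden_ssns(html):
    """Return SSN-shaped values that are present in the markup but hidden from view."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    return SSN_RE.findall(" ".join(scanner.hidden_text))
```

Running the scanner over the vulnerable page as a non-manager reports both SSNs, while the server-filtered page contains nothing for it to find.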
Gathering Report Information
Now that we've brought our company to its knees, let's walk through the info we need to write our report:
Category: This is a data leak of sensitive information. In this case, the CEO's salary and SSN.
Timestamps: For our timestamp, we can just approximate a time manually.
URL: For our URL, we can use the page where we discovered the info in the source code: http://localhost:8081/WebGoat/start.mvc#lesson/ClientSideFiltering.lesson/1
Methodology: Skipping payload, we can just head to the methodology. In this case, we simply came across the information after a close inspection of the page's source code.
[ 141 ]