Let's try out some of our new techniques on WebGoat, OWASP's deliberately-vulnerable Java application. After navigating to localhost:8081/WebGoat, go ahead and click on the link to register a new user and then log in.
After you've logged in, you should be on the main WebGoat welcome page:
Now we're going to click through to the Client side lesson:
Landing on the page, we can immediately see a couple of hidden fields of interest. We also get the gist of the lesson—we're a disgruntled employee who wants to get the personal info of our CEO, even though we (naturally) don't have access to it—and what it is that we're trying to subvert: a small employee directory application.
Looking at the hidden fields, they appear to be tied to an employee ID, which in turn is connected to an employee...
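As an added example (not code from the original post or from WebGoat itself), the snippet below does in script what you would otherwise do by hand in the browser's DevTools at this point: pull every `<input type="hidden">` and every inline-hidden element out of a page's HTML, since anything the server sends to the client is readable no matter how it is styled. The sample markup is constructed for this example and is not WebGoat's page source; it runs in Node on the HTML string, and in a browser console you could pass `document.documentElement.outerHTML` instead.

```javascript
// Added example (not from the original post or WebGoat): enumerate "hidden"
// client-side data in an HTML response. Operates on a raw HTML string so it
// runs in Node with no DOM. The markup below is CONSTRUCTED for illustration
// and is not WebGoat's real page source.

const SAMPLE_HTML = `
<html><body>
<h1>Employee directory</h1>
<form action="/lookup" method="post">
  <input type="hidden" name="employeeId" value="101">
  <input type="hidden" name="role" value="staff">
  <input type="submit" value="Look up">
</form>
<table id="employees">
  <tr data-id="101"><td>Alice Example</td><td>alice@example.test</td></tr>
  <tr data-id="102" style="display: none"><td>Bob Example</td><td>bob@example.test</td></tr>
  <tr data-id="999" style="display:none;"><td>Carol Example (CEO)</td><td>ceo@example.test</td></tr>
</table>
</body></html>`;

// Read one attribute value out of a single opening tag. Attribute order is
// not assumed; double, single or no quotes are accepted. The attribute name
// must be preceded by whitespace so "id" does not match inside "data-id".
function attr(tag, attrName) {
  const re = new RegExp(
    `(?:^|\\s)${attrName}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Collect name/value pairs from every <input type="hidden">. These are the
// classic "hidden fields": the server expects them back unchanged, but the
// client can edit them freely.
function hiddenInputs(html) {
  const results = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    if (!/\stype\s*=\s*["']?hidden["']?/i.test(tag)) continue;
    results.push({ name: attr(tag, 'name'), value: attr(tag, 'value') });
  }
  return results;
}

// Collect elements hidden only by presentation: inline display:none or
// visibility:hidden, or the HTML5 "hidden" attribute. Their text is still in
// the response. Handles simple, non-nested elements of the same tag name,
// which is all the sample needs.
function hiddenElements(html) {
  const results = [];
  for (const m of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const [full, tagName, attrs] = m;
    const style = attr(full, 'style') || '';
    const isHidden = /display\s*:\s*none/i.test(style)
      || /visibility\s*:\s*hidden/i.test(style)
      || /(?:^|\s)hidden(?:\s|=|$)/i.test(attrs);
    if (!isHidden) continue;
    const start = m.index + full.length;
    const end = html.indexOf(`</${tagName}>`, start);
    if (end === -1) continue; // void or unclosed element; nothing to extract
    const text = html.slice(start, end)
      .replace(/<[^>]+>/g, ' ')
      .replace(/\s+/g, ' ')
      .trim();
    results.push({ tag: tagName, text });
  }
  return results;
}

// Convenience wrapper returning both kinds of hidden data in one object.
function audit(html) {
  return { inputs: hiddenInputs(html), elements: hiddenElements(html) };
}

console.log(JSON.stringify(audit(SAMPLE_HTML), null, 2));
```

The point the output makes is the same one the lesson makes: the CEO's row is "hidden" only by a CSS rule the browser applies after the fact, so a client that reads the response directly (or simply removes the style) sees it.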