AJAX - The Complete Reference

(avery) #1

288 Part II: Developing an Ajax Library


<input type="password" name="userpass" size="10" maxlength="10" /><br />
<input type="text" name="pin" size="4" maxlength="4" /><br />
<input type="submit" value="Login" />
</form>

The intruder sees this form and first notes the maxlength attributes. They likely wonder
what happens if those values are exceeded. It is easy enough for them to remove the constraint
with a proxy filter or to use a network debugging tool like Fiddler (www.fiddlertool.com) or
Tamperdata (http://tamperdata.mozdev.org/). The field called <pin> seems to suggest a
numeric value—what would happen if it sent non-numeric data? The intruder might further
wonder what the hidden form field value does. It looks encoded and interesting to them and
is open for manipulation. Given the method is set to POST for the application found at

FIGURE 7-2 Why inform your adversaries? Reveal little or trick them.