174 Security De-engineering
testing, I recall a case with an online gambling rm in Hong Kong.
From Google searches and “whois” Internet domain registration infor-
mation, the client owned at least two class C (up to 253 individual
host IP addresses) address ranges but limited the testing to 10 “live” IP
addresses. e 10 targets given were purely Webservers for which the
client’s rewall exposed only ports 80 and 443, and the TSAP Hackers
did nd some X-site scripting, server-side parameter validation prob-
lems, plus a glaring Structured Query Language (SQL) injection issue.
Additionally though, in the initial port scan, it was clear that there
were other live IP addresses (outside of the testing range) with “visible”
listening services. ...