Page 145 - Hands-On Bug Hunting for Penetration Testers
Access Control and Security Through Obscurity Chapter 8
Please clone or download the repository to your local system (https://github.com/WebGoat/WebGoat).
There are several ways you can set up WebGoat. You can download and run it as a JAR
executable (as we've been doing with Burp Suite), you can download a Docker image, or
you can build it directly from source. Although running the JAR directly on the JVM works
fine for Burp, I prefer to use Docker when it's available, since there's so much great
tooling around it.
There is one concern: if you're running the Burp Suite proxy on its default listener
(localhost:8080), you'll need to start the WebGoat server on a different port so the two
don't fight over the same socket. These are the commands the GitHub page references to
pull and start the server:
docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
In our case, since we want it to reach WebGoat on localhost:8081 instead of localhost:8080,
we'll simply change the second command so that Docker maps the container's port 8080 to
port 8081 on the host (the -p flag is host:container):
docker run -p 8081:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh
Now we can use Burp and WebGoat together without any port clashes.
Security by Obscurity: The Siren Song
The appeal, and the trap, of security by obscurity is the ease with which such strategies can
be implemented, especially when compared to more rigorous credential management systems.
Obscuring a piece of sensitive information just means scrambling it, rearranging and
reordering it, until it looks like gibberish. Looks like is the operative phrase: a pattern that
no human would spot by intuition or estimation is still a pattern, and a program will find it.
The assumptions behind this sort of strategy invariably contain an element of human
fallibility: someone couldn't find X, or stumble across Y, because the odds are so stupendously
against them, considering the scope of the application, the minimal nature of the
vulnerability, and the implicitly assumed man-hours of brute-forcing a solution to the
problem. But, of course, computers aren't constrained by such limitations, and the actual
audience for the site is larger than assumed. And when a large set of users, augmented by
crawlers, fuzzers, and all other sorts of web agents, train their tools on a target, they can
uncover flaws and make that site (and others) safer.
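To make the point concrete, here is an added example that is not from the book or from WebGoat: a constructed toy "obscurity" scheme and the few lines of Python that defeat it. The scheme (a sequential record ID XORed with one secret byte and base64url-encoded), the key value 0x5A, and the five sample tokens are all assumptions made for this illustration. The tokens look like gibberish to a reader; a script notices they share a constant prefix, brute-forces the 256 possible keys, and forges the next valid token.

```python
import base64

# Constructed toy "obscurity" scheme (an assumption for this example, not from the
# book or from WebGoat): a sequential 32-bit record ID is XORed byte-wise with a
# single secret byte, then base64url-encoded. The tokens look random to a person.


def obscure(record_id: int, key: int) -> str:
    """Scramble a record ID into an opaque-looking URL token."""
    raw = record_id.to_bytes(4, "big")
    masked = bytes(b ^ key for b in raw)
    return base64.urlsafe_b64encode(masked).decode().rstrip("=")


def deobscure(token: str, key: int) -> int:
    """Invert obscure() given the key (re-adds the stripped base64 padding first)."""
    padded = token + "=" * (-len(token) % 4)
    masked = base64.urlsafe_b64decode(padded)
    return int.from_bytes(bytes(b ^ key for b in masked), "big")


def shared_prefix_len(tokens: list[str]) -> int:
    """Pattern check: how many leading characters every token has in common.
    Truly random tokens share almost none; tokens built from a counter share
    every character that comes from the bytes which never change."""
    first = tokens[0]
    n = 0
    while n < len(first) and all(t[n] == first[n] for t in tokens):
        n += 1
    return n


def recover_key(tokens: list[str], max_id: int = 1 << 24) -> list[int]:
    """Brute-force the one-byte key. Only the true key turns every observed token
    into a plausible record ID: small, distinct, and increasing in the order the
    tokens were collected. 256 candidates is nothing for a machine."""
    hits = []
    for key in range(256):
        ids = [deobscure(t, key) for t in tokens]
        if (all(0 <= i < max_id for i in ids)
                and ids == sorted(ids)
                and len(set(ids)) == len(ids)):
            hits.append(key)
    return hits


def predict_next(tokens: list[str], key: int) -> str:
    """Forge the token for the record right after the last one seen."""
    return obscure(deobscure(tokens[-1], key) + 1, key)


# Constructed sample: five tokens a tester might harvest from links on the site,
# generated here with the (normally hidden) key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_TOKENS = [obscure(i, SAMPLE_KEY) for i in range(1041, 1046)]

if __name__ == "__main__":
    print("observed tokens:", SAMPLE_TOKENS)
    print("shared prefix length:", shared_prefix_len(SAMPLE_TOKENS))
    keys = recover_key(SAMPLE_TOKENS)
    print("candidate keys:", [hex(k) for k in keys])
    print("next token to try:", predict_next(SAMPLE_TOKENS, keys[0]))
```

The constant four-character prefix is the tell: the high bytes of a small counter never change, and XOR with a fixed key preserves that. Once the structure is visible, the "secret" is a 256-way search, and every record on the site is reachable by incrementing. A real scheme would need a random, unguessable identifier plus a server-side authorization check, not a reversible transform.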