PAROS proxy tool



Table of Contents

  PAROS Features: ........ 2
  Installing PAROS ........ 2
  Configuring Paros Proxy ........ 5
  Using PAROS ........ 8
  Spider with Paros Proxy ........ 12
  Scanning with Paros Proxy ........ 14
  Scanning Policy ........ 16
  Conclusion ........ 18




       ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹ 



PAROS is a program for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Download PAROS: http://www.parosproxy.org/download.shtml


PAROS Features:


Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.


Installing PAROS


Ensure that the Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the Java Runtime Environment installed, you start the installation by executing the installation file you downloaded from the Paros Proxy website.




                ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                       • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                                       ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                             2
PAROS proxy tool



The first screen of the installer is the welcome screen, which lets you know that you are about to install Paros Proxy. Click "Next" to continue.




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’    ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹         3
PAROS proxy tool




You have now installed Paros Proxy. Click "Finish" to exit the installer.




        ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    4
PAROS proxy tool



Configuring Paros Proxy

Start the PAROS proxy tool.

Go to Tools → Options




The local proxy settings control what address and port Paros should listen on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running, let's set up our browser to utilize Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we're going to configure Firefox 3 to utilize Paros as a proxy. To do this we go to the 'Tools' menu and select 'Options'. Next you want to click on the 'Advanced' icon and select the 'Network' tab:




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                 • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                              ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                  5
PAROS proxy tool




Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. You want to select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080:




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    6
PAROS proxy tool




Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information.




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹     7
PAROS proxy tool



Using PAROS




The main interface is divided into 3 sections:

  1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
  2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
  3. On the bottom you have the request/response history of any request being made while using Paros. Please note that by default image requests are not displayed in the history view. It also contains the Spider results, any alerts from various filters and finally the output of the alerted page.

Now access your website (the one you want to test).




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                      • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                 8
PAROS proxy tool




When you want to intercept requests you just go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server, you check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.
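To make the header/body editing concrete, here is an added Python example (not code from this tutorial or from the Paros project) that parses a constructed POST request the way the Trap tab presents it, changes a form field and a cookie, and re-serializes it with a recomputed Content-Length. The request bytes, host name and field names are invented for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample request (not real traffic), as a browser would send it
# through the proxy: a login form POST carrying two cookies.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123; lang=en\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"user=alice&pass=secret&x=1"
)


class TrappedRequest:
    """A raw HTTP/1.1 request split into the editable parts the Trap tab
    shows: request line, header list (cookies live here) and body (form
    fields live here for POST)."""

    def __init__(self, raw: bytes):
        head, _, self.body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        self.method, self.target, self.version = lines[0].split(" ", 2)
        self.headers = []  # [name, value] pairs, original order kept
        for line in lines[1:]:
            if line:
                name, _, value = line.partition(":")
                self.headers.append([name.strip(), value.strip()])

    def header(self, name: str):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name: str, value: str) -> None:
        for h in self.headers:
            if h[0].lower() == name.lower():
                h[1] = value
                return
        self.headers.append([name, value])

    # Cookies: "Cookie: a=1; b=2" in the header section.
    def cookies(self) -> dict:
        raw = self.header("Cookie") or ""
        pairs = [p.strip().split("=", 1) for p in raw.split(";") if "=" in p]
        return {k.strip(): v for k, v in pairs}

    def set_cookies(self, jar: dict) -> None:
        self.set_header("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

    # Form fields: urlencoded POST body in the body section.
    def form(self) -> dict:
        return dict(parse_qsl(self.body.decode("iso-8859-1"), keep_blank_values=True))

    def set_form(self, fields: dict) -> None:
        self.body = urlencode(fields).encode("iso-8859-1")
        # An edited body must be re-measured, or the server reads too few or
        # too many bytes of the modified request.
        self.set_header("Content-Length", str(len(self.body)))

    def serialize(self) -> bytes:
        head = [f"{self.method} {self.target} {self.version}"]
        head += [f"{n}: {v}" for n, v in self.headers]
        return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + self.body


def resend_with_changes(raw: bytes) -> bytes:
    """Trap the request, edit a form field and a cookie, then 'Continue':
    returns the bytes that would be forwarded to the server."""
    req = TrappedRequest(raw)
    fields = req.form()
    fields["user"] = "bob"      # try another value for a form field
    req.set_form(fields)
    jar = req.cookies()
    jar["lang"] = "fr"          # edit a cookie in the header section
    req.set_cookies(jar)
    return req.serialize()


if __name__ == "__main__":
    print(resend_with_changes(SAMPLE_POST).decode("iso-8859-1"))
```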




            ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹              9
PAROS proxy tool




Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right click the row in the bottom frame and select 'Resend':




        ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    1 0
PAROS proxy tool




Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request, but also the HTML that you get back.




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’             • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                             ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                          1 1
PAROS proxy tool




Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard to reach areas of HTTP communications like cookies or HTTP headers.

Spider with Paros Proxy

Spider is used to crawl the websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:




                     ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                         • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹     1 2
PAROS proxy tool



  • Crawl HTTP and HTTPS websites based on a given URL, e.g. http://www.example.com or https://www.example.com
  • Support cookies
  • Support proxy chaining, which is set at the <Proxy Chain> field in the Option tab (but setting the <Skip> field has no effect on the spider)
  • Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

  • SSL websites with an invalid certificate cannot be crawled
  • Multi-threading is not supported
  • Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by Javascript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (Sites) [the site should already have been browsed from the browser].

Go to Analyse → Spider
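As an added illustration, not part of this document or of Paros, the following Python spider crawls a constructed in-memory site the way the description above outlines: it follows same-host links found in HTML, skips the external link, cannot see the URL that only JavaScript builds, and arranges what it found into a hierarchy tree. The SITE pages and URLs are invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed in-memory site (not a real host): url -> HTML body. The spider
# "fetches" pages from this dict, so the example runs offline.
SITE = {
    "http://www.example.com/":
        '<a href="/about">about</a> <a href="products/">products</a> '
        '<a href="http://other.example.org/">external</a> '
        '<script>location.href = "/hidden/js-only";</script>',
    "http://www.example.com/about":
        '<a href="/">home</a> <a href="/about#team">team</a>',
    "http://www.example.com/products/":
        '<a href="item?id=1">one</a> <a href="item?id=2">two</a>',
    "http://www.example.com/products/item?id=1": "<p>item 1</p>",
    "http://www.example.com/products/item?id=2": "<p>item 2</p>",
    # Only reachable through the script above; a simple spider never sees it.
    "http://www.example.com/hidden/js-only": "<p>javascript-only page</p>",
}


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags. Script bodies are treated as text,
    so URLs built by JavaScript are not found (the limitation noted above)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def spider(start: str, fetch, limit: int = 200) -> set:
    """Breadth-first crawl from `start`, staying on the start URL's host.
    `fetch(url)` returns the page body or None; `limit` bounds the crawl."""
    host = urlsplit(start).netloc
    seen, queue = set(), [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            absolute = urljoin(url, href).split("#", 1)[0]  # drop fragments
            if urlsplit(absolute).netloc == host and absolute not in seen:
                queue.append(absolute)
    return seen


def hierarchy_tree(urls) -> dict:
    """Arrange crawled URLs as nested dicts: host -> path segments -> query,
    the shape of the site tree in the left panel."""
    tree = {}
    for url in sorted(urls):
        parts = urlsplit(url)
        node = tree.setdefault(parts.netloc, {})
        for segment in filter(None, parts.path.split("/")):
            node = node.setdefault(segment, {})
        if parts.query:
            node.setdefault("?" + parts.query, {})
    return tree


if __name__ == "__main__":
    found = spider("http://www.example.com/", SITE.get)
    print(hierarchy_tree(found))
```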




          ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                      • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹       1 3
PAROS proxy tool




Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths and check if there exist any backup files (.bak) which could expose server information. In order to use this function, you need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things:

  • If you want to scan all websites on the tree, you can click on the menu item "Tree" → "Scan All" to trigger the scanning.




            ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                     • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                         ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹               1 4
PAROS proxy tool



  • If you just want to scan one website on the tree, you can click on that site in the tree panel and click the menu item "Tree" → "Scan selected Node" (you can also right-click on the tree view and choose the options).

Currently, Paros has the following checks:

  • HTTP PUT allowed − check if the PUT option is enabled at server directories
  • Directory indexable − check if the server directories are browsable.
  • Obsolete files existed − check if there exist obsolete files at
  • Cross-site scripting − check if cross-site scripting (XSS) is allowed on the query parameters
  • Default files on WebSphere server − check if default files exist on the WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.




Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point then later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy

Information gathering

"Obsolete file" looks for backup copies of known files of the server.

"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.

"Session ID in URL rewrite"

"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.

"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.




           ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹         1 6
PAROS proxy tool



Server security

"Directory browsing" looks for directories which disclose the files inside them.

"IIS default file" looks for default IIS (Internet Information Services) files.

"ColdFusion default file" looks for default ColdFusion files.

"Macromedia JRun default files" looks for default Macromedia JRun files.

"Tomcat source file disclosure"

"BEA WebLogic example files" looks for default BEA WebLogic files.

"IBM WebSphere default files" looks for default IBM WebSphere files.

"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab...

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.

"CRLF injection"

"Server side include"

"Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.

"Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.

"Parameter tampering"

"SQL Injection"

"MS SQL Injection Enumeration"
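Added example, not code from this tutorial or from Paros itself: a few of the passive policy checks named above, implemented in Python and run over constructed responses. The check names follow this section; the URLs, headers and page bodies are invented, and the patterns are simplified approximations of what each check looks for.

```python
import re

# Constructed sample responses: (url, headers, body). Invented for the example.
SAMPLE_RESPONSES = [
    ("https://www.example.com/login",
     {"Content-Type": "text/html"},
     '<form method="post"><input name="u"><input type="password" name="p"></form>'),
    ("http://www.example.com/err",
     {"Content-Type": "text/html"},
     "<p>DB connect failed: host 192.168.10.5 unreachable</p>"),
    ("http://www.example.com/app",
     {"Content-Type": "text/html"},
     '<a href="/cart;jsessionid=0A1B2C3D">cart</a>'),
    ("http://www.example.com/files/",
     {"Content-Type": "text/html"},
     "<html><head><title>Index of /files/</title></head><body>..."),
    ("https://www.example.com/account",
     {"Content-Type": "text/html", "Cache-Control": "no-store", "Pragma": "no-cache"},
     '<input type="password" name="old" autocomplete="off">'),
]

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
# Session identifiers rewritten into the path (";jsessionid=") or query string.
SESSION_IN_URL = re.compile(r"[;?&](?:jsessionid|phpsessid|sessionid|sid)=", re.I)
PASSWORD_INPUT = re.compile(r"<input\b[^>]*type=[\"']?password[\"']?[^>]*>", re.I)
AUTOCOMPLETE_OFF = re.compile(r"autocomplete=[\"']?off", re.I)
HREF = re.compile(r"href=[\"']([^\"']+)", re.I)
INDEX_OF = re.compile(r"<title>\s*Index of", re.I)


def private_ip_disclosure(url, headers, body):
    return bool(PRIVATE_IP.search(body))


def session_id_in_url_rewrite(url, headers, body):
    # The page's own URL and every link it carries are candidates.
    return any(SESSION_IN_URL.search(u) for u in [url] + HREF.findall(body))


def password_autocomplete(url, headers, body):
    # Alert on each password field that does not opt out of autocomplete.
    return any(not AUTOCOMPLETE_OFF.search(tag) for tag in PASSWORD_INPUT.findall(body))


def secure_page_browser_cache(url, headers, body):
    if not url.lower().startswith("https://"):
        return False
    cache_control = headers.get("cache-control", "").lower()
    return not ("no-store" in cache_control or "no-cache" in cache_control)


def directory_browsing(url, headers, body):
    return bool(INDEX_OF.search(body))


CHECKS = {
    "Private IP disclosure": private_ip_disclosure,
    "Session ID in URL rewrite": session_id_in_url_rewrite,
    "Password Autocomplete in browser": password_autocomplete,
    "Secure page browser cache": secure_page_browser_cache,
    "Directory browsing": directory_browsing,
}


def run_policy(responses):
    """Run every passive check on every response; return (url, check) alerts."""
    alerts = []
    for url, headers, body in responses:
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        for name, check in CHECKS.items():
            if check(url, lowered, body):
                alerts.append((url, name))
    return alerts


if __name__ == "__main__":
    for url, name in run_policy(SAMPLE_RESPONSES):
        print(f"{name}: {url}")
```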




           ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’              • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’           ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹       1 7
PAROS proxy tool



Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, or a cookie misconfiguration, or another elusive problem that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof of concept web application exploits.

Paros' cross platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer. Overall I find Paros is one of those easy tools I reach for more often over time, and I think it would make a valuable addition to any web developer's or application tester's arsenal.




                      ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                     • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                   1 8

More Related Content

What's hot

Conversion from infix to prefix using stack
Conversion from infix to prefix using stackConversion from infix to prefix using stack
Conversion from infix to prefix using stack
Haqnawaz Ch
 
Usb protocol
Usb protocol Usb protocol
Usb protocol
PREMAL GAJJAR
 
Network Trends
Network TrendsNetwork Trends
Network Trends
Arun ACE
 
1 tmo18023 umts overview
1 tmo18023 umts overview1 tmo18023 umts overview
1 tmo18023 umts overview
DhairYash Kotwani
 
Nemo outdoor-6-0-manual
Nemo outdoor-6-0-manualNemo outdoor-6-0-manual
Nemo outdoor-6-0-manual
Duc Nguyen Thanh
 
LTE and EPC Specifications
LTE and EPC SpecificationsLTE and EPC Specifications
LTE and EPC Specifications
aliirfan04
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Network
yusufd
 
Lte basic
Lte basicLte basic
Lte basic
govind sable
 
24.008 section 9.4- gmm messages
24.008   section 9.4- gmm messages24.008   section 9.4- gmm messages
24.008 section 9.4- gmm messages
Mayank Khanna
 
Modul 7 gprs operation
Modul 7    gprs operationModul 7    gprs operation
Modul 7 gprs operation
Wijaya Kusuma
 
Developing rich SIP applications with SIPSIMPLE SDK
Developing rich SIP applications with SIPSIMPLE SDKDeveloping rich SIP applications with SIPSIMPLE SDK
Developing rich SIP applications with SIPSIMPLE SDK
Saúl Ibarra Corretgé
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc Aspects
BP Tiwari
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attach
aliirfan04
 
GGSN-Gateway GPRS Support Node
GGSN-Gateway GPRS Support NodeGGSN-Gateway GPRS Support Node
GGSN-Gateway GPRS Support Node
Mustafa Golam
 

What's hot (14)

Conversion from infix to prefix using stack
Conversion from infix to prefix using stackConversion from infix to prefix using stack
Conversion from infix to prefix using stack
 
Usb protocol
Usb protocol Usb protocol
Usb protocol
 
Network Trends
Network TrendsNetwork Trends
Network Trends
 
1 tmo18023 umts overview
1 tmo18023 umts overview1 tmo18023 umts overview
1 tmo18023 umts overview
 
Nemo outdoor-6-0-manual
Nemo outdoor-6-0-manualNemo outdoor-6-0-manual
Nemo outdoor-6-0-manual
 
LTE and EPC Specifications
LTE and EPC SpecificationsLTE and EPC Specifications
LTE and EPC Specifications
 
Introduction to Mobile Core Network
Introduction to Mobile Core NetworkIntroduction to Mobile Core Network
Introduction to Mobile Core Network
 
Lte basic
Lte basicLte basic
Lte basic
 
24.008 section 9.4- gmm messages
24.008   section 9.4- gmm messages24.008   section 9.4- gmm messages
24.008 section 9.4- gmm messages
 
Modul 7 gprs operation
Modul 7    gprs operationModul 7    gprs operation
Modul 7 gprs operation
 
Developing rich SIP applications with SIPSIMPLE SDK
Developing rich SIP applications with SIPSIMPLE SDKDeveloping rich SIP applications with SIPSIMPLE SDK
Developing rich SIP applications with SIPSIMPLE SDK
 
LTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc AspectsLTE Radio Layer 2 And Rrc Aspects
LTE Radio Layer 2 And Rrc Aspects
 
LTE Architecture and LTE Attach
LTE Architecture and LTE AttachLTE Architecture and LTE Attach
LTE Architecture and LTE Attach
 
GGSN-Gateway GPRS Support Node
GGSN-Gateway GPRS Support NodeGGSN-Gateway GPRS Support Node
GGSN-Gateway GPRS Support Node
 

Viewers also liked

Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01
Neguinho Suárez
 
Experiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9AExperiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9A
user1234
 
Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)
FRANCISCO PAVON RABASCO
 
eTwinning Calendar 2012
eTwinning Calendar 2012eTwinning Calendar 2012
eTwinning Calendar 2012
user1234
 
Portuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, PortugalPortuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, Portugal
user1234
 
La higiene en la preparació dels aliments
La higiene en la preparació dels alimentsLa higiene en la preparació dels aliments
La higiene en la preparació dels alimentscguiu2
 
Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016
Laura Hampton
 
My Audience Profile
My Audience ProfileMy Audience Profile
My Audience Profile
AS Media Column D
 
Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?
AS Media Column D
 
Processor grafxtron
Processor grafxtronProcessor grafxtron
Processor grafxtron
Smart Equipments
 
Clase 3. alcantarillado sanitario
Clase 3.  alcantarillado sanitarioClase 3.  alcantarillado sanitario
Clase 3. alcantarillado sanitario
Ingeniero Edwin Torres Rodríguez
 
Trabajo de miki y èdro
Trabajo de miki y èdroTrabajo de miki y èdro
Trabajo de miki y èdro
aggono
 
El proceso de redaccion
El proceso de redaccionEl proceso de redaccion
El proceso de redaccion
Carlos Alberto Estrada García
 
Lectura de planos2
Lectura de planos2Lectura de planos2
Lectura de planos2
jose benavides
 
Clase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaClase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográfica
Universidad Libre
 

Viewers also liked (15)

Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01
 
Experiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9AExperiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9A
 
Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)
 
eTwinning Calendar 2012
eTwinning Calendar 2012eTwinning Calendar 2012
eTwinning Calendar 2012
 
Portuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, PortugalPortuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, Portugal
 
La higiene en la preparació dels aliments
La higiene en la preparació dels alimentsLa higiene en la preparació dels aliments
La higiene en la preparació dels aliments
 
Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016
 
My Audience Profile
My Audience ProfileMy Audience Profile
My Audience Profile
 
Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?
 
Processor grafxtron
Processor grafxtronProcessor grafxtron
Processor grafxtron
 
Clase 3. alcantarillado sanitario
Clase 3.  alcantarillado sanitarioClase 3.  alcantarillado sanitario
Clase 3. alcantarillado sanitario
 
Trabajo de miki y èdro
Trabajo de miki y èdroTrabajo de miki y èdro
Trabajo de miki y èdro
 
El proceso de redaccion
El proceso de redaccionEl proceso de redaccion
El proceso de redaccion
 
Lectura de planos2
Lectura de planos2Lectura de planos2
Lectura de planos2
 
Clase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaClase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográfica
 

PAROS proxy tool

Table of Contents

PAROS Features: ... 2
Installing PAROS ... 2
Configuring Paros Proxy ... 5
Using PAROS ... 8
Spider with Paros Proxy ... 12
Scanning with Paros Proxy ... 14
Scanning Policy ... 16
Conclusion ... 18
PAROS is a program for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Download PAROS: http://www.parosproxy.org/download.shtml

PAROS Features:

Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak, and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.

Installing PAROS

Ensure Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the Java Runtime Environment installed, you start the installation by executing the installation file you downloaded from the Paros Proxy website.
The first screen of the installer is the welcome screen, which lets you know that you are about to install Paros Proxy. Click "Next" to continue.
You have now installed Paros Proxy. Click "Finish" to exit the installer.
Configuring Paros Proxy

Start the PAROS proxy tool and go to Tools → Options. The local proxy settings control what address and port it should listen on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running, let's set up our browser to utilize Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we're going to configure Firefox 3 to utilize Paros as a proxy. To do this we go to the 'Tools' menu and select 'Options'. Next you want to click on the 'Advanced' icon and select the 'Network' tab:
Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. You want to select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080:
Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information.
Using PAROS

The main interface is divided into 3 sections:

1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
3. On the bottom you have the request/response history of any request being made while using Paros. Please note that by default image requests are not displayed in the history view. It also contains the Spider results, any alerts from various filters and finally the output of the alerted page.

Now access your website (the one you want to test).
When you want to intercept requests you just go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server, you check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.
Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right-click the row in the bottom frame and select 'Resend':
Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request, but also the HTML that you get back.
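The trap and resend views described above, modelled as an added example (not code from this document or from Paros): a parser for a raw request that exposes the header section (request line with its GET parameters, cookies) and the body section (form fields) for editing, and re-serialises it with a corrected Content-Length. The sample request is constructed.

```python
"""What an intercepting proxy's "Trap" view exposes, modelled in code (added
example, not Paros code): GET parameters and cookies live in the header
section, POST form fields in the body, and editing the body means the
Content-Length header must be corrected before the request is forwarded."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Constructed sample: a form POST with a cookie, as a browser would send it.
SAMPLE_POST = (
    "POST /login?lang=en HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&remember=0&pw=xy"
)

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def header(req: dict, name: str):
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None

def set_header(req: dict, name: str, value: str) -> None:
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))

def cookies(req: dict) -> dict:
    """Cookies travel in the header section of the trap view."""
    raw = header(req, "Cookie") or ""
    return dict(p.split("=", 1) for p in raw.split("; ") if "=" in p)

def set_cookie(req: dict, name: str, value: str) -> None:
    jar = cookies(req)
    jar[name] = value
    set_header(req, "Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

def set_query_param(req: dict, name: str, value: str) -> None:
    """GET parameters sit in the request line, also shown in the header section."""
    parts = urlsplit(req["target"])
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    q[name] = value
    req["target"] = urlunsplit(parts._replace(query=urlencode(q)))

def form_fields(req: dict) -> dict:
    """POST form fields live in the body section of the trap view."""
    return dict(parse_qsl(req["body"], keep_blank_values=True))

def set_form_field(req: dict, name: str, value: str) -> None:
    fields = form_fields(req)
    fields[name] = value
    req["body"] = urlencode(fields)
    # Body size changed: keep Content-Length truthful or the server misreads it.
    set_header(req, "Content-Length", str(len(req["body"].encode())))

def serialize(req: dict) -> str:
    head = [f"{req['method']} {req['target']} {req['version']}"]
    head += [f"{n}: {v}" for n, v in req["headers"]]
    return "\r\n".join(head) + "\r\n\r\n" + req["body"]
```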
Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard-to-reach areas of HTTP communications like cookies or HTTP headers.

Spider with Paros Proxy

Spider is used to crawl websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:
• Crawl HTTP and HTTPS websites based on a given URL, e.g. http://www.example.com or https://www.example.com
• Support cookies
• Support proxy chaining, which is set at the <Proxy Chain> field in the Option tab (but setting the <Skip> field has no effect on the spider)
• Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

• SSL websites with an invalid certificate cannot be crawled
• Multi-threading not supported
• Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by JavaScript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (Sites) [the site should already have been browsed from the browser], then go to Analyse → Spider.
Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths and check if there exist any backup files (.bak) which could expose server information. In order to use this function, you need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things:

• If you want to scan all websites on the tree, you can click on the menu item "Tree" → "Scan All" to trigger the scanning.
• If you just want to scan one website on the tree, you can click on that site in the tree panel and click the menu item "Tree" → "Scan selected Node" (you can also right-click on the tree view and choose the options).

Currently, Paros has the following checks:

• HTTP PUT allowed - check if the PUT option is enabled at server directories
• Directory indexable - check if the server directories are browsable.
• Obsolete files existed - check if there exist obsolete files at
• Cross-site scripting - check if cross-site scripting (XSS) is allowed on the query parameters
• Default files on WebSphere server - check if default files exist on the WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.

Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point and then later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy

Information gathering

"Obsolete file" looks for backup copies of known files on the server.
"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.
"Session ID in URL rewrite"
"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.
"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.
Server security

"Directory browsing" looks for directories which disclose the files inside them.
"IIS default file" looks for default IIS (Internet Information Services) files.
"ColdFusion default file" looks for default ColdFusion files.
"Macromedia JRun default files" looks for default Macromedia JRun files.
"Tomcat source file disclosure"
"BEA WebLogic example files" looks for default BEA WebLogic files.
"IBM WebSphere default files" looks for default IBM WebSphere files.
"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab.

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.
"CRLF injection"
"Server side include"
"Cross site scripting" tries to inject cross-site scripting strings into input fields and looks for their presence in the responding page.
"Cross site scripting without brackets" tries to inject cross-site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.
"Parameter tampering"
"SQL Injection"
"MS SQL Injection Enumeration"
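The passive side of the policy checks listed above (private IP disclosure, password autocomplete, secure page browser cache, and the SQL error message matching behind SQL injection fingerprinting), as an added example that is not Paros code: the regular expressions and the three sample responses are constructed approximations of what such checks look for in a captured response.

```python
"""Passive checks of the kind a scanning policy applies to captured responses,
run over constructed sample responses (added example, not Paros code; the
patterns are illustrative approximations of the named checks)."""
import re
from ipaddress import ip_address, ip_network
# Address ranges treated as "internal" by the private IP disclosure check.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
DOTTED_QUAD_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
PASSWORD_TYPE_RE = re.compile(r"\btype\s*=\s*[\"']?password", re.I)
AUTOCOMPLETE_OFF_RE = re.compile(r"\bautocomplete\s*=\s*[\"']?off", re.I)
# A few well-known database error strings (illustrative, not exhaustive).
SQL_ERROR_RE = re.compile(r"You have an error in your SQL syntax|ORA-\d{5}|"
                          r"Unclosed quotation mark|SQLSTATE\[", re.I)

def parse_response(raw: str) -> dict:
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": status, "headers": headers, "body": body}

def private_ip_disclosure(resp: dict) -> list:
    """Internal addresses leaked in page text or error messages."""
    found = set()
    for m in DOTTED_QUAD_RE.finditer(resp["body"]):
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if any(addr in net for net in INTERNAL_NETS):
            found.add(str(addr))
    return sorted(found)

def password_autocomplete(resp: dict) -> list:
    """Password inputs that do not opt out of browser autocompletion."""
    return [tag for tag in INPUT_TAG_RE.findall(resp["body"])
            if PASSWORD_TYPE_RE.search(tag) and not AUTOCOMPLETE_OFF_RE.search(tag)]

def secure_page_cacheable(resp: dict, is_https: bool) -> bool:
    """HTTPS response whose headers still allow the browser to cache it."""
    if not is_https:
        return False
    cc = {d.strip().lower() for v in resp["headers"].get("cache-control", [])
          for d in v.split(",")}
    pragma = [v.lower() for v in resp["headers"].get("pragma", [])]
    return not (cc & {"no-store", "no-cache"} or "no-cache" in pragma)

def sql_error_fingerprint(resp: dict):
    m = SQL_ERROR_RE.search(resp["body"])
    return m.group(0) if m else None

def run_policy(raw: str, is_https: bool) -> dict:
    resp = parse_response(raw)
    return {"private_ips": private_ip_disclosure(resp),
            "password_autocomplete": password_autocomplete(resp),
            "secure_page_cacheable": secure_page_cacheable(resp, is_https),
            "sql_error": sql_error_fingerprint(resp)}

# Constructed samples: a weak login page, a hardened one, and an error page.
WEAK_LOGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Cache-Control: public, max-age=600\r\n\r\n"
              "<html><!-- backend 10.0.3.7 --><form><input name=u>"
              '<input type="password" name="pw"></form></html>')
HARDENED_LOGIN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Cache-Control: no-store, no-cache\r\nPragma: no-cache\r\n\r\n"
                  "<html><form><input type='password' name='pw' "
                  "autocomplete='off'></form><p>edge 203.0.113.9</p></html>")
DB_ERROR = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
            "<pre>You have an error in your SQL syntax; check the manual</pre>")
```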
Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, a cookie misconfiguration, or another elusive problem that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof-of-concept web application exploits.

Paros' cross-platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer.

Overall I find Paros is one of those easy tools I reach for more often over time, and I think it would make a valuable addition to any web developer's or application tester's arsenal.