PAROS proxy tool



Table of Contents

  PAROS Features
  Installing PAROS
  Configuring Paros Proxy
  Using PAROS
  Spider with Paros Proxy
  Scanning with Paros Proxy
  Scanning Policy
  Conclusion







PAROS is a program for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Download PAROS: http://www.parosproxy.org/download.shtml


PAROS Features:


Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.


Installing PAROS


Ensure Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the Java Runtime Environment installed you start the installation by executing the installation file you downloaded from the Paros Proxy website.







The first screen of the installer is the welcome screen which lets you know that you are about to install Paros Proxy. Click "Next" to continue.








You have now installed Paros Proxy. Click "Finish" to exit the installer.







Configuring Paros Proxy

Start the PAROS proxy tool.

Go to Tools > Options




The local proxy settings control what address and port it should listen on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running let's set up our browser to utilize Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we're going to configure Firefox 3 to utilize Paros as a proxy. To do this we go to the 'Tools' menu and select 'Options'. Next you want to click on the 'Advanced' icon and select the 'Network' tab:








Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. You want to select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080:








Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information.







Using PAROS




The main interface is divided into 3 sections:

1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
3. On the bottom you have the request/response history of any request being made while using Paros. Please note that by default image requests are not being displayed in the history view. It also contains the Spider results, any alerts from various filters and finally the output of the alerted page.

Now access your website (which you want to test).








When you want to intercept requests you just go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server you check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.








Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right click the row in the bottom frame and select 'Resend':








Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab which includes not only the header data from the form request, but also the HTML that you get back.








Using Paros we can examine cookies, form fields and other data, and modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard to reach areas of HTTP communications like cookies or HTTP headers.


Spider with Paros Proxy

Spider is used to crawl the websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:







- Crawl HTTP and HTTPS websites based on given URL, e.g. http://www.example.com or https://www.example.com
- Support cookie
- Support proxy chaining, which is set at the <Proxy Chain> field in Option tab (but setting the <Skip> field has no effect on the spider)
- Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

- SSL websites with invalid certificate cannot be crawled
- Multithreading not supported
- Some malformed URLs in HTML pages cannot be recognized

Also, URLs generated by Javascript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (sites) [site should already be browsed from browser].

Go to Analyse > Spider
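A reduced spider of the kind described above, as an added example that is not Paros code: it follows static <a href> links breadth first on a single thread, keeps to the starting site, and files what it finds into a host/directory/page tree like the left-hand panel. The pages are constructed inline (no network), and one of them reaches a URL only through JavaScript, which this spider, like the one on the page, cannot see.

```python
import re
from urllib.parse import urljoin, urlsplit

# Only static anchors are parsed; links built by scripts are invisible here.
HREF_RE = re.compile(r"""<a\s[^>]*?href\s*=\s*["']([^"']+)["']""", re.I)


def extract_links(base_url: str, html: str) -> list:
    """Return absolute http(s) URLs for every <a href> in static HTML."""
    links = []
    for href in HREF_RE.findall(html):
        href = href.strip()
        if href.startswith(("javascript:", "mailto:", "#")):
            continue
        absolute = urljoin(base_url, href).split("#")[0]
        if urlsplit(absolute).scheme in ("http", "https"):
            links.append(absolute)
    return links


def same_site(url: str, root: str) -> bool:
    a, b = urlsplit(url), urlsplit(root)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def crawl(root: str, fetch, limit: int = 100) -> list:
    """Breadth-first, single-threaded crawl. `fetch(url)` returns the
    page HTML or None; the visit order is returned."""
    seen, queue, order = {root}, [root], []
    while queue and len(order) < limit:
        url = queue.pop(0)
        order.append(url)
        html = fetch(url)
        if html is None:
            continue
        for link in extract_links(url, html):
            if same_site(link, root) and link not in seen:
                seen.add(link)
                queue.append(link)
    return order


def build_tree(urls: list) -> dict:
    """Nest URLs as host -> directory/ -> page, like the sites panel."""
    tree = {}
    for url in urls:
        parts = urlsplit(url)
        node = tree.setdefault(f"{parts.scheme}://{parts.netloc}", {})
        segments = [s for s in parts.path.split("/") if s]
        for seg in segments[:-1]:
            node = node.setdefault(seg + "/", {})
        if segments:
            node.setdefault(segments[-1], {})
    return tree


# Constructed pages standing in for a small site; 'hidden.html' is only
# reachable through JavaScript and so never enters the tree.
PAGES = {
    "http://www.example.com/":
        '<a href="/about.html">About</a><a href="docs/index.html">Docs</a>'
        '<a href="http://other.example/x">External</a>'
        '<a href="javascript:go()">JS</a>',
    "http://www.example.com/about.html":
        '<a href="/">Home</a><a href="/docs/api.html#top">API</a>',
    "http://www.example.com/docs/index.html":
        '<a href="api.html">API</a>'
        "<script>location='/hidden.html'</script>",
    "http://www.example.com/docs/api.html": "",
}


def crawl_sample() -> list:
    return crawl("http://www.example.com/", PAGES.get)


if __name__ == "__main__":
    print(build_tree(crawl_sample()))
```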








Scanning with Paros Proxy

The scanner function is to scan the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths and check if there exist any backup files (.bak) which could expose server information. In order to use this function, you need to navigate the website first. After you log on a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things:

- If you want to scan all websites on the tree, you can then click on the menu item "Tree" > "Scan All" to trigger the scanning.







- If you just want to scan one website on the tree, you can click on that site in the tree panel and click menu item "Tree" > "Scan selected Node" (You can also right click on the tree view and choose the options).

Currently, Paros has the following checks:

- HTTP PUT allowed: check if the PUT option is enabled at server directories
- Directory indexable: check if the server directories can be browsable.
- Obsolete files existed: check if there exist obsolete files at
- Cross site scripting: check if cross site scripting (XSS) is allowed on the query parameters
- Default files on websphere server: check if default files existed on websphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.




Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point then later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy




Information gathering

"Obsolete file" looks for backup copies of known files of the server.

"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.

"Session ID in URL rewrite"

"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.

"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.







Server security

"Directory browsing" looks for directories which disclose the files inside them.

"IIS default file" looks for default IIS (Internet Information Service) files.

"ColdFusion default file" looks for default ColdFusion files.

"Macromedia JRun default files" looks for default Macromedia JRun files.

"Tomcat source file disclosure"

"BEA WebLogic example files" looks for default BEA WebLogic files.

"IBM WebSphere default files" looks for default IBM WebSphere files.

"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab...

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.

"CRLF injection"

"Server side include"

"Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.

"Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.

"Parameter tampering"

"SQL Injection"

"MS SQL Injection Enumeration"







Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, or a cookie misconfiguration, or other elusive problems that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof of concept web application exploits.

Paros' cross platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer. Overall I find Paros is one of those easy tools I reach for more often over time and I think it would make a valuable addition to any web developer or application tester's arsenal.





More Related Content

PAROS proxy tool

  • 1. PAROS proxy tool Table of Contents PAROS Features: ............................................................................................................ 2 I n stal l i n g PAROS............................................................................................................ 2 C o n f i g uri n g Paro s Pro x y ................................................................................................. 5 U si n g PAROS ................................................................................................................. 8 Sp i d er w i th Paro s Pro x y ................................................................................................ 1 2 Sc an n i n g w i th Paro s Pro x y ........................................................................................... 1 4 Sc an n i n g Po l i c y ............................................................................................................ 1 6 C o n c l usi o n .................................................................................................................... 1 8 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼
  • 2. PAROS proxy tool P A R O S is a p r o g r a m fo r p e o p le w h o n e e d t o e v a lu a t e t h e s e c u r it y o f t h e ir w e b a p p lic a t io n s . I t is fr e e o f c h a r g e a n d c o m p le t e ly w r it t e n in J a v a . T h r o u g h P a r o s 's p r o x y n a tu r e , a ll H T T P a n d H T T P S d a ta b e t w e e n s e r v e r a n d c lie n t , in c lu d in g c o o k ie s a n d fo r m f ie ld s , c a n b e in t e r c e p t e d a n d m o d if ie d . D o w n lo a d P A R O S : h t t p : / / w w w . p a r o s p r o x y . o r g / d o w n lo a d . s h t m l PAROS Features: P a r o s ' p r o x y fe a t u r e is in v a lu a b le f o r in s p e c t in g t r a ffic a s it c o m e s t o a n d fr o m y o u r b r o w s e r . T h is a llo w s y o u t o in v e s t ig a te t h in g s lik e h o w c o o k ie s a r e s e t, r e d ir e c t s b e in g is s u e d t o a b r o w s e r , a n d q u e r ie s s e n t fr o m th e b r o w s e r to t h e s e r v e r . W h ile P a r o s in c lu d e s s o m e a u to m a t e d s c a n n in g t o o ls , t h e s e a r e r a th e r w e a k a n d P a r o s r e a lly s h o w s it s s t r e n g t h in t h e h a n d s o f a s k ille d p e n e t r a t io n te s te r w h o k n o w s w h a t t o lo o k f o r . W e w ill s e e h o w t o u s e a ll th e f e a t u r e s a v a ila b le in P A R O S in t h is d o c u m e n t. I n stal l i n g PAROS E n s u r e J a v a R u n T im e E n v ir o n m e n t ( J R E ) 1 . 4 ( o r a b o v e ) w a s in s t a lle d . O n c e y o u h a v e J a v a R u n T im e E n v ir o n m e n t in s t a lle d y o u s t a r t t h e in s t a lla t io n b y e x e c u t in g t h e in s t a lla t io n f ile y o u d o w n lo a d e d f r o m t h e P a r o s P r o x y w e b s it e . 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 2
  • 3. PAROS proxy tool T h e f ir s t s c r e e n o f t h e in s t a lle r is t h e w e lc o m e s c r e e n w h ic h le t s y o u k n o w th a t y o u a r e a b o u t t o i n s t a l l P a r o s P r o x y . C l i c k " Ne x t " t o c o n t i n u e . 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 3
  • 4. PAROS proxy tool Y o u h a v e n o w in s t a lle d P a r o s P r o x y . C lic k " F in is h " t o e x it t h e in s t a lle r . 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 4
  • 5. PAROS proxy tool C o n f i g uri n g Paro s Pro x y S ta r t th e P A R O S p r o x y t o o l. G o t o T o o ls o p t io n s T h e lo c a l p r o x y s e t t in g s c o n t r o ls w h a t a d d r e s s a n d p o r t it s h o u ld lis t e n o n f o r in c o m in g c o n n e c t io n s . R e m e m b e r t o c o n fig u r e y o u r w e b b r o w s e r t o m a tc h t h e s e s e t t in g s . S o , n o w t h a t P a r o s is r u n n in g le t 's s e t u p o u r b r o w s e r t o u t iliz e P a r o s a s a p r o x y . P a r o s , b y d e fa u lt , lis t e n s o n p o r t 8 0 8 0 fo r p r o x y c o n n e c t io n s . I n t h is e x a m p le w e 'r e g o in g t o c o n f ig u r e F ir e f o x 3 t o u t iliz e P a r o s a s a p r o x y . T o d o t h is w e g o t o t h e 'T o o ls ' m e n u a n d s e le c t 'O p t io n s ' . Ne x t y o u w a n t to c lic k o n t h e 'A d v a n c e d ' ic o n a n d s e le c t th e ' Ne t w o r k ' t a b : 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 5
  • 6. PAROS proxy tool No w c l i c k o n t h e ' S e t t i n g s ' b u t t o n i n t h e ' C o n n e c t i o n ' f r a m e . T h i s w i l l b r i n g u p a n e w w in d o w t it le d 'C o n n e c t io n S e t t in g s '. Y o u w a n t t o s e le c t 'M a n u a l p r o x y c o n f ig u r a t io n ' a n d s e t y o u r p r o x y t o 'lo c a lh o s t ' o n p o r t 8 0 8 0 : 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 6
  • 7. PAROS proxy tool C l i c k ' O K ' t o c l o s e a l l t h e w i n d o w s . No w y o u ' l l n o t i c e t h a t w h e n e v e r y o u b r o w s P a r o s ' b la n k in t e r f a c e w ill b e g in t o f ill u p w it h in f o r m a t io n . 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 7
  • 8. PAROS proxy tool U si n g PAROS T h e m a in in t e r fa c e is d iv id e d in t o 3 s e c t io n s 1 . O n th e t o p -l e f t y o u h a v e t h e s i t e s / d i r e c t o r y / p a g e t r e e v i e w . A s y o u b r o w s e p a g e s y o u w ill n o t ic e t h a t m o r e a n d m o r e it e m s a r e a d d e d t o t h is s e c t io n . 2 . O n th e t o p -r i g h t y o u h a v e t h e s e c t i o n t h a t a l l o w s y o u t o i n s p e c t , in t e r c e p t a n d m o d ify t h e s e n t a n d r e c e iv e d d a t a . 3 . O n th e b o t t o m y o u h a v e t h e r e q u e s t / r e s p o n s e h is t o r y o f a n y r e q u e s t b e in g m a d e w h ile u s in g P a r o s . P le a s e n o t e t h a t b y d e f a u lt im a g e r e q u e s t s a r e n o t b e in g d is p la y e d in t h e h is t o r y v ie w . I t a ls o c o n t a in t h e S p id e r r e s u lt s , a n y a le r t s f r o m v a r io u s f ilt e r s a n d f in a lly t h e o u t p u t o f t h e a le r t e d p a g e . No w a c c e s s y o u r w e b s it e ( w h ic h y o u w a n t t o t e s t ) 貼≠ ≠ 貼 ‥ ≠ ‥ ≠ 貼 8
• 9. When you want to intercept requests, you just go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server, you check the "Trap response" checkbox). GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server. POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server. Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.
• 10. Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right click the row in the bottom frame and select 'Resend':
• 11. Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request, but also the HTML that you get back.
• 12. Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard-to-reach areas of HTTP communications like cookies or HTTP headers.
Spider with Paros Proxy
The Spider is used to crawl websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:
• 13.
- Crawl HTTP and HTTPS websites based on a given URL, e.g. http://www.example.com or https://www.example.com
- Support cookies
- Support proxy chaining, which is set at the <Proxy Chain> field in the Option tab (but setting the <Skip> field has no effect on the spider)
- Automatically add URL links to the website hierarchy tree for later scanning.
As it is just a simple spider, it has the following limitations:
- SSL websites with an invalid certificate cannot be crawled
- Multithreading is not supported
- Some malformed URLs in HTML pages cannot be recognized
Also, URLs generated by Javascript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.
First select the site from the left panel (sites) [the site should already have been browsed from the browser]. Then go to Analyse > Spider.
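The crawl described on slides 12 and 13, as an added Python example that is not code from the slides or from Paros: a breadth-first spider over a constructed in-memory site. It resolves relative links, drops fragments and non-HTTP schemes, stays on the starting host, and, exactly as the slide warns, never discovers the page whose URL only exists inside a <script> block. The site contents and the fetch() stand-in are assumptions; against a real site, fetch() would perform the HTTP request (through the proxy) instead of a dictionary lookup.

```python
"""Minimal breadth-first spider over an in-memory site. Added example, not
Paros' spider; the sample pages are constructed to show what a simple
HTML-only crawler does and does not find."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample site (assumed content): absolute URL -> HTML body.
SITE = {
    "http://www.example.com/": """<html><body>
        <a href="/about.html">About</a>
        <a href="products/list.html?cat=1">Products</a>
        <a href="http://www.example.com/about.html#team">Team</a>
        <a href="http://other.example.org/">External</a>
        <form action="/login" method="post"></form>
        <script>window.location = '/hidden/js-only.html';</script>
        </body></html>""",
    "http://www.example.com/about.html":
        '<a href="/">Home</a><a href="mailto:x@example.com">Mail</a>',
    "http://www.example.com/products/list.html?cat=1":
        '<a href="item.html?id=7">Item</a>',
    "http://www.example.com/products/item.html?id=7": '<img src="/img/logo.png">',
    "http://www.example.com/login": "login form",
    "http://www.example.com/hidden/js-only.html": "only reachable via script",
    "http://www.example.com/img/logo.png": "",
}


class LinkExtractor(HTMLParser):
    """Collect the raw values of href, src and action attributes."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def normalize(base: str, link: str):
    """Resolve a link against its page and drop the fragment; None if not crawlable."""
    parts = urlsplit(urljoin(base, link))
    if parts.scheme not in ("http", "https"):
        return None  # mailto:, javascript:, data: and friends are not pages
    return urlunsplit(parts._replace(fragment=""))


def fetch(url: str):
    """Stand-in for an HTTP GET (assumed): looks the page up in the sample site."""
    return SITE.get(url)


def spider(start: str, fetch=fetch, max_pages: int = 100) -> list:
    """Breadth-first crawl confined to the start URL's host.
    Returns the visited URLs in the order they were fetched."""
    host = urlsplit(start).netloc
    queue = deque([normalize(start, "")])
    seen = set(queue)
    visited = []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:  # unreachable or non-existent page: skip it
            continue
        visited.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            target = normalize(url, link)
            # Stay on the same host and never queue a URL twice.
            if target and urlsplit(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return visited


if __name__ == "__main__":
    for url in spider("http://www.example.com/"):
        print(url)
```

Running it on the sample site yields six URLs; /hidden/js-only.html is missing because the crawler reads HTML tags, not script, which is why the slide recommends browsing such pages manually so they land in the hierarchy tree anyway.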
• 14. Scanning with Paros Proxy
The scanner function scans the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths by itself and check if there exist any backup files (.bak) which could expose server information. In order to use this function, you need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things: If you want to scan all websites on the tree, click on the menu item "Tree" > "Scan All" to trigger the scanning.
• 15. If you just want to scan one website on the tree, click on that site in the tree panel and click the menu item "Tree" > "Scan selected Node" (you can also right click on the tree view and choose the options). Currently, Paros has the following checks:
- HTTP PUT allowed: check if the PUT option is enabled at server directories
- Directory indexable: check if the server directories are browsable
- Obsolete files existed: check if there exist obsolete files at
- Cross site scripting: check if cross site scripting (XSS) is allowed on the query parameters
- Default files on WebSphere server: check if default files exist on the WebSphere server
Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability. Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point and then later do analysis, or if you want to compare two scan
• 16. sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.
Scanning Policy
Information gathering
- "Obsolete file" looks for backup copies of known files on the server.
- "Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.
- "Session ID in URL rewrite"
- "Obsolete file extended check"
Client browser
- "Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.
- "Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.
• 17. Server security
- "Directory browsing" looks for directories which disclose the files inside them.
- "IIS default file" looks for default IIS (Internet Information Services) files.
- "ColdFusion default file" looks for default ColdFusion files.
- "Macromedia JRun default files" looks for default Macromedia JRun files.
- "Tomcat source file disclosure"
- "BEA WebLogic example files" looks for default BEA WebLogic files.
- "IBM WebSphere default files" looks for default IBM WebSphere files.
- "Lotus Domino default files" looks for default Lotus Domino files.
Miscellaneous
There are no settings under this tab...
Injection
- "SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.
- "CRLF injection"
- "Server side include"
- "Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.
- "Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.
- "Parameter tampering"
- "SQL Injection"
- "MS SQL Injection Enumeration"
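To show how the passive side of the scanning policy on slides 15 to 17 works, here is an added Python example (not code from the slides or from Paros) that runs several of those checks over constructed sample responses: private IP disclosure, session ID in URL rewrite, directory browsing, password autocomplete, secure page browser cache, and the SQL error-message matching that "SQL Injection Fingerprinting" relies on to judge a response. The example only inspects responses that have already been captured; it sends nothing. The sample URLs, headers, bodies, the error signatures and the alert names are assumptions.

```python
"""Passive response checks modelled on the scanning policy categories.
Added example; the responses below are constructed, not real captures.
Each check takes a response dict and returns an alert string or None."""
import re

# Constructed sample responses (assumed URLs, headers and bodies).
RESPONSES = [
    {"url": "https://www.example.com/account", "status": 200,
     "headers": {"Content-Type": "text/html", "Cache-Control": "public, max-age=600"},
     "body": '<form><input type="password" name="pw"></form>'},
    {"url": "http://www.example.com/app;jsessionid=8A3F2C?view=home", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": "Connected to db at 10.0.3.15 ... Welcome"},
    {"url": "http://www.example.com/uploads/", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": "<title>Index of /uploads/</title><a href='?C=M;O=A'>Last modified</a>"},
    {"url": "http://www.example.com/search?q=x", "status": 500,
     "headers": {"Content-Type": "text/html"},
     "body": "You have an error in your SQL syntax; check the manual"},
    {"url": "http://www.example.com/safe", "status": 200,
     "headers": {"Content-Type": "text/html", "Cache-Control": "no-store"},
     "body": "<p>nothing to see</p>"},
]

# RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
# Session identifiers carried in the URL (path rewrite or query parameter).
SESSION_IN_URL = re.compile(r"(?:;jsessionid=|[?&](?:phpsessid|sessionid|sid)=)", re.I)
DIR_LISTING = re.compile(r"<title>\s*Index of\s*/", re.I)
PASSWORD_INPUT = re.compile(r"""<input[^>]*type=['"]?password['"]?[^>]*>""", re.I)
AUTOCOMPLETE_OFF = re.compile(r"""autocomplete=['"]?off""", re.I)
# Assumed sample of database error signatures (MySQL, Oracle, MSSQL, PDO).
SQL_ERRORS = re.compile(
    r"(?:error in your SQL syntax|ORA-\d{5}|Unclosed quotation mark|SQLSTATE\[)", re.I)


def header(r: dict, name: str) -> str:
    """Case-insensitive header lookup, empty string if absent."""
    return {k.lower(): v for k, v in r["headers"].items()}.get(name.lower(), "")


def check_private_ip(r):
    m = PRIVATE_IP.search(r["body"])
    return f"Private IP disclosure: {m.group(0)}" if m else None


def check_session_in_url(r):
    return "Session ID in URL rewrite" if SESSION_IN_URL.search(r["url"]) else None


def check_directory_browsing(r):
    listed = r["status"] == 200 and DIR_LISTING.search(r["body"])
    return "Directory browsing" if listed else None


def check_password_autocomplete(r):
    # Flag any password field that does not opt out of browser autocomplete.
    for tag in PASSWORD_INPUT.findall(r["body"]):
        if not AUTOCOMPLETE_OFF.search(tag):
            return "Password autocomplete in browser"
    return None


def check_secure_page_cache(r):
    # An HTTPS page is cacheable unless Cache-Control forbids storing it.
    if not r["url"].lower().startswith("https://"):
        return None
    if "no-store" in header(r, "Cache-Control").lower():
        return None
    return "Secure page browser cache"


def check_sql_error(r):
    return "SQL error message in response" if SQL_ERRORS.search(r["body"]) else None


CHECKS = [check_private_ip, check_session_in_url, check_directory_browsing,
          check_password_autocomplete, check_secure_page_cache, check_sql_error]


def scan(responses) -> dict:
    """Run every check on every response; returns {url: [alerts]} for URLs with alerts."""
    report = {}
    for r in responses:
        alerts = [a for a in (check(r) for check in CHECKS) if a]
        if alerts:
            report[r["url"]] = alerts
    return report


if __name__ == "__main__":
    for url, alerts in scan(RESPONSES).items():
        print(url, "->", ", ".join(alerts))
```

Every check here is a pattern match on data the proxy has already seen, which is what makes the "Information gathering", "Client browser" and "Server security" categories cheap to run on every URL in the tree; the "Injection" category is different in kind because it has to send modified requests before it can look at a response.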
• 18. Conclusion
Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, a cookie misconfiguration, or another elusive problem that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof of concept web application exploits. Paros' cross-platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform.
Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer. Overall I find Paros is one of those easy tools I reach for more often over time, and I think it would make a valuable addition to any web developer's or application tester's arsenal.