PAROS proxy tool



Table of Contents

  PAROS Features ......................... 2
  Installing PAROS ....................... 2
  Configuring Paros Proxy ................ 5
  Using PAROS ............................ 8
  Spider with Paros Proxy ................ 12
  Scanning with Paros Proxy .............. 14
  Scanning Policy ........................ 16
  Conclusion ............................. 18




       ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹ 
PAROS proxy tool



PAROS is a program for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

Download PAROS: http://www.parosproxy.org/download.shtml


PAROS Features:


Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.


Installing PAROS


Ensure the Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the Java Runtime Environment installed, start the installation by executing the installation file you downloaded from the Paros Proxy website.




                ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                       • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                                       ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                             2
PAROS proxy tool



The first screen of the installer is the welcome screen, which lets you know that you are about to install Paros Proxy. Click "Next" to continue.




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’    ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹         3
PAROS proxy tool




You have now installed Paros Proxy. Click "Finish" to exit the installer.




        ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    4
PAROS proxy tool



Configuring Paros Proxy

Start the PAROS proxy tool.

Go to Tools → Options




The local proxy settings control what address and port it should listen on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running, let's set up our browser to utilize Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we're going to configure Firefox 3 to utilize Paros as a proxy. To do this we go to the 'Tools' menu and select 'Options'. Next you want to click on the 'Advanced' icon and select the 'Network' tab:




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                 • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                              ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                  5
PAROS proxy tool




Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. You want to select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080:




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    6
PAROS proxy tool




Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information.




         ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹     7
PAROS proxy tool



Using PAROS




The main interface is divided into 3 sections:

  1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
  2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
  3. On the bottom you have the request/response history of any request being made while using Paros. Please note that by default image requests are not displayed in the history view. It also contains the Spider results, any alerts from various filters and finally the output of the alerted page.


Now access your website (the one you want to test).




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                      • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                 8
PAROS proxy tool




When you want to intercept requests you just go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server you check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.
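As an added illustration (my own code, not from the Paros project) of the three editable places just described, the following Python parses a trapped request into its request line, headers, Cookie header, query parameters and form body, lets each be changed, and rebuilds the bytes that "Continue" would forward, with the Content-Length corrected after a body edit; the request bytes in the demo are constructed samples.

```python
"""Parse, edit and re-serialize an HTTP request the way a trapped request is
edited in the proxy: GET parameters live in the request line, POST fields in the
body, cookies in the Cookie header.  Added illustration, not Paros code; the
request bytes used in the demo are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class TrappedRequest:
    method: str
    target: str                       # path plus optional ?query
    version: str
    headers: List[Tuple[str, str]]    # (name, value) pairs, order preserved
    body: str = ""

    @classmethod
    def parse(cls, raw: bytes) -> "TrappedRequest":
        """Split a raw request into request line, headers and body."""
        head, _, body = raw.decode("iso-8859-1").partition("\r\n\r\n")
        request_line, *header_lines = head.split("\r\n")
        method, target, version = request_line.split(" ", 2)
        headers = []
        for line in header_lines:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        return cls(method, target, version, headers, body)

    def header(self, name: str) -> Optional[str]:
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name: str, value: str) -> None:
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))

    # GET parameters: the query string of the request line
    def query_params(self) -> dict:
        return dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))

    def set_query_param(self, key: str, value: str) -> None:
        params = self.query_params()
        params[key] = value
        self.target = urlunsplit(urlsplit(self.target)._replace(query=urlencode(params)))

    # POST parameters: the url-encoded body; Content-Length must follow the edit
    def form_fields(self) -> dict:
        return dict(parse_qsl(self.body, keep_blank_values=True))

    def set_form_field(self, key: str, value: str) -> None:
        fields = self.form_fields()
        fields[key] = value
        self.body = urlencode(fields)
        self.set_header("Content-Length", str(len(self.body.encode("iso-8859-1"))))

    # Cookies: the Cookie header, "name=value" pairs separated by "; "
    def cookies(self) -> dict:
        raw = self.header("Cookie") or ""
        pairs = (c.split("=", 1) for c in raw.split(";") if "=" in c)
        return {k.strip(): v.strip() for k, v in pairs}

    def set_cookie(self, key: str, value: str) -> None:
        jar = self.cookies()
        jar[key] = value
        self.set_header("Cookie", "; ".join(f"{k}={v}" for k, v in jar.items()))

    def serialize(self) -> bytes:
        """Rebuild the bytes that 'Continue' would forward to the server."""
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in self.headers]
        return ("\r\n".join(lines) + "\r\n\r\n" + self.body).encode("iso-8859-1")


if __name__ == "__main__":
    # Constructed sample: a trapped POST whose form field is changed before forwarding
    raw = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 21\r\n\r\nuser=alice&remember=0")
    req = TrappedRequest.parse(raw)
    req.set_form_field("remember", "1")
    print(req.serialize().decode())
```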




            ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹              9
PAROS proxy tool




Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right click the row in the bottom frame and select 'Resend':




        ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’           • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹    1 0
PAROS proxy tool




Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request, but also the HTML that you get back.




              ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’             • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                             ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                          1 1
PAROS proxy tool




Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard-to-reach areas of HTTP communications like cookies or HTTP headers.


Spider with Paros Proxy

The Spider is used to crawl websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:




                     ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                         • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’   ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹     1 2
PAROS proxy tool



  • Crawl HTTP and HTTPS websites based on a given URL, e.g. http://www.example.com or https://www.example.com
  • Support cookies
  • Support proxy chaining, which is set at the <Proxy Chain> field in the Option tab (but setting the <Skip> field has no effect on the spider)
  • Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

  • SSL websites with an invalid certificate cannot be crawled
  • Multi-threading is not supported
  • Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by JavaScript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (Sites) [the site should already have been browsed from the browser].

Go to Analyse → Spider




          ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                      • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹       1 3
PAROS proxy tool




Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths and check if there exist any backup files (.bak) which could expose server information. In order to use this function, you need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things:

  • If you want to scan all websites on the tree, you can then click on the menu item "Tree" → "Scan All" to trigger the scanning.
  • If you just want to scan one website on the tree, you can click on that site in the tree panel and click the menu item "Tree" → "Scan selected Node" (you can also right-click on the tree view and choose the options).

Currently, Paros has the following checks:

  • HTTP PUT allowed – check if the PUT option is enabled at server directories
  • Directory indexable – check if the server directories are browsable.
  • Obsolete files existed – check if there exist obsolete files at
  • Cross-site scripting – check if cross-site scripting (XSS) is allowed on the query parameters
  • Default files on websphere server – check if default files exist on the websphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.




Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point and then later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy

Information gathering

"Obsolete file" looks for backup copies of known files of the server.

"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.

"Session ID in URL rewrite"

"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.

"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.




           ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’            • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹         1 6
PAROS proxy tool



Server security

"Directory browsing" looks for directories which disclose the files inside them.

"IIS default file" looks for default IIS (Internet Information Services) files.

"ColdFusion default file" looks for default ColdFusion files.

"Macromedia JRun default files" looks for default Macromedia JRun files.

"Tomcat source file disclosure"

"BEA WebLogic example files" looks for default BEA WebLogic files.

"IBM WebSphere default files" looks for default IBM WebSphere files.

"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab...

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.

"CRLF injection"

"Server side include"

"Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.

"Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.

"Parameter tampering"

"SQL Injection"

"MS SQL Injection Enumeration"
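
The following added example (my own code, not part of Paros) implements passive versions of five of the policy checks above ("Private IP disclosure", "Session ID in URL rewrite", "Password Autocomplete in browser", "Secure page browser cache" and "Directory browsing") and runs every check against every captured URL, the way the scanner walks the hierarchy; the Response and Alert types, the function names and the sample responses are my own constructions.

```python
"""Passive versions of five of the scanning-policy checks described above, run over
responses the proxy has already captured (nothing is sent to the server).
Added example, not Paros code: check logic, names and sample traffic are my own."""
import re
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple


class Response(NamedTuple):
    url: str
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: str


class Alert(NamedTuple):
    check: str
    url: str
    evidence: str


# RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16
PRIVATE_IP = re.compile(r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
                        r"|192\.168\.\d{1,3}\.\d{1,3})\b")
# Session token rewritten into the URL as a path or query parameter
SESSION_IN_URL = re.compile(r"(?:;jsessionid=|[?&](?:phpsessid|sessionid|sid)=)([^&#]+)", re.I)


class PasswordFieldScanner(HTMLParser):
    """Collects <input type=password> fields that the browser may offer to save."""
    def __init__(self) -> None:
        super().__init__()
        self.unprotected: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "input" and a.get("type", "").lower() == "password":
            if a.get("autocomplete", "").lower() != "off":
                self.unprotected.append(a.get("name", "<unnamed>"))


def check_private_ip(r: Response) -> List[Alert]:
    # Private IP disclosure: internal addresses in page bodies or error messages
    found = sorted(set(PRIVATE_IP.findall(r.body)))
    return [Alert("Private IP disclosure", r.url, ip) for ip in found]


def check_session_in_url(r: Response) -> List[Alert]:
    # Session ID in URL rewrite: the token leaks into logs, referers and history
    m = SESSION_IN_URL.search(r.url)
    return [Alert("Session ID in URL rewrite", r.url, m.group(1))] if m else []


def check_password_autocomplete(r: Response) -> List[Alert]:
    # Password Autocomplete in browser: password inputs without autocomplete=off
    p = PasswordFieldScanner()
    p.feed(r.body)
    return [Alert("Password Autocomplete in browser", r.url, n) for n in p.unprotected]


def check_secure_page_cache(r: Response) -> List[Alert]:
    # Secure page browser cache: an https page with no directive forbidding caching
    if not r.url.lower().startswith("https://"):
        return []
    cc = r.headers.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc or "no-cache" in r.headers.get("pragma", "").lower():
        return []
    return [Alert("Secure page browser cache", r.url, "Cache-Control: " + (cc or "<absent>"))]


def check_directory_browsing(r: Response) -> List[Alert]:
    # Directory browsing: a 200 response that is an auto-generated index listing
    if r.status == 200 and re.search(r"<title>\s*Index of /", r.body, re.I):
        return [Alert("Directory browsing", r.url, "'Index of /' listing")]
    return []


CHECKS = [check_private_ip, check_session_in_url, check_password_autocomplete,
          check_secure_page_cache, check_directory_browsing]


def scan_history(responses: List[Response]) -> List[Alert]:
    """Every check against every captured URL, the way the scanner walks the tree."""
    alerts: List[Alert] = []
    for r in responses:
        for check in CHECKS:
            alerts.extend(check(r))
    return alerts


# Constructed sample traffic standing in for the proxy's history view.
SAMPLE = [
    Response("https://www.example.com/login;jsessionid=9F2A1C", 200, {"content-type": "text/html"},
             '<form method="post"><input type="text" name="user">'
             '<input type="password" name="pass"></form>'),
    Response("https://www.example.com/account", 200,
             {"content-type": "text/html", "cache-control": "no-store"}, "<p>Welcome back.</p>"),
    Response("http://www.example.com/static/", 200, {"content-type": "text/html"},
             "<html><title>Index of /static/</title><body><a href='app.js.bak'>app.js.bak</a></body></html>"),
    Response("http://www.example.com/error", 500, {"content-type": "text/plain"},
             "Connection to 192.168.10.25:3306 refused (pool 10.0.0.7)"),
]

if __name__ == "__main__":
    for a in scan_history(SAMPLE):
        print(f"[{a.check}] {a.url} :: {a.evidence}")
```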


           ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’              • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’           ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹       1 7
PAROS proxy tool



Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, or a cookie misconfiguration, or other elusive problems that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof of concept web application exploits.

Paros' cross-platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer. Overall I find Paros is one of those easy tools I reach for more often over time and I think it would make a valuable addition to any web developer's or application tester's arsenal.




                      ‘™Ž‘ƒ†‡† ˆ”‘ Š – – ’                                     • ‹ – ‡• ‰ ‘‘‰ Ž‡ … ‘ • ‹ – ‡ ƒ… – ‹ ˜ ‡š ’ ‡”– ‘” Š – – ’                                      ƒ… – ‹ ˜ ‡š ’ ‡”– „ Ž‘‰ … ‘ ‹                   1 8

Experiences, by Diana Nog. & Vanda, 9A
 
Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)
 
eTwinning Calendar 2012
eTwinning Calendar 2012eTwinning Calendar 2012
eTwinning Calendar 2012
 
Portuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, PortugalPortuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, Portugal
 
La higiene en la preparació dels aliments
La higiene en la preparació dels alimentsLa higiene en la preparació dels aliments
La higiene en la preparació dels aliments
 
Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016
 
My Audience Profile
My Audience ProfileMy Audience Profile
My Audience Profile
 
Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?
 
Processor grafxtron
Processor grafxtronProcessor grafxtron
Processor grafxtron
 
Clase 3. alcantarillado sanitario
Clase 3.  alcantarillado sanitarioClase 3.  alcantarillado sanitario
Clase 3. alcantarillado sanitario
 
Trabajo de miki y èdro
Trabajo de miki y èdroTrabajo de miki y èdro
Trabajo de miki y èdro
 
El proceso de redaccion
El proceso de redaccionEl proceso de redaccion
El proceso de redaccion
 
Lectura de planos2
Lectura de planos2Lectura de planos2
Lectura de planos2
 
Clase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaClase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográfica
 

PAROS proxy tool

Download PAROS: http://www.parosproxy.org/download.shtml

PAROS Features:

Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak, and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.

Installing PAROS

Ensure the Java Runtime Environment (JRE) 1.4 or above is installed. Once you have the Java Runtime Environment installed, start the installation by executing the installation file you downloaded from the Paros Proxy website.
The first screen of the installer is the welcome screen, which lets you know that you are about to install Paros Proxy. Click "Next" to continue.
You have now installed Paros Proxy. Click "Finish" to exit the installer.
Configuring Paros Proxy

Start the PAROS proxy tool and go to Tools > Options. The Local proxy settings control what address and port Paros listens on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running, let's set up our browser to use Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we are going to configure Firefox 3 to use Paros as a proxy. To do this, go to the 'Tools' menu and select 'Options'. Next, click on the 'Advanced' icon and select the 'Network' tab:
Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. Select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080:
Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information. For https:// sites the browser will show a certificate warning, because it now receives Paros' own certificate instead of the site's; accept it only in the browser profile you use for testing.
Using PAROS

The main interface is divided into 3 sections:

1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
3. On the bottom you have the request/response history of every request made while using Paros. Please note that by default image requests are not displayed in the history view. This section also contains the Spider results, any alerts from the various filters and finally the output of the alerted page.

Now access the website you want to test.
When you want to intercept requests, go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server, check the "Trap response" checkbox as well).

GET requests are displayed in the header section of the interface, which is editable: modify the request parameters or other data and click "Continue" to send the modified request to the server. POST requests are displayed in both the header and the body sections, both of which are editable; change the parameters or other data in either section and click "Continue". Cookies are displayed in the header section (the Cookie: line), which is likewise editable: modify the cookie values and click "Continue" to send the modified request to the server.
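What the trap window lets you do by hand can be written down as code, which makes the three edit points above concrete: the query string and Cookie line in the header section, and the form fields in the body section. The following is an added example, not code from Paros or from the original document. It parses a trapped request exactly as Paros shows it (header section, blank line, body section), changes a query parameter, a cookie and a POST field, and rebuilds the request with a recomputed Content-Length. The host name, parameter names and cookie values in the sample request are constructed.

```python
"""Added example: edit a trapped HTTP request the way the Paros trap window
lets you, then rebuild it so it is still valid on the wire."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample request, in the form Paros displays it when trapped.
SAMPLE_POST = (
    "POST /login?next=%2Faccount&debug=0 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: sessionid=abc123; role=user\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "username=alice&password=pw1"
)


class HttpRequest:
    """A trapped request: request line, ordered headers, raw body."""

    def __init__(self, method, target, version, headers, body):
        self.method, self.target, self.version = method, target, version
        self.headers = headers  # list of (name, value); order is preserved
        self.body = body

    @classmethod
    def parse(cls, raw):
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        return cls(method, target, version, headers, body)

    def get_header(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def set_header(self, name, value):
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                self.headers[i] = (n, value)
                return
        self.headers.append((name, value))

    # The three places the text says you can edit before clicking Continue.
    def query(self):
        return dict(parse_qsl(urlsplit(self.target).query, keep_blank_values=True))

    def set_query_param(self, key, value):
        parts = urlsplit(self.target)
        q = self.query()
        q[key] = value
        self.target = urlunsplit(parts._replace(query=urlencode(q)))

    def cookies(self):
        out = {}
        for item in (self.get_header("Cookie") or "").split(";"):
            k, sep, v = item.strip().partition("=")
            if sep:
                out[k] = v
        return out

    def set_cookie(self, key, value):
        c = self.cookies()
        c[key] = value
        self.set_header("Cookie", "; ".join(f"{k}={v}" for k, v in c.items()))

    def form(self):
        return dict(parse_qsl(self.body, keep_blank_values=True))

    def set_form_field(self, key, value):
        f = self.form()
        f[key] = value
        self.body = urlencode(f)
        # The body length changed, so Content-Length must be recomputed or the
        # server will truncate the body or wait for bytes that never arrive.
        self.set_header("Content-Length", str(len(self.body.encode())))

    def serialize(self):
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{n}: {v}" for n, v in self.headers]
        return "\r\n".join(lines) + "\r\n\r\n" + self.body


def tamper(raw):
    """Edit a trapped request the way a tester would before 'Continue'."""
    req = HttpRequest.parse(raw)
    req.set_query_param("debug", "1")               # query string, header section
    req.set_cookie("role", "admin")                 # Cookie line, header section
    req.set_form_field("password", "' OR '1'='1")   # form field, body section
    return req.serialize()


if __name__ == "__main__":
    print(tamper(SAMPLE_POST))
```

The Content-Length update is the part people forget when editing a body by hand; a request whose declared length no longer matches its body is the most common reason a modified POST "hangs" or is rejected.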
Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right-click the row in the bottom frame and select 'Resend':
Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request but also the HTML that you get back.
Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard-to-reach areas of HTTP communications like cookies or HTTP headers.

Spider with Paros Proxy

The Spider is used to crawl websites and gather as many URL links as possible. This gives you a picture of the website hierarchy tree in a short time, before manual navigation. Currently, the "Spider" function is in beta. Its functionality includes:

• Crawl HTTP and HTTPS websites starting from a given URL, e.g. http://www.example.com or https://www.example.com
• Cookie support
• Proxy chaining support, which is set in the <ProxyChain> field of the Options tab (setting the <Skip> field has no effect on the spider)
• Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

• SSL websites with an invalid certificate cannot be crawled
• Multi-threading is not supported
• Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by JavaScript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site in the left panel (Sites); the site should already have been browsed from the browser. Then go to Analyse > Spider.
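The following is an added example in the spirit of the spider described above, not Paros' own spider code. It is a single-threaded, breadth-first crawler that follows href/src/action links in static HTML, stays on the starting host, discards URL fragments, and builds the same host/directory/page hierarchy that the Sites panel shows. It runs against a constructed in-memory site (all host names and paths are made up) so it works offline, and that site deliberately includes a URL that is only built by JavaScript to show the documented limitation: the spider never finds it, and only manual navigation would add it to the tree.

```python
"""Added example: a simple spider plus hierarchy-tree builder, run over a
constructed in-memory site."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed site: URL -> HTML body. A missing key behaves like a 404.
FAKE_SITE = {
    "http://www.example.com/": (
        '<a href="/about">About</a> <a href="docs/index.html">Docs</a>'
        '<form action="/search" method="get"></form>'
        '<a href="http://other.example.org/">external</a>'
        '<script>location.href = "/admin/" + "panel";</script>'
    ),
    "http://www.example.com/about": '<a href="/">Home</a> <a href="/about#team">Team</a>',
    "http://www.example.com/docs/index.html": '<a href="../about">Back</a> <img src="/img/logo.png">',
    "http://www.example.com/search": "<p>search form target</p>",
    "http://www.example.com/img/logo.png": "",
    "http://www.example.com/admin/panel": "<p>only reachable through JavaScript</p>",
}


def fake_fetch(url):
    """Stand-in for an HTTP GET: returns the body, or None for a 404."""
    return FAKE_SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collects link-bearing attributes from static HTML only; script text
    is never evaluated, which is why JavaScript-built URLs are missed."""
    LINK_ATTRS = {"a": "href", "link": "href", "form": "action",
                  "img": "src", "script": "src", "iframe": "src", "frame": "src"}

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LINK_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def spider(start_url, fetch=fake_fetch, max_pages=500):
    """Breadth-first crawl; returns the list of URLs fetched, in order."""
    host = urlsplit(start_url).netloc
    queue, seen, found = deque([start_url]), {start_url}, []
    while queue and len(found) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:          # 404 or unreachable: not added to the tree
            continue
        found.append(url)
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            absolute, _fragment = urldefrag(urljoin(url, link))
            if urlsplit(absolute).netloc != host:   # stay on the target host
                continue
            if absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return found


def build_tree(urls):
    """Nest URLs as host -> directory -> page, like the Paros Sites panel."""
    tree = {}
    for url in urls:
        parts = urlsplit(url)
        node = tree.setdefault(parts.netloc, {})
        for segment in parts.path.split("/"):
            if segment:
                node = node.setdefault(segment, {})
    return tree


if __name__ == "__main__":
    found = spider("http://www.example.com/")
    for url in found:
        print(url)
    print(build_tree(found))
```

Swap `fake_fetch` for a function that performs a real GET (through the Paros listener if you want the responses to land in its history) and the rest is unchanged; keep the same-host check, or the crawl will wander off into every third-party site the pages link to.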
Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree in the left panel). It can check whether there is any server misconfiguration. A purely automatic scanner may not discover the site's paths on its own, so it cannot check, for example, whether backup files (.bak) that could expose server information exist at those paths. In order to use this function, you therefore need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree is built by Paros automatically. Then you can do the following:

• If you want to scan all websites in the tree, click on the menu item "Tree" → "Scan All" to trigger the scan.
• If you just want to scan one website in the tree, click on that site in the tree panel and then click the menu item "Tree" → "Scan selected Node" (you can also right-click in the tree view and choose the option there).

Currently, Paros has the following checks:

• HTTP PUT allowed: checks if the PUT method is enabled on server directories
• Directory indexable: checks if the server directories can be browsed
• Obsolete files existed: checks for obsolete files
• Cross-site scripting: checks if cross-site scripting (XSS) is possible through the query parameters
• Default files on WebSphere server: checks if default files exist on a WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.

Paros can also save and reload sessions. This is a great help if you need to do exploration at one point and analysis later, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy

Information gathering

"Obsolete file" looks for backup copies of known files on the server.
"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.
"Session ID in URL rewrite"
"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow themselves to be saved in the browser.
"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.
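Four of the policy checks above are passive: they need nothing beyond the URL, response headers and body that Paros already holds for every entry in its history. The following is an added example that implements "Private IP disclosure", "Session ID in URL rewrite", "Password Autocomplete in browser" and "Secure page browser cache" over one such URL/headers/body triple. The detection rules are this example's own reading of the check names, not Paros' code; the sample response is constructed, and the private-range, session-parameter and cache-directive lists are assumptions that a real policy would extend.

```python
"""Added example: passive policy checks over a captured response."""
import re
from html.parser import HTMLParser

# RFC 1918 ranges; an internal address in a public page usually leaks
# topology (a backend host, a load balancer's real address).
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
# Session identifiers carried in the URL instead of a cookie, either as a
# path parameter (;jsessionid=...) or a query parameter (?PHPSESSID=...).
SESSION_ID_RE = re.compile(
    r"[;?&](jsessionid|phpsessid|aspsessionid\w*|sessionid|sid)=([^&;#?\"'\s<>]+)",
    re.I,
)


def check_private_ip_disclosure(body):
    return sorted(set(PRIVATE_IP_RE.findall(body)))


def check_session_id_in_url(url, body):
    """Looks at the page's own URL and at every URL referenced in the body."""
    hits = set()
    for m in SESSION_ID_RE.finditer(url):
        hits.add(m.group(1).lower())
    for link in re.findall(r"(?:href|src|action)\s*=\s*[\"']([^\"']+)", body, re.I):
        for m in SESSION_ID_RE.finditer(link):
            hits.add(m.group(1).lower())
    return sorted(hits)


class PasswordFieldAuditor(HTMLParser):
    """Password inputs with no autocomplete=off on the field or its form."""

    def __init__(self):
        super().__init__()
        self.form_off = False
        self.unprotected = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type") == "password":
            if not (self.form_off or a.get("autocomplete") == "off"):
                self.unprotected.append(a.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False


def check_password_autocomplete(body):
    auditor = PasswordFieldAuditor()
    auditor.feed(body)
    return auditor.unprotected


def check_secure_page_cache(url, headers):
    """An https page counts as cacheable unless the server sent
    Cache-Control: no-store / no-cache or Pragma: no-cache."""
    if not url.lower().startswith("https://"):
        return False
    h = {k.lower(): v.lower() for k, v in headers.items()}
    directives = {d.strip() for d in h.get("cache-control", "").split(",")}
    if directives & {"no-store", "no-cache"}:
        return False
    return h.get("pragma") != "no-cache"


def scan_response(url, headers, body):
    """Run every check; returns a list of (check name, evidence) alerts."""
    alerts = []
    ips = check_private_ip_disclosure(body)
    if ips:
        alerts.append(("Private IP disclosure", ips))
    sids = check_session_id_in_url(url, body)
    if sids:
        alerts.append(("Session ID in URL rewrite", sids))
    fields = check_password_autocomplete(body)
    if fields:
        alerts.append(("Password Autocomplete in browser", fields))
    if check_secure_page_cache(url, headers):
        alerts.append(("Secure page browser cache", headers.get("Cache-Control")))
    return alerts


# Constructed sample response: every check should fire on it.
SAMPLE_URL = "https://www.example.com/account;jsessionid=ABC123?view=1"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public, max-age=600"}
SAMPLE_BODY = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<a href="/help?PHPSESSID=9f8e7d">Help</a>
<!-- backend error: connection to 192.168.1.25:3306 refused -->
"""

if __name__ == "__main__":
    for name, evidence in scan_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{name}: {evidence}")
```

Because these checks never send a request, they can be run over a saved session after the fact, which is exactly the exploration-now, analysis-later workflow the save/reload feature is meant for.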
Server security

"Directory browsing" looks for directories which disclose the files inside them.
"IIS default file" looks for default IIS (Internet Information Services) files.
"ColdFusion default file" looks for default ColdFusion files.
"Macromedia JRun default files" looks for default Macromedia JRun files.
"Tomcat source file disclosure"
"BEA WebLogic example files" looks for default BEA WebLogic files.
"IBM WebSphere default files" looks for default IBM WebSphere files.
"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab.

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.
"CRLF injection"
"Server side include"
"Cross site scripting" tries to inject cross-site scripting strings into input fields and looks for their presence in the responding page.
"Cross site scripting without brackets" does the same, except that it doesn't include the "<" and ">" brackets in the test strings.
"Parameter tampering"
"SQL Injection"
"MSSQL Injection Enumeration"
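The three injection checks that the policy describes in words ("SQL Injection Fingerprinting", "Cross site scripting" and "Cross site scripting without brackets") share one shape: tamper one parameter at a time, send the request, and look in the response either for a database error message or for the injected string coming back unchanged. The following is an added example of that loop, not Paros' scanner code, driven against a constructed request handler and its hardened twin. The fake database, the payload list and the error-message patterns are this example's own assumptions; a real scanner carries far longer lists.

```python
"""Added example: active injection checks against a constructed handler."""
import html
import re

SQL_PAYLOADS = ["'", "' OR '1'='1", "1;--"]
SQL_ERROR_RE = re.compile(
    r"error in your SQL syntax|ORA-\d{5}|SQLSTATE\[|unclosed quotation mark"
    r"|syntax error at or near|SQLite3::",
    re.I,
)
XSS_WITH_BRACKETS = "<paros_xss_test>"
XSS_WITHOUT_BRACKETS = '" onmouseover="paros_xss_test'


class FakeDb:
    """Pretends to be a MySQL client: string-built SQL with an unbalanced
    quote fails with MySQL's error text, bound parameters never fail."""

    def execute(self, sql):
        if sql.count("'") % 2:
            raise RuntimeError(
                "You have an error in your SQL syntax; check the manual that "
                "corresponds to your MySQL server version")
        return ["item 1", "item 2"]

    def execute_parameterized(self, sql, params):
        return ["item 1", "item 2"]


def vulnerable_handler(params, db=FakeDb()):
    """Concatenates 'id' into SQL and echoes 'q' unescaped."""
    try:
        rows = db.execute(f"SELECT name FROM items WHERE id = '{params['id']}'")
        listing = "".join(f"<li>{r}</li>" for r in rows)
    except RuntimeError as err:
        listing = f"<pre>Database error: {err}</pre>"   # error shown to the client
    return f"<p>Results for {params['q']}</p><ul>{listing}</ul>"


def hardened_handler(params, db=FakeDb()):
    """Same page with a bound parameter and HTML-escaped output."""
    rows = db.execute_parameterized("SELECT name FROM items WHERE id = %s", (params["id"],))
    listing = "".join(f"<li>{html.escape(r)}</li>" for r in rows)
    return f"<p>Results for {html.escape(params['q'], quote=True)}</p><ul>{listing}</ul>"


def scan_handler(handler, base_params):
    """Tamper one parameter at a time; return a set of (check, parameter)."""
    findings = set()
    for name in base_params:
        for payload in SQL_PAYLOADS:
            body = handler({**base_params, name: payload})
            if SQL_ERROR_RE.search(body):
                findings.add(("SQL Injection Fingerprinting", name))
        body = handler({**base_params, name: XSS_WITH_BRACKETS})
        if XSS_WITH_BRACKETS in body:
            findings.add(("Cross site scripting", name))
        # Same idea with no angle brackets, for pages that strip or encode
        # only "<" and ">" but reflect quotes inside an attribute unchanged.
        body = handler({**base_params, name: XSS_WITHOUT_BRACKETS})
        if XSS_WITHOUT_BRACKETS in body:
            findings.add(("Cross site scripting without brackets", name))
    return findings


BASE_PARAMS = {"id": "1", "q": "lamp"}   # constructed baseline request

if __name__ == "__main__":
    print("vulnerable:", sorted(scan_handler(vulnerable_handler, BASE_PARAMS)))
    print("hardened:  ", sorted(scan_handler(hardened_handler, BASE_PARAMS)))
```

The fingerprinting check only proves that a database error reached the client, not that the injection is exploitable; and the reflection checks only prove that the string came back verbatim, not that it executes in the page context. Both are exactly the leads the text says Paros hands to a tester who then confirms them by hand through the trap window.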
Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, a cookie misconfiguration, or another elusive problem that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or for developing proof-of-concept web application exploits. Paros' cross-platform nature also argues for its value: learning to use Paros doesn't tie you to any particular operating system or platform.

Paros can be used in conjunction with any browser, and works great alongside Firefox and plugins like Tamper Data or Web Developer. Overall, I find Paros is one of those easy tools I reach for more often over time, and I think it would make a valuable addition to any web developer's or application tester's arsenal.