Ethical Hacker Community Forums

http://www.parosproxy.org/index.shtml

If data is allowed to be modified before it is sent, this opens a whole can of hacking worms. Let your imagination run wild.

Don

This is a good tool but it missed dome things that we were looking for like XSS vulnerabilities.  It has a pretty good output and is not messy like most free tools.

Paros is very interesting.  In one of our CEH labs, we used to inject variables and change the prices of products. 

We even tried it on a website (unsanctioned by the class, of course!!!) for a plasma tv and changed the price to $200.   ;D

Of course we didn't execute it.  It works as a proxy to examine web scripting.

Dan Kuykendall of MightySeek.com put together a page for a web hacking toolkit. It includes Paros and some other proxies. There's a cool Firefox extension that allows for quick switching of proxies also.

http://www.mightyseek.com/web-hacking-toolkit/

He has a hands on series podcast that covers sql injection and now cross site scripting. Very informative and easy to follow. Even has a sandbox server set up to test out his stuff.

paros is a good tool and you can get thru most of the webgoat levels with it.

an alternate to it (without the site scanning piece) is the tamper data extension for firefox, the poster above aludes to it.  its a quick easy tool to modify data on the fly.  useful on those hackme websites as well.

Another good tool is burp-suite. This contains many more features rather than just intercepting & modifying request / response.

I'm looking at Paros now in my lab, along with Spike, burpsuite (which I already like), webscarab, and Nikto.  I'll let you know what my thoughts are when I'm done in a couple of weeks... if I remember to.  haha

Paros is a great tool to have in your suite.  It provides a great proxy for, as mentioned, the modification of requests and responses.  It can spider a website and analyze it for XSS, SQL injection, and unwanted file vulnerabilities.  The biggest feature it is lacking, IMHO, is a fuzzer.  But since there are plenty of other tools out there to perform this function it is probably not necessary.

One thing to watch out for when using this tool is that fact that it includes the Paros name in the User Agent string.  The program is configured to automatically place Paros and the version number at the end of the User Agent and, the last time I checked, you could not change this through the GUI.  Why is this a problem, you ask?  Well, by placing the name of the tool in the User Agent it gives the web developers a mechanism to monitor for and deny access to this tool.  It was probably included explicitly for this purpose.  The good news is that the Paros Proxy project provides the source code for their tool.  This proxy is written in Java and therefore can easily be modified.  A while back I blogged about this subject.  Although the version is dated the concept and steps should still be the same.  If you are interested you can find the post at http://www.cutawaysecurity.com/blog/archives/9 (http://www.cutawaysecurity.com/blog/archives/9).

I hope this helps.

Paros is indespensible as one of those tools that isn't quite matched by anything else. If you are looking to tamper with HTTP requests it's worth taking a look at Fiddler.

http://www.fiddlertool.com/fiddler/

Fiddler will also allow you to alter requests before they are sent by setting a breakpoint before each request. It's a great tool that fits with MSIE almost seamlessly, so no need to change your proxy settings.

Jim