.

Paros - Web App Security Assessment Tool

<<

don

User avatar

Administrator
Administrator

Posts: 4265

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Jun 08, 2006 3:46 pm

Paros - Web App Security Assessment Tool

We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.


http://www.parosproxy.org/index.shtml

If data is allowed to be modified before it is sent, this opens a whole can of hacking worms. Let your imagination run wild.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Dengar13

User avatar

Sr. Member
Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Thu Jun 15, 2006 3:16 pm

Re: Paros - Web App Security Assessment Tool

This is a good tool but it missed dome things that we were looking for like XSS vulnerabilities.  It has a pretty good output and is not messy like most free tools.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

charlottebandit

Newbie
Newbie

Posts: 49

Joined: Sat Jun 10, 2006 4:26 pm

Post Wed Jul 26, 2006 2:55 pm

Re: Paros - Web App Security Assessment Tool

Paros is very interesting.  In one of our CEH labs, we used to inject variables and change the prices of products. 

We even tried it on a website (unsanctioned by the class, of course!!!) for a plasma tv and changed the price to $200.  ;D

Of course we didn't execute it.  It works as a proxy to examine web scripting.
MS, CCSP, CCNP, CCDP, CEH, CHFI, CPTS
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Fri Jul 28, 2006 11:54 am

Re: Paros - Web App Security Assessment Tool

Dan Kuykendall of MightySeek.com put together a page for a web hacking toolkit. It includes Paros and some other proxies. There's a cool Firefox extension that allows for quick switching of proxies also.

http://www.mightyseek.com/web-hacking-toolkit/

He has a hands on series podcast that covers sql injection and now cross site scripting. Very informative and easy to follow. Even has a sandbox server set up to test out his stuff.
CISSP
<<

LSOChris

Post Sat Jul 29, 2006 11:48 am

Re: Paros - Web App Security Assessment Tool

paros is a good tool and you can get thru most of the webgoat levels with it.

an alternate to it (without the site scanning piece) is the tamper data extension for firefox, the poster above aludes to it.  its a quick easy tool to modify data on the fly.  useful on those hackme websites as well.
<<

chugh_a

Newbie
Newbie

Posts: 15

Joined: Thu Sep 21, 2006 12:47 am

Post Tue Sep 26, 2006 6:18 am

Re: Paros - Web App Security Assessment Tool

Another good tool is burp-suite. This contains many more features rather than just intercepting & modifying request / response.
CEH
<<

psychorugger

Newbie
Newbie

Posts: 12

Joined: Tue Dec 05, 2006 10:57 am

Location: DC, Maryland

Post Thu Dec 07, 2006 12:08 pm

Re: Paros - Web App Security Assessment Tool

I'm looking at Paros now in my lab, along with Spike, burpsuite (which I already like), webscarab, and Nikto.  I'll let you know what my thoughts are when I'm done in a couple of weeks... if I remember to.  haha
IAM, IEM, RWSP, CPTS
<<

Cutaway

User avatar

Jr. Member
Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Mon Dec 25, 2006 2:25 pm

Re: Paros - Web App Security Assessment Tool

Paros is a great tool to have in your suite.  It provides a great proxy for, as mentioned, the modification of requests and responses.  It can spider a website and analyze it for XSS, SQL injection, and unwanted file vulnerabilities.  The biggest feature it is lacking, IMHO, is a fuzzer.  But since there are plenty of other tools out there to perform this function it is probably not necessary.

One thing to watch out for when using this tool is that fact that it includes the Paros name in the User Agent string.  The program is configured to automatically place Paros and the version number at the end of the User Agent and, the last time I checked, you could not change this through the GUI.  Why is this a problem, you ask?  Well, by placing the name of the tool in the User Agent it gives the web developers a mechanism to monitor for and deny access to this tool.  It was probably included explicitly for this purpose.  The good news is that the Paros Proxy project provides the source code for their tool.  This proxy is written in Java and therefore can easily be modified.  A while back I blogged about this subject.  Although the version is dated the concept and steps should still be the same.  If you are interested you can find the post at http://www.cutawaysecurity.com/blog/archives/9.

I hope this helps.
Go forth and do good things,
Cutaway
<<

jimbob

Post Fri Dec 29, 2006 4:38 am

Re: Paros - Web App Security Assessment Tool

Paros is indespensible as one of those tools that isn't quite matched by anything else. If you are looking to tamper with HTTP requests it's worth taking a look at Fiddler.

http://www.fiddlertool.com/fiddler/

Fiddler will also allow you to alter requests before they are sent by setting a breakpoint before each request. It's a great tool that fits with MSIE almost seamlessly, so no need to change your proxy settings.

Jim

Return to Tools

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software