Paros Proxy

Copyright

This work is Copyright © 2005, 2006, 2007 Michael Boman. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.

About Paros Proxy

"Paros" Proxy was written for people who need to evaluate the security of their web applications. It is free of charge and written entirely in Java. Because Paros sits between the browser and the server as a proxy, all HTTP and HTTPS data exchanged between them, including cookies and form fields, can be intercepted and modified.

Downloading Paros Proxy

You can download the latest version of Paros Proxy from http://www.parosproxy.org/.

Installing Paros Proxy

Ensure that a Java Runtime Environment (JRE) 1.4 or later is installed. If not, go to http://java.sun.com/j2se to download and install it. Once the Java Runtime Environment is installed, start the installation by executing the installer you downloaded from the Paros Proxy website.



The first screen of the installer is the welcome screen which lets you know that you are about to install Paros Proxy. Click "Next" to continue.



The second screen is the license agreement. Read it through and select "I accept the agreement" only if you actually accept it. Click "Next" to continue.



Next you decide where to install Paros. I left it at the default (%PROGRAMFILES%\Paros, see Windows Environment Variables), which in my case is "C:\Program Files\Paros". Click "Next" to continue.



Then it asks you what to call the Start menu folder. Leave it at the default "Paros" unless you have a really good reason not to. Click "Next" to continue.



Additional tasks: depending on your preference, you may or may not want to create a desktop icon for Paros Proxy. Click "Next" to continue.



After a final verification of installation options click "Install" to start the installation.



The files are being copied into the installation directory.



Congratulations! You have now installed Paros Proxy. Click "Finish" to exit the installer.

Configuring Paros Proxy

Connection


If you need to go through a proxy to reach the target machine, enter its details here. First check the "Use an outgoing proxy server" check box to enable the other settings. "Address/Domain name" is the address or host name of your proxy server, while "Port" is the port the outgoing proxy server is listening on. If you don't know these settings, look at your web browser's proxy settings and copy the details from there.

Sometimes you need to authenticate to the web proxy. Just check the "Outgoing proxy server requires authentication" check box and fill in the "Realm" (authentication scope), user name and password for the authentication. Please note that the password will be stored in clear text in the configuration file.

Local proxy


The local proxy settings control which address and port Paros listens on for incoming connections. Remember to configure your web browser to match these settings. It is recommended that you leave the address as either "127.0.0.1" or "localhost" so the proxy is only reachable from your own computer; binding it to an external interface would let anyone on the network route traffic through it.

Authentication


Certificate


View


Trap


Under the Trap options you can configure Paros Proxy to include or exclude particular paths or file extensions using a semicolon-separated list. For example, you may or may not want to intercept JavaScript (*.js) files, or you may simply want to ignore those you have already analyzed.

Spider


Scanner


In the scanner section you configure how many hosts you want to scan concurrently, and how many threads (pages) per host (the total number of scanning threads is hosts * threads per host). There is no hard and fast rule for the optimal settings, as they depend on your network speed, your computer's resources (more threads consume more CPU and RAM) and the application itself.

If the application is very strict about the order in which pages must be visited, you can't scan more than a single page at a time, and some applications are very difficult to scan accurately because of that strict page flow.

Using Paros Proxy


The main interface is divided into 3 sections:

  1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
  2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
  3. On the bottom you have the request/response history of every request made while using Paros. Please note that by default image requests are not displayed in the history view. This section also contains the Spider results, any alerts raised by the various filters and, finally, the output of the alerted page.

When you want to intercept requests you just go to the "Trap" tab and check the "Trap request" check box (and if you want to intercept responses from the server you check the "Trap response" check box).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.



POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.



Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.

Spider with Paros Proxy


The Spider crawls a website and gathers as many URL links as possible. This gives you a good overview of the web site hierarchy tree in a short time, before you navigate it manually. Currently, the "Spider" function is in beta. Its functionality includes:

  • Crawl HTTP and HTTPS websites based on given URL, e.g. http://www.example.com or https://www.example.com
  • Support cookie
  • Support proxy chaining, which is set in the <ProxyChain> field of the Option tab (but setting the <Skip> field has no effect on the spider)
  • Automatically add URL links to the web site hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

  • SSL websites with invalid certificate cannot be crawled
  • Multi-threading not supported
  • Some ‘malformed’ URLs in HTML pages cannot be recognized

Also, URLs generated by Javascript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree in the left panel). It can check for server misconfigurations. An automatic web scanner on its own may not be able to discover the paths and therefore cannot check whether backup files (.bak), which could expose server information, exist there. To use this function, you need to navigate the website first. After you log on to a website and navigate it, Paros builds the website hierarchy tree automatically. Then you can do the following:

  • If you want to scan all websites in the tree, click the menu item "Tree" → "Scan All" to trigger the scan.
  • If you just want to scan one website in the tree, click on that site in the tree panel and then click the menu item "Tree" → "Scan selected Node" (you can also right-click in the tree view and choose the option there).

Currently, Paros has the following checks:

  • HTTP PUT allowed - check whether the PUT method is enabled on server directories
  • Directory indexable - check whether the server directories are browsable
  • Obsolete files existed - check whether obsolete files exist at
  • Cross-site scripting - check whether cross-site scripting (XSS) is possible through the query parameters
  • Default files on WebSphere server - check whether default files exist on a WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner checks each URL for each vulnerability. Compared with other web scanners, which just do a blind scan without a website hierarchy, our scanning result is more accurate.

Scanning Policy


Information gathering

"Obsolete file" looks for backup copies of known files of the server.

"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.

"Session ID in URL rewrite"

"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow the browser to save their contents.

"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.
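To show what the "Private IP disclosure", "Password Autocomplete in browser" and "Secure page browser cache" checks actually look for, here are the three checks rewritten as grep rules over a saved raw HTTP response. This is an added illustration, not Paros's code; the matching rules and the sample responses are my own construction.

```shell
# Each check takes the path of a raw HTTP response file and returns 0 when the
# finding applies (added illustration; these rules are not Paros's own code).

# "Password Autocomplete in browser": a password field without autocomplete="off".
check_password_autocomplete() {
  grep -io '<input[^>]*type="password"[^>]*>' "$1" | grep -ivq 'autocomplete="off"'
}

# "Secure page browser cache": the header block (up to the first blank line) neither
# forbids storing (Cache-Control: no-store / no-cache) nor sets Pragma: no-cache.
check_secure_page_cache() {
  ! sed '/^[[:space:]]*$/q' "$1" | grep -iqE '^(cache-control:.*no-(store|cache)|pragma:.*no-cache)'
}

# "Private IP disclosure": an RFC 1918 address anywhere in the response.
check_private_ip() {
  grep -qwE '(10(\.[0-9]{1,3}){3}|172\.(1[6-9]|2[0-9]|3[01])(\.[0-9]{1,3}){2}|192\.168(\.[0-9]{1,3}){2})' "$1"
}

# Constructed sample responses (not captured from any real site): login.txt should
# raise all three findings, hardened.txt none. $1 is the directory to write into.
write_samples() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$1/login.txt"
  printf '<form><input type="password" name="pw"></form>\r\n' >> "$1/login.txt"
  printf '<!-- debug: app server 10.12.0.7 -->\r\n' >> "$1/login.txt"
  printf 'HTTP/1.1 200 OK\r\nCache-Control: no-store\r\nPragma: no-cache\r\n\r\n' > "$1/hardened.txt"
  printf '<form><input type="password" autocomplete="off" name="pw"></form>\r\n' >> "$1/hardened.txt"
}

# Runs all three checks on one file, reports findings on stderr, prints the count.
count_findings() {
  _n=0
  check_password_autocomplete "$1" && { echo "$1: password autocomplete allowed" >&2; _n=$((_n+1)); }
  check_secure_page_cache "$1"    && { echo "$1: secure page is cacheable" >&2; _n=$((_n+1)); }
  check_private_ip "$1"           && { echo "$1: private IP address disclosed" >&2; _n=$((_n+1)); }
  echo "$_n"
}
```

Responses saved from the Paros history view can be fed straight in; the checks are line based, so a minified page is still searched because grep matches within the line.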

Server security

"Directory browsing" looks for directories which disclose the files inside them.

"IIS default file" looks for default IIS (Internet Information Service) files.

"Cold Fusion default file" looks for default Cold Fusion files.

"Macromedia JRun default files" looks for default Macromedia JRun files.

"Tomcat source file disclosure"

"BEA WebLogic example files" looks for default BEA WebLogic files.

"IBM WebSphere default files" looks for default IBM WebSphere files.

"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab...

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.

"CRLF injection"

"Server side include"

"Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.

"Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except that it doesn't include the "<" and ">" brackets in the test strings.

"Parameter tampering"

"SQL Injection"

"MS SQL Injection Enumeration"

Starting the scan


Scan Progress


Scan Complete


Paros Proxy Utilities

Advanced Paros Proxy Settings

Increasing JVM memory limit

Modify the shortcut and add "-Xmx512m" (to raise the maximum heap allocation to 512 MB) to the target options, so the resulting line reads something like this:

C:\WINDOWS\system32\javaw.exe -Xmx512m -jar paros.jar

Updating the Paros SSL Certificate

The Paros certificate is the file ./resource/paroskey. It is a JKS keystore and its password is "!@#$%^&*()", without the quotes (the password is in the source code). Extract it with this command:

jar xvf paros.jar resource/paroskey

You can view the certificate using this command (you might have to escape some characters for it to work on your platform, single quotes worked for me under Linux):

keytool -list -v -keystore resource/paroskey -storepass '!@#$%^&*()'

We will simply replace the paroskey file with our own certificate, using the same alias and password that are hardcoded.

Now you have to get your hands on a certificate. I used the cacert.org certificate authority (CA), but you can roll your own if you feel like it.

Download the CA's public certificate, name it ca-cert.pem, copy it to the working directory and import it into your brand new keystore with this command:

keytool -import -trustcacerts -alias "my-ca" -file ca-cert.pem -keystore resource/paroskey -noprompt -storepass '!@#$%^&*()'

Now you must choose the hostname of your proxy. It doesn't have to match any DNS record, but if you want your setup to be warning-free, make them match. I chose mitm.michaelboman.org, and I delete the old certificate and generate a new private key with these two commands:

keytool -delete -alias paros -keystore resource/paroskey -storepass '!@#$%^&*()'

keytool -genkey -keyalg RSA -alias paros -keystore resource/paroskey -storepass '!@#$%^&*()' -keypass '!@#$%^&*()' -dname "CN=mitm.michaelboman.org" -validity 720

Adjust the validity period to your needs, but do not change the alias or passwords. Now create a certificate signing request with this command:

keytool -certreq -v -alias paros -keystore resource/paroskey -storepass '!@#$%^&*()' -file mitm.michaelboman.org.csr

Hand over the mitm.michaelboman.org.csr file to your CA. For CAcert to sign the certificate you will need to own the domain. If you don't own a domain you have to run your own CA to get this working.

Your CA will send you back a signed certificate (mitm.michaelboman.org.cert). It must be in DER format to be imported into the JKS keystore. If it is not (as is the case with the CA mentioned above), type this command to convert it:

openssl x509 -in mitm.michaelboman.org.cert -out mitm.michaelboman.org.der -outform DER

Now import that DER-encoded certificate into the JKS keystore with this keytool command:

keytool -import -v -alias paros -file mitm.michaelboman.org.der -keystore resource/paroskey -storepass '!@#$%^&*()' -storetype JKS

All this work has given you a certificate with a hostname you selected, in a keystore that can be used as a drop-in replacement for the keystore hardcoded into Paros. Use your favorite tool for this, or keep reading if all you have is the jar utility.

Replace the old keystore with the new one in paros.jar with this command (back up paros.jar first, just in case):

jar uvf paros.jar resource/paroskey

That's all there is to it! Your Paros proxy will now show mitm.michaelboman.org as its hostname. Remember that to be completely warning-free, you must trust the root CA. If it's not already there, import the root CA's public certificate into your browser.
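The whole keystore replacement above, scripted end to end for the roll-your-own-CA case, as an added example that is not part of the original article. It assumes openssl and keytool are on the PATH, uses the hypothetical hostname mitm.example.org unless one is given as the first argument, and only touches paros.jar when the jar is in the current directory.

```shell
# Rebuild resource/paroskey against a locally generated CA (added example, not
# from the article). Assumptions: openssl and keytool on PATH; hostname is the
# hypothetical mitm.example.org unless passed as $1; paros.jar is optional.
set -eu

STOREPASS='!@#$%^&*()'                # the password hardcoded in Paros; keep it
PROXY_HOST="${1:-mitm.example.org}"   # hypothetical CN; match it to your DNS name

# Roll-your-own CA: a self-signed key and certificate used only to sign the proxy cert.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Local Paros CA' \
    -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
}

build_paroskey() {
  mkdir -p resource && rm -f resource/paroskey
  # Trust the CA inside the keystore first; keytool needs it to accept the signed reply.
  keytool -importcert -trustcacerts -alias my-ca -file ca-cert.pem -noprompt \
    -keystore resource/paroskey -storetype JKS -storepass "$STOREPASS"
  # New private key under the alias Paros expects; alias and passwords must not change.
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias paros -dname "CN=$PROXY_HOST" \
    -validity 720 -keystore resource/paroskey -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias paros -file "$PROXY_HOST.csr" \
    -keystore resource/paroskey -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Sign the request with the local CA, then convert the PEM result to DER for keytool.
  openssl x509 -req -in "$PROXY_HOST.csr" -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -days 720 -out "$PROXY_HOST.cert" 2>/dev/null
  openssl x509 -in "$PROXY_HOST.cert" -outform DER -out "$PROXY_HOST.der"
  keytool -importcert -alias paros -file "$PROXY_HOST.der" -noprompt \
    -keystore resource/paroskey -storepass "$STOREPASS" -keypass "$STOREPASS"
  # Back up and update the jar, as the article does, only when it is present.
  if [ -f paros.jar ]; then cp paros.jar paros.jar.bak && jar uvf paros.jar resource/paroskey; fi
}

# Returns 0 when alias 'paros' holds a certificate issued to $PROXY_HOST.
verify_paroskey() {
  keytool -list -v -alias paros -keystore resource/paroskey -storepass "$STOREPASS" 2>/dev/null \
    | grep -q "Owner: CN=$PROXY_HOST"
}
```

Run make_local_ca once, then build_paroskey and verify_paroskey from the directory that holds paros.jar; the ca-cert.pem it produces is the root you import into the browser to be warning-free.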
