This work is Copyright © 2005, 2006, 2007 Michael Boman. This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
"Paros" Proxy was written for people who need to evaluate the security of their web applications. It is free of charge and written entirely in Java. Because Paros sits between browser and server as a proxy, all HTTP and HTTPS data passing between them, including cookies and form fields, can be intercepted and modified.
You can download the latest version of Paros Proxy from http://www.parosproxy.org/.
Make sure a Java Runtime Environment (JRE) 1.4 or later is installed. If not, go to http://java.sun.com/j2se to download and install it. Once the JRE is installed, start the installation by executing the installer you downloaded from the Paros Proxy website.
The first screen of the installer is the welcome screen which lets you know that you are about to install Paros Proxy. Click "Next" to continue.
The second screen is the license agreement. Read it through and select "I accept the agreement" only if you actually accept it. Click "Next" to continue.
Next you decide where to install Paros. I left it at the default (%PROGRAMFILES%\Paros, see Windows Environment Variables), which in my case is "C:\Program Files\Paros". Click "Next" to continue.
Then it asks what to call the Start menu folder. Leave it at the default "Paros" unless you have a good reason not to. Click "Next" to continue.
Additional tasks. Depending on your preference, you may or may not want to create a desktop icon for Paros Proxy. Click "Next" to continue.
After a final verification of installation options click "Install" to start the installation.
The files are being copied into the installation directory.
Congratulations! You have now installed Paros Proxy. Click "Finish" to exit the installer.
If you need to go through a proxy to reach the target machine, enter its details here. First check the "Use an outgoing proxy server" check box to enable the other settings. "Address/Domain name" is the address or host name of your proxy server, and "Port" is the port the outgoing proxy server listens on. If you don't know these settings, look at your web browser's proxy settings and copy the details from there.
Sometimes you need to authenticate to that web proxy. Check the "Outgoing proxy server requires authentication" check box and fill in the "Realm" (authentication scope), user name and password. Note that the password is stored in clear text in the Paros configuration file, so restrict access to that file accordingly.
The local proxy settings control the address and port Paros listens on for incoming connections (by default localhost and port 8080). Remember to configure your web browser to match these settings. Leave the address as "127.0.0.1" or "localhost" so the proxy is reachable only from your own computer; binding it to a network-facing address lets anyone who can reach that port relay traffic through your machine, and their requests will show up in your Paros session.
In the scanner section you configure how many hosts to scan concurrently and how many threads (pages) per host; the total number of scanning threads is hosts * threads per host. There is no hard and fast rule for the optimal settings, since they depend on your network speed, your computer's resources (more threads consume more CPU and RAM) and the application itself.
If the application is strict about the order in which pages must be visited, you cannot scan more than a single page at a time, and some applications are very difficult to scan accurately because of their strict page flow.
The main interface is divided into 3 sections
To intercept requests, go to the "Trap" tab and check the "Trap request" check box (to intercept responses from the server as well, also check "Trap response").
GET requests are displayed in the header section of the interface, which is editable. Modify the request parameters or other data and click "Continue" to send the modified request to the server.
POST requests are displayed in both the header and the body section, both of which are editable. Modify the request parameters or other data and click "Continue" to send the modified request to the server.
Cookies travel in the request header and are therefore displayed in the header section, which is editable. Modify the cookie details and click "Continue" to send the modified request to the server.
Spider is used to crawl the website and gather as many URL links as possible. This gives you a picture of the website hierarchy tree in a short time, before manual navigation. Currently the "Spider" function is in beta. Its functionalities include:
As it is just a simple spider, it has the following limitations:
The scanner works from the website hierarchy (the tree in the left panel) and checks the server for misconfigurations. A scanner that probes blindly may never learn the paths it needs to check, for example for backup files (.bak) that could expose server information; Paros instead uses the paths you have already visited. So before using this function you need to navigate the website: after you log on and browse it, Paros builds the website hierarchy tree automatically. Then you can do the following things:
Currently, Paros has the following checks:
Note that all the above checks are based on the URLs in the website hierarchy, that is, the scanner checks each URL for each vulnerability. Compared with web scanners that do a blind scan without a website hierarchy, the scanning result is more accurate.
"Obsolete file" looks for backup copies of known files on the server.
"Private IP disclosure" looks for references to internal IP addresses in pages as well as in error messages.
"Session ID in URL rewrite" looks for session identifiers carried in the URL (URL rewriting) instead of in a cookie, where they end up in server logs, Referer headers and browser history.
"Obsolete file extended check"
"Password Autocomplete in browser" looks for password fields that let the browser store and autocomplete their value.
"Secure page browser cache" looks for secure (https) pages that allow themselves to be stored in the browser cache.
"Directory browsing" looks for directories that list the files inside them.
"IIS default file" looks for default IIS (Internet Information Services) files.
"Cold Fusion default file" looks for default Cold Fusion files.
"Macromedia JRun default files" looks for default Macromedia JRun files.
"Tomcat source file disclosure"
"BEA WebLogic example files" looks for default BEA WebLogic files.
"IBM WebSphere default files" looks for default IBM WebSphere files.
"Lotus Domino default files" looks for default Lotus Domino files.
There are no settings under this tab...
"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.
"Server side include" injects server side include directives into input fields and looks for signs that the server evaluated them.
"Cross site scripting" injects cross site scripting strings into input fields and looks for them reflected in the resulting page.
"Cross site scripting without brackets" does the same, but leaves the "<" and ">" brackets out of the test strings, for input that is echoed inside an existing tag or attribute, or behind a filter that only removes those characters.
"MS SQL Injection Enumeration"
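Most of the checks listed above are pattern matches over the responses of URLs in the site tree. The script below is an added example, not code from this article or from Paros, and its patterns are a simplified stand-in for whatever signature lists Paros actually uses. It re-creates five of the checks as shell functions over saved HTTP responses (status line, headers, blank line, body) and runs them against three constructed responses: a database error page, a weak login page and a hardened one.

```shell
#!/bin/sh
# Added example, not code from the article or from Paros: grep-based versions of
# some of the checks listed above, run over saved HTTP responses (status line,
# headers, blank line, body). Each check returns 0 when the issue is present and
# 1 otherwise. The three sample responses further down are constructed here.

headers_of() { tr -d '\r' < "$1" | sed '/^$/q'; }    # status line and headers only

# "Private IP disclosure": an RFC 1918 address anywhere in the response.
check_private_ip() {
    grep -Eq '(^|[^0-9.])(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})([^0-9.]|$)' "$1"
}

# "Password Autocomplete in browser": a password input without autocomplete="off".
# Assumes each <input> tag fits on one line.
check_password_autocomplete() {
    grep -Eio '<input[^>]*type=["'"'"']?password[^>]*>' "$1" |
        grep -Eiv 'autocomplete=["'"'"']?off' | grep -q .
}

# "Secure page browser cache": an https page whose headers do not forbid caching.
check_secure_page_cache() {    # $1 = URL the response came from, $2 = saved response
    case "$1" in https://*) ;; *) return 1 ;; esac
    if headers_of "$2" | grep -Eiq '^(cache-control:.*no-(store|cache)|pragma:[[:space:]]*no-cache)'; then
        return 1
    fi
    return 0
}

# "SQL Injection Fingerprinting", the passive half: error signatures the active
# check looks for in the response after sending its payloads. Prints the family.
sqli_error_fingerprint() {
    if   grep -Eq 'You have an error in your SQL syntax|mysql_fetch_' "$1"; then echo mysql
    elif grep -Eq 'ORA-[0-9]{5}' "$1"; then echo oracle
    elif grep -Eq 'Unclosed quotation mark|OLE DB Provider for (ODBC|SQL Server)' "$1"; then echo mssql
    elif grep -Eq 'pg_query\(\)|PostgreSQL.*ERROR' "$1"; then echo postgresql
    else return 1
    fi
}

# "Cross site scripting" (and the bracket-less variant): the injected string
# comes back verbatim. An HTML-escaped reflection is not a finding.
check_reflected() {    # $1 = saved response, $2 = payload that was sent
    grep -Fq -- "$2" "$1"
}

# Constructed sample responses (no real site involved).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/error.txt" <<'EOF'
HTTP/1.1 500 Internal Server Error
Content-Type: text/html

<html><body>Query failed on db01 (192.168.10.25):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version</body></html>
EOF
cat > "$SAMPLES/login-weak.txt" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=3600

<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="pass">
You searched for: <script>alert(1)</script>
</form>
EOF
cat > "$SAMPLES/login-hardened.txt" <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store, no-cache
Pragma: no-cache

<form method="post" action="/login">
<input type="password" name="pass" autocomplete="off">
You searched for: &lt;script&gt;alert(1)&lt;/script&gt;
</form>
EOF

report() {    # $1 = URL, $2 = saved response
    echo "== $1 ($(basename "$2"))"
    check_private_ip "$2"             && echo "   private IP address disclosed"
    check_password_autocomplete "$2"  && echo "   password field allows autocomplete"
    check_secure_page_cache "$1" "$2" && echo "   https page may be cached by the browser"
    db=$(sqli_error_fingerprint "$2") && echo "   SQL error message ($db)"
    check_reflected "$2" '<script>alert(1)</script>' && echo "   payload reflected unescaped"
    return 0
}
report 'https://app.example/search?q=x' "$SAMPLES/error.txt"
report 'https://app.example/login'      "$SAMPLES/login-weak.txt"
report 'https://app.example/login'      "$SAMPLES/login-hardened.txt"
```

The error page trips the private IP and SQL error checks, the weak login page trips autocomplete, cacheable-https and reflection, and the hardened page trips nothing. The active checks in Paros do the sending as well; what is shown here is only the matching they apply to what comes back, which is also what you want to re-run by hand over a trapped response when a finding looks doubtful.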
Modify the shortcut and add "-Xmx512m" (to raise the maximum Java heap to 512 MB) to the target options, so the resulting line reads something like this:
The Paros certificate is the file ./resource/paroskey. It is a JKS keystore and its password is "!@#$%^&*()", without the quotes (the password is hardcoded in the source code, so treat the built-in private key as public: everyone with a copy of Paros has it). Extract it with this command:
You can view the certificate with this command (you might have to escape some characters for the password to work on your platform; single quotes worked for me under Linux):
We will simply replace the paroskey file with our own keystore, using the same alias and password that are hardcoded.
Now you have to get your hands on a certificate. I used the cacert.org certificate authority (CA), but you can roll your own if you feel like it.
Download the CA's certificate (its public key), name it ca-cert.pem, copy it to the local directory and import it into your brand new keystore with this command:
Now you must choose the hostname of your proxy. It doesn't have to match any DNS record, but if you want the certificate itself to be accepted without complaint, make them match. I chose mitm.michaelboman.org, and I delete the old certificate and generate a new private key with these two commands:
Adjust the validity period to your needs, but do not change the alias or passwords. Now create a certificate signing request with this command:
Hand the mitm.michaelboman.org.csr file over to your CA. For CAcert to sign the certificate you need to own the domain; if you don't own a domain you have to run your own CA to get it working.
Your CA will send back a signed certificate (mitm.michaelboman.org.cert). keytool accepts both binary (DER) and Base64 (PEM) encoded certificates, but the procedure here uses DER; if what you received is PEM (as it is from the CA mentioned above), convert it with this command:
Now import that DER encoded certificate into the JKS keystore with this keytool command:
All this work has given you a certificate with a hostname you selected, in a keystore that is a drop-in replacement for Paros' built-in hardcoded keystore. Use your favorite tool to put it back into the jar, or keep reading if all you have is the jar utility.
Replace the old keystore with the new one in paros.jar with this command (back up paros.jar first, just in case):
That's all there is to it! Your Paros proxy will now present mitm.michaelboman.org as its hostname. To get rid of the untrusted-issuer warning you must also trust the root CA: if it isn't already there, import the root CA's certificate into your browser. Two caveats. Paros presents this single certificate for every HTTPS site it proxies, so the browser will still flag the mismatch between the certificate name and the site you actually asked for. And any CA your browser trusts can vouch for any site, so use a dedicated testing CA whose key you control and protect, and remove it from the browser when the engagement is over.
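The whole keystore swap, from extracting paroskey to repacking the jar, as one script. This is an added example written for this page, not the article's own commands and not part of Paros. It relies on what the article states (the keystore is resource/paroskey inside paros.jar, it is JKS, its password is !@#$%^&*()) and on keytool, openssl and jar being on the path. The article never names the key alias, so the script reads it from the existing store rather than guessing; the CA alias "issuing-ca", the hostname argument and the 365-day default validity are this script's own choices.

```shell
#!/bin/sh
# Added example, not part of the article or of Paros: the keystore swap described
# above as one script around keytool, openssl and jar. Taken from the article: the
# keystore is resource/paroskey inside paros.jar, it is JKS, and its store password
# is !@#$%^&*(). The article does not name the key alias, so it is read from the
# existing store instead of assumed. The CA alias "issuing-ca" and the JAR/KEYSTORE
# variables are this script's choices. (1.4-era keytool spells -genkeypair and
# -importcert as -genkey and -import; modern keytool accepts both.)
set -u

PAROS_PASS='!@#$%^&*()'        # hardcoded in Paros; store and key password must stay this
JAR=${JAR:-paros.jar}
KEYSTORE=resource/paroskey     # relative to the working directory, same path as inside the jar

kt() { keytool "$@" -keystore "$KEYSTORE" -storepass "$PAROS_PASS"; }

# Alias of the private-key entry: "alias, date, PrivateKeyEntry, ..." on modern
# keytool, "alias, date, keyEntry," on old ones. Paros loads this alias; keep it.
key_alias() {
    kt -list | tr -d '\r' | grep -Ei 'PrivateKeyEntry|keyEntry' | head -n 1 | sed 's/,.*//'
}

extract_keystore() { jar xf "$JAR" "$KEYSTORE"; }    # pull paroskey out of the jar
show_cert()        { kt -list -v; }                   # inspect the built-in certificate

# Delete the built-in key pair and generate a fresh one for hostname $1, valid $2 days.
new_key() {
    alias=$(key_alias)
    kt -delete -alias "$alias"
    kt -genkeypair -storetype JKS -alias "$alias" -keyalg RSA -keysize 2048 \
       -dname "CN=$1" -validity "${2:-365}" -keypass "$PAROS_PASS"
}

make_csr()  { kt -certreq -alias "$(key_alias)" -file "$1.csr"; }   # $1 = hostname; send $1.csr to the CA
import_ca() { kt -importcert -trustcacerts -noprompt -alias issuing-ca -file "$1"; }  # $1 = CA cert (PEM or DER)

# Import the certificate the CA returned for the key alias. keytool reads PEM as
# well; the DER conversion is kept because that is the route the article takes.
# import_ca must have run first, or keytool cannot build the chain for the reply.
import_signed() {
    openssl x509 -in "$1" -outform DER -out "$1.der"
    kt -importcert -alias "$(key_alias)" -file "$1.der"
}

repack() { cp "$JAR" "$JAR.bak" && jar uf "$JAR" "$KEYSTORE"; }    # back up, then overwrite paroskey in the jar

case "${1:-}" in
    extract)       extract_keystore ;;
    show)          show_cert ;;
    newkey)        new_key "${2:?hostname}" "${3:-365}" ;;
    csr)           make_csr "${2:?hostname}" ;;
    import-ca)     import_ca "${2:?CA certificate file}" ;;
    import-signed) import_signed "${2:?signed certificate file}" ;;
    repack)        repack ;;
    "")            ;;    # no subcommand: only define the functions (e.g. when sourced)
    *) echo "usage: $0 extract|show|newkey HOST [DAYS]|csr HOST|import-ca CA.pem|import-signed CERT|repack" >&2
       exit 2 ;;
esac
```

Run it from the directory that holds paros.jar, in the article's order: extract, show, import-ca ca-cert.pem, newkey mitm.michaelboman.org 365, csr mitm.michaelboman.org, then after the CA has returned the signed certificate, import-signed mitm.michaelboman.org.cert and repack. Wrapping keytool in kt() means the hardcoded password appears in exactly one place; it will still show up in process listings while keytool runs, which is acceptable only because this particular password is already public.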