HIOB: Using Paros for Web Application Auditing and Debugging

Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging. Although Paros is well known in the web application security circles, it is less known in general web development circles. This article will demonstrate just a few of the many uses of Paros that cross over both realms. Paros' proxy feature is invaluable for inspecting traffic as it comes to and from a browser. This allows developers and testers to investigate various aspects of web application architectures, such as how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for.

INSTALLATION: Windows

Installing Paros is relatively straightforward. As a prerequisite, the Java Run Time Environment (JRE) 1.4 or higher must be installed. The latest version of the JRE is available from here. Before installing a new version, however, check your machine to see if Java is already installed. To check: simply open a command prompt and type 'java -version'.

Once Java is installed download Paros from their homepage / here. This will redirect you to the SourceForge.net host site. I chose to download the Windows exe version (paros-3.2.13-win.exe). Once the file is downloaded go ahead and install it by double clicking the 'exe'. This should bring up the Paros installer:

To complete the installation: simply click through the installer, accepting the license agreement and the default installation location. Once Paros is installed, We should be ready to run it.

INSTALLATION: Linux { Kali Linux }
Guess ??? ... Surprise .... ?? Today is my birthday:

{ Just Joking } .... Developers of Kali were very kind to place Paros in Kali so: Paros is pre-installed in Kali Linux .... Hail Linux !!!

NO INSTALLATION REQUIRED

Running Paros

On Windows, once installed you should find Paros under Start -> Programs -> Paros. The first time you start Paros you'll be asked to accept the license agreement :

In Kali, drop your terminals and hit ' paros '

You should also be faced with a license agreement dialog should it be your first time starting paros.

After accepting the agreement, Paros will start up. In some versions of Windows, it may be necessary to 'Unblock' the application when Windows prompts users that they're trying to run an application.

Paros should look a little bit like this in Kali Linux:

Note: My System is using a dark theme ... Don't be confused if yours is white ... Perhaps you could be using Kali as a fresh mint { user }

Once Paros is up and running it can be a little intimidating because the user interface is so devoid of details. The application doesn't present any apparent place to start. Once started, however, Paros is all ready to go. Paros works best as an assistive tool. As a proxy it really shines. To take advantage of this functionality though you first have start up Paros, then reconfigure the browser so that it uses Paros as a proxy. This reconfiguration instructing a browser to send all traffic to Paros, instead of the actual target of your browsing. Paros then handles passing requests along to the destination, as well as any responses that are sent back to the browser. While browsing Paros listens to all traffic to and from the web browser, including background traffic such as AJAX calls. For this reason it is helpful to only utilize one tab in a browser while it's configured for Paros or the interface can end up cluttered with a lot of extraneous information consisting of updates from other open tabs (with the advent of AJAX it is surprising how much is actually happening on each web page open in a browser).

Once Paros is running, the next step is to set up the browser to utilize Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. This article demonstrates how to configure Firefox to utilize Paros as a proxy. To do this first open the 'Tools' menu and select 'Options'. Next click on the 'Advanced' icon and select the 'Network' tab:

Next click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. In the new window select 'Manual proxy configuration' and set the proxy to 'localhost' on port 8080:

Click 'OK' to close all the windows.

Before starting it is important to clear any current sessions in Paros. To do this select File -> New Session and discard the current session.

Now notice that whenever a new website is requested Paros' blank interface will begin to fill up with information. To demonstrate try browsing to a new page. This article demonstrates browsing to the URL Null Byte.

Paros catches the page request and response, as well as the advertisement requests. It is possible to expand the folders under 'Sites' to look at the page request to Null Byte and see that Paros has even identified the images that were included in the request:

Let's Try Capturing Form Login Request

The aim of this is to get you familiar with the way Paros works. You can analyse, resend, capture data with Paros hence making pentesting or web-hacking very easy ... I will try to log into Null-Byte to demonstrate how Paros captures requests along side with data ...

Am done .... Now let's see how Paros captured my login request ...

Hmm, Very nice ...: Pardon Me: The white spaces were to cover my username and passwords .....

You can clearly see the form post, including the form variables that were submitted. Let's say we want to re-submit the form but try some other values. To do this we don't even need to leave Paros. One can simply right click the 'POST' row in the bottom frame and select 'Resend':

Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Just for fun, let's try and insert some single quotes and SQL comments to see if we can accomplish a SQL injection attack. We'll change the POST URl and see what happens.

After hitting Send : This is our response ...

Using Paros we can examine cookies, form fields and other data, and modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard to reach areas of HTTP communications like cookies or HTTP headers.

Other Functionality

Paros also has a wealth of other functionality. By right clicking a site you can select 'Spider' and have Paros crawl the entire site and examine the various URLs available from the home page. This is a wonderful way to start an evaluation because it allows you to click through a site structure and identify directories and requests via the Paros interface.

Paros can also perform some basic auditing of a target website. In order to perform some testing, click the 'Analyse' menu and select the 'Scan' option.

Once the scan is complete you can see scan results in the 'Alerts' tab at the bottom of Paros. It has been my experience that Paros' scanning ability isn't very strong and it tends not to identify very much of interest or value, but it's nice to know it is there.

Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point then later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros capabilities extend beyond security and argue for it's use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, or a cookie misconfiguration, or other elusive problem that can drive you mad if you're only armed with a web browser. Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof of concept web application exploits.

Paros' cross platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data (here) or web developer (here). Overall I find Paros is one of those easy tools I reach for more often over time and I think it would make a valuable addition to any web developer or application testers arsenal.

Now to sum every thing up: Lets Get Evil

Incase we wanted to steal a victim's traffic,data or in all let our victim's browsing request pass through our computer before getting the internet and vice versa ...

We Need Physical Access To The Victim Computer and Do the trick we performed in Firefox by allowing our data pass through localhost using port 8080 ...

Traffic data will pass through our computer should a trick like this be performed in the victim computer.
I don't know for Chrome but i always use Mozilla and has always been my friend.

Ok Guys, As the saying goes: For Education Purpose: Please Calm and Hack the planet ....
Please correct me if i misjudged, mistyped or anything that needs correction.
Yo, My Waist but all the same ... Peace-out : ./logout

Have A Nice Day

#Sky

2 Responses

Thanks, and for chrome, well the proxy settings in Internet Explorer will be used in chrome as well.

Welcome and yeah ... I found that out ...
So i guess: We can all pentest with all browsers.

#Sky

Share Your Thoughts

  • Hot
  • Active