This page only gives a brief description of Paros features. For a detailed description, download the user guide from Paros Download.
Paros v3.2.0Alpha was released on 10 Nov 2004.
- Almost 90% of the code has been completely rewritten!!!
- Improved connectivity: better HTTP/1.1 keep-alive support.
- Improved authentication support
  - proxy authentication: Basic and NTLM should be supported.
  - individual server authentication.
- Improved session saving
  - the sites hierarchy and history can be restored from the session file.
  - better performance by use of an inline DB.
  - supports large-site testing in both scanning and spidering.
- Better extensibility by supporting extensions and plugins
- New extension design
  - used for adding functions to the core program
  - to be further polished in the final release
- New plugin features
  - each plugin represents a test
  - supports a knowledge base for sharing between plugins
  - supports dependency checks.
  - custom plugins can be created by inheriting from the different AbstractPluginXXX classes.
  - to be further polished in the final release
- New spider:
  - URL crawling and form crawling. Forms are filled with a limited set of option-value combinations.
  - with configurable options.
  - supports start/stop/resume
  - estimated % complete
- New scanner:
  - with configurable options
  - with multiple hosts/threads
  - supports stopping individual hosts.
  - generated alerts can be viewed while scanning.
- New filters:
  - custom filters can be added by implementing the Filter interface and dropping them into the filter directory.
- New application logging support in the log directory.
- Improved user interface.
  - Click on a tab to maximize the working panel.
  - Supports image viewing.
- Support for Ant (1.6.2) build.xml
- Change of copyright owner to parent company.
Paros v3.1.3 was released on 23 Aug 2004.
New Features:
- Allow running the scanner on a particular request shown in the lower URL list (select the request in the URL list, right-click and choose 'Scan Selected Node/Item')
- Allow re-sending a particular request shown in the lower URL list (select the request in the URL list, right-click and choose 'Re-send'). Check the correctness of the information, such as the port, before sending it out.
- Allow crafting a request by clicking the menu "Tools" => "Send HTTP(S) Requests"
- In the filter DetectUnsafeContent, add a new IE vulnerability check, and improve the ms-its checks and the speed of the other checks.
Bug Fixes:
- Fix a problem in handling the wildcard '*' when using IP addresses like a.b.* for bypassing the proxy
Paros v3.1.2 was released on 19 Apr 2004.
New Features:
- Add DetectUnsafeContent filter. If this filter is enabled, it shows all unsafe content, such as ActiveX controls, malicious VBScript, content type and IE vulnerability exploits, at runtime in the Output Window.
- Allow clearing URLs by right-clicking and choosing the 'Clear all' option at the lower URL list
- Allow clearing all windows by clicking Menu => Clear Current Session, or the F3 key
Paros v3.1.1 was released on 22 Mar 2004.
New Features:
- add URL encoder/decoder in "Tools|Hash/Encoding..."
- improve performance in reading HTTP headers
- add a 'Comment' panel in Log Analyzer to show comments
- add a 'Script' panel in Log Analyzer to show scripts
- add two filters, 'ReplaceRequestHeader' and 'ReplaceRequestBody', to replace text in HTTP requests
- rename cookietampering to CRLFInjection to better describe the scanner test case
Bug Fixes:
- solved a bug where SQL scanner checks may use the tampered/modified query string for scanning
- solved a bug where the report may be generated before the last scan thread ends.
- modified the 'CookieDetectFilter' filter to handle multiple Set-Cookie lines in the header.
Paros v3.1 was released on 24 Jan 2004.
New Features:
- revamped the correlated request and response logs by using a list. By clicking an entry in the 'URL' list, the corresponding request and response are displayed.
- add an advanced log viewer (under menu 'Session') which allows easy browsing and filtering of the log. Offline scan supported.
- log all requests and responses into flat files (session_request.log and session_response.log in the 'project' directory)
- generate the scanning report in HTML format with risk ranking, description and solutions. Reliability is indicated as warning or suspicious.
- support stopping a scan (under menu Tree => Scan Stop).
- support modifying the number of scanner threads in Options
- added the following scanner checks:
  - SSL cipher suite check
  - Cookie tampering check (CRLF injection)
  - Buffer overflow check
  - Session ID potential exposure in referer
  - Session ID locate (informational only)
  - Set-cookie check (informational only)
  - Server header capture (informational only)
  - Platform disclosure in comment check (informational only)
  - WebDAV check in HttpMethods
Bug Fixes:
- solved an occasional infinite loop problem when HTTP 1.1 chunked encoding is in use.
- solved a rare case in which the scanning analyser consumes too much CPU time.
- solved bugs that caused the scanner to skip the tree crawled by the spider.
Paros v3.0.3 was released on 17 Dec.
New Features:
- added new checks for WebLogic (8.1) example files.
- added new checks for cache and private IP exposure.
- added new checks for parameter tampering.
- improved the SQL injection check on MS SQL. More blind injection checks added.
- follow redirected responses in scanning.
- reduced scanning threads to 5 to ease the bandwidth requirement.
Bug Fixes:
- fixed a bug that may display the wrong test query when a SQL injection vulnerability is found.
- fixed a problem where the scanner may stop running when scanning URLs crawled by the spider.
- fixed a bug in the filters LogGetQuery and LogPostQuery
Paros v3.0.2c was released on 22 Nov.
- Fixed a bug during conversion of 0x0D to 0x0D0x0A in JTextArea. This bug may affect the result of certain HTTP header modifications.
- Enhanced to support some non-standard URIs (with special characters not defined in the RFC) used by some web sites, which may otherwise stop the proxy from accessing those web pages.
Paros v3.0.2b was released on 27 Oct.
- Fixed a major problem with intercepting HTTP when proxy chaining is used.
No new features were added.
Paros v3.0.2 was released on 20 Oct.
- Improved SQL injection check
- Added default file check for JRun
- Added default file checks for IIS 4, IIS 5 and IIS 6
- Added default file check for ColdFusion
- Added "ReplaceResponseHeader" filter to automatically change a pattern in the response header
- Added "ReplaceResponseBody" filter to automatically change a pattern in the response body
- Fixed a problem with the default file check in the "Scan All" function
For the two new filters (ReplaceResponseHeader and ReplaceResponseBody), click on the filter name under the "Functions" column of the Filters panel and set the pattern. The pattern field accepts a Java regular expression.
E.g. you can replace the "Set-cookie" line of the response header by setting the pattern field to "Set-cookie: id=\S*" and the replacement to "Set-cookie: id=abcde".
Paros v3.0.1 was released on 1 Sep.
- Fix and improve the cross-site scripting check when handling URL parameters.
- Fix and improve the tunneling problem (a feature not yet documented) in the command line.
- Add SQL injection check.
For some users, there may be a connection problem when "HTTP 1.1 through proxy" is enabled in the browser. We think this is a problem with the Java JSSE package. If you encounter any page corruption under SSL, simply turn off "Use HTTP 1.1 under proxy connections" in your browser. There is no difference apart from a slight performance degradation.
Paros v3.0 was released under the Clarified Artistic License (an open source, GPL-compatible license), while all previous versions (v2.x) are closed source.
Paros v2.2 was released on 30 Jun 2003 with the following new functions:
- Support HTTP 1.1 connections
- Spider feature added
- Allow scanning for cross-site scripting (XSS) vulnerability on the selected website after navigation
- Allow removal of websites from the Tree view
Paros v2.1 was released on 24 Apr 2003 with the following functions:
- support client certificate (Menu => Tools => Enable Client Cert.)
- a few vulnerability checks added and the scanner engine improved
- 2 more filters added to record GET/POST queries
- hash function and base64 conversion added (Menu => Tools => Hash/Encoding)
- Search text feature (click on the text area, press Ctrl+F or Menu => Edit => Find)
Compared with Paros v2.0, it takes longer to start Paros v2.1 as more Java classes are initialized at startup. We'll try to improve it in later versions.
Basically, Paros v2.0 has the following functions:
- Trap function - trap and modify HTTP (and HTTPS) requests/responses manually
- Filter function - detect and alert you to patterns in HTTP messages for manipulation
- Scan function - scan for common vulnerabilities such as directory indexable.
- Options - set the options, such as setting another proxy server to bypass a firewall
- Logs - allow you to view and examine all HTTP request/response content
Compared with Paros v1.0, Paros v2.0 has the
following enhancements:
All the HTTP and HTTPS data passing through Paros can be trapped and modified as you like.
1. Trap Request
Just turn on the "Trap Request" check box in the "Trap" tab and all requests will then be trapped. You can modify the content in the Header/Body text area and click the "Continue" button to proceed.
![](images/fct_trap_1.gif)
Note that there is a button "Tabular View" at the bottom right corner. This button is enabled if the check box "Trap Request" is on and there is some text in the "Body" text area. It is used to convert the HTTP POST request to table form for your editing. Here is an example:
![](images/fct_trap_2.gif)
After clicking the button, the following form is shown and you can edit the parameters more easily:
![](images/fct_trap_3.gif)
After parameter modification, just click the "Original View" button to go back to the previous screen with the updated data.
2. Trap Response
Just turn on the "Trap Response" check box in the "Trap" tab and all responses will then be trapped. You can modify the content in the Header/Body text area and click the "Continue" button to proceed.
![](images/fct_trap_4.gif)
Note that the "Tabular View" button has no function here.
The "Filters" tab shows all the filters in the Paros program. The purpose of filters is to detect and alert you to the occurrence of certain pre-defined patterns in HTTP messages, so you do not need to trap every HTTP message and look for the pattern you want.
As this functionality is new in Paros v2.0, we only created one filter, which detects the occurrence of the "Set-cookie" header field in HTTP responses. In the future, we may allow filters to be plugged into the program.
The CookieFilter is disabled by default. If you want to be alerted to any "Set-Cookie" attempt, go to the "Filters" tab to turn it on. Once it is turned on, a window will pop up if there is a "Set-Cookie" field in an HTTP response, as follows:
![](images/fct_filter.gif)
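The Python below is an added example, not Paros's own filter code. It models the two kinds of filter this page describes: the CookieFilter alert above, which reports every Set-Cookie header in a response (including the multiple-Set-Cookie case the v3.1.1 fix covers), and the ReplaceResponseHeader/ReplaceResponseBody filters from v3.0.2, applied with the page's own pattern "Set-cookie: id=\S*". The HTTP response is a constructed sample, and the replacement regex is applied case-sensitively, as a Java Pattern is by default, which is why the spelling of "Set-cookie" in the pattern matters.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample response (not captured from any real site). It carries two
# Set-Cookie lines with different capitalisation of the header name.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-cookie: id=7f3a9c\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome, id 7f3a9c</body></html>"
)


@dataclass
class HttpResponse:
    status_line: str
    headers: List[Tuple[str, str]]  # ordered; duplicate names are kept
    body: str

    def header_block(self) -> str:
        lines = [self.status_line] + [f"{n}: {v}" for n, v in self.headers]
        return "\r\n".join(lines) + "\r\n"

    def raw(self) -> str:
        return self.header_block() + "\r\n" + self.body


def parse_response(raw: str) -> HttpResponse:
    """Split a raw HTTP/1.x response into status line, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpResponse(lines[0], headers, body)


def set_cookie_alerts(resp: HttpResponse) -> List[str]:
    """CookieFilter: one alert per Set-Cookie header, matched case-insensitively
    on the header name (HTTP header names are case-insensitive)."""
    return [v for n, v in resp.headers if n.lower() == "set-cookie"]


def replace_response_header(resp: HttpResponse, pattern: str, replacement: str) -> HttpResponse:
    """ReplaceResponseHeader: apply the regex to each 'Name: value' line.
    The pattern is used as given, i.e. case-sensitive like java.util.regex by
    default. Note that Java's '$1' group syntax differs from Python's '\\1'."""
    rx = re.compile(pattern)
    new_headers = []
    for n, v in resp.headers:
        line = rx.sub(replacement, f"{n}: {v}")
        name, _, value = line.partition(":")
        new_headers.append((name.strip(), value.strip()))
    return HttpResponse(resp.status_line, new_headers, resp.body)


def replace_response_body(resp: HttpResponse, pattern: str, replacement: str) -> HttpResponse:
    """ReplaceResponseBody: apply the regex to the whole body."""
    return HttpResponse(resp.status_line, list(resp.headers), re.sub(pattern, replacement, resp.body))


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print("Set-Cookie alerts:", set_cookie_alerts(r))
    r = replace_response_header(r, r"Set-cookie: id=\S*", "Set-cookie: id=abcde")
    r = replace_response_body(r, r"id \w+", "id [redacted]")
    print(r.raw())
```

Two things worth noticing when you set such a pattern in the Filters panel: "\S*" consumes everything up to the next whitespace, so a value followed by "; path=/" would lose its semicolon unless the pattern stops earlier; and because the match is case-sensitive, a "Set-Cookie" line (capital C) is left untouched by a "Set-cookie" pattern, while the CookieFilter alert still reports it.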
The scanner functionality scans the server based on the website hierarchy (the tree on the left panel). It can check whether there is any server misconfiguration.
We added this functionality to Paros because we found that certain URL paths cannot be found and examined automatically by the crawler engine of web scanners. For example, some URL paths are only reachable after a valid logon. An automatic web scanner may not be able to discover those paths and check whether there are any backup files (.bak) which could reveal server information.
In order to use this function, you need to navigate the website first. After you have navigated the website, Paros builds a website hierarchy tree automatically. Then you can do the following:
- If you want to scan all websites on the tree, click the menu item "Scan"->"Scan All" to trigger the scanning.
- If you just want to scan one website on the tree, click on that site in the tree panel and then click the menu item "Scan"->"Scan selected".
![](images/fct_scan.gif)
Currently, there are three basic server configuration checks:
- HTTP PUT allowed - check whether the PUT method is enabled on server directories
- Directory indexable - check whether the server directories can be browsed.
- Obsolete files existed - check whether obsolete files exist on the server
More server checks will be added later on.
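As an added example, not the Paros scanner itself, the Python below runs the three configuration checks named above as passive checks over responses already captured through the proxy; nothing is sent to any server. The use of the "Allow" header to recognise PUT, the body signatures used to recognise a directory listing, the list of backup-file suffixes, the risk labels and the sample URLs are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class CapturedResponse:
    """A response already seen by the proxy; header names are lower-cased."""
    url: str
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Alert:
    check: str
    url: str
    risk: str    # constructed ranking for this example: informational/low/medium
    detail: str


# Assumed set of suffixes that mark leftover editor/backup copies.
OBSOLETE_SUFFIXES = (".bak", ".old", ".orig", "~")


def check_put_allowed(resp: CapturedResponse) -> Optional[Alert]:
    """'HTTP PUT allowed': the server advertised PUT in an Allow header
    (typically in its reply to OPTIONS)."""
    allow = resp.headers.get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    if "PUT" in methods:
        return Alert("HTTP PUT allowed", resp.url, "medium", f"Allow: {allow}")
    return None


def check_directory_indexable(resp: CapturedResponse) -> Optional[Alert]:
    """'Directory indexable': a directory URL answered 200 with an HTML body
    that carries a listing signature (assumed signatures for this example)."""
    path = urlsplit(resp.url).path
    if not path.endswith("/") or resp.status != 200:
        return None
    if "text/html" not in resp.headers.get("content-type", "").lower():
        return None
    body = resp.body.lower()
    if "index of /" in body or "directory listing for" in body:
        return Alert("Directory indexable", resp.url, "low", "listing signature in body")
    return None


def check_obsolete_file(resp: CapturedResponse) -> Optional[Alert]:
    """'Obsolete files existed': a backup-style filename was served with 200."""
    path = urlsplit(resp.url).path.lower()
    if resp.status == 200 and path.endswith(OBSOLETE_SUFFIXES):
        return Alert("Obsolete file existed", resp.url, "medium", f"{path} returned 200")
    return None


CHECKS: List[Callable[[CapturedResponse], Optional[Alert]]] = [
    check_put_allowed,
    check_directory_indexable,
    check_obsolete_file,
]


def run_checks(captured: List[CapturedResponse]) -> List[Alert]:
    """Apply every check to every captured response, keeping the order seen."""
    alerts = []
    for resp in captured:
        for check in CHECKS:
            alert = check(resp)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample capture; app.example is a placeholder host.
SAMPLE_CAPTURE = [
    CapturedResponse("http://app.example/upload/", 200,
                     {"allow": "GET, HEAD, PUT, OPTIONS", "content-type": "text/html"},
                     "<html>ok</html>"),
    CapturedResponse("http://app.example/static/", 200,
                     {"content-type": "text/html"},
                     "<html><title>Index of /static</title><a href=\"../\">..</a></html>"),
    CapturedResponse("http://app.example/config.php.bak", 200,
                     {"content-type": "application/octet-stream"},
                     "<?php /* constructed backup copy */"),
    CapturedResponse("http://app.example/index.html", 200,
                     {"content-type": "text/html"},
                     "<html>home</html>"),
]

if __name__ == "__main__":
    for a in run_checks(SAMPLE_CAPTURE):
        print(f"[{a.risk}] {a.check}: {a.url} ({a.detail})")
```

Because every check is a plain function over a captured response, adding a new server check (as the text says later versions will) means appending one function to CHECKS; the checks only see what the proxy already recorded, so they can be re-run against a saved session without touching the server again.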
You can modify the default settings of Paros on the "Options" tab. All options are displayed and stored in XML format. The following shows how to set the options:

```xml
<Options>
  <ProxyServer>
    <!-- IP address of this proxy. Use localhost or 127.0.0.1 -->
    <IP>127.0.0.1</IP>
    <!-- Port listened on by this proxy. Configure the browser to point to this -->
    <Port>8080</Port>
    <!-- internal SSL proxy port used by this proxy -->
    <SSL>8443</SSL>
  </ProxyServer>
  <ProxyChain>
    <!-- leave "Name" blank if there is no proxy chain to use, or fill in your
         proxy server for internet access -->
    <Name></Name>
    <!-- set to the port of your proxy server -->
    <Port>8080</Port>
    <!-- set the IP addresses to bypass/skip the proxy server defined above, e.g.
         <Skip>127.*;*.abc.com</Skip> -->
    <Skip></Skip>
  </ProxyChain>
</Options>
```
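As an added example (not Paros code), here is a small Python reading of that Options document: it parses the elements shown above and decides, for a given target host, whether a request goes direct or through the proxy chain, using the ";"-separated Skip list with "*" as the only wildcard. The wildcard semantics (each "*" matches any run of characters, everything else is literal, so "127.*" matches 127.0.0.1 but not 1270.0.0.1) and the sample proxy-chain values are assumptions, since the page defines the syntax only by its "127.*;*.abc.com" example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the Options document from this page with an assumed
# proxy chain (corpproxy.example:3128) and skip list filled in.
SAMPLE_OPTIONS = """<Options>
  <ProxyServer>
    <IP>127.0.0.1</IP>
    <Port>8080</Port>
    <SSL>8443</SSL>
  </ProxyServer>
  <ProxyChain>
    <Name>corpproxy.example</Name>
    <Port>3128</Port>
    <Skip>127.*;*.abc.com;10.1.*</Skip>
  </ProxyChain>
</Options>"""


@dataclass
class ProxyChain:
    name: Optional[str]        # None when <Name> is blank (no chain)
    port: int
    skip_patterns: List[str]


@dataclass
class Options:
    listen_ip: str
    listen_port: int
    ssl_port: int
    chain: ProxyChain


def _text(elem, path: str, default: str = "") -> str:
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def parse_options(xml_text: str) -> Options:
    """Parse the <Options> document into a typed structure."""
    root = ET.fromstring(xml_text)
    if root.tag != "Options":
        raise ValueError("root element must be <Options>")
    name = _text(root, "ProxyChain/Name") or None
    skip = [p.strip() for p in _text(root, "ProxyChain/Skip").split(";") if p.strip()]
    return Options(
        listen_ip=_text(root, "ProxyServer/IP", "127.0.0.1"),
        listen_port=int(_text(root, "ProxyServer/Port", "8080")),
        ssl_port=int(_text(root, "ProxyServer/SSL", "8443")),
        chain=ProxyChain(name=name,
                         port=int(_text(root, "ProxyChain/Port", "8080")),
                         skip_patterns=skip),
    )


def _pattern_to_regex(pattern: str):
    # Assumed skip syntax: '*' is the only wildcard; every other character,
    # including '.', is literal, so "a.b.*" cannot match "a1b2c".
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def bypasses_chain(options: Options, host: str) -> bool:
    """True when a request to `host` should go direct rather than via the chain."""
    if not options.chain.name:
        return True  # no chain configured: everything goes direct
    return any(_pattern_to_regex(p).match(host) for p in options.chain.skip_patterns)


def upstream_for(options: Options, host: str) -> Optional[Tuple[str, int]]:
    """(host, port) of the next hop for a request to `host`, or None for direct."""
    if bypasses_chain(options, host):
        return None
    return (options.chain.name, options.chain.port)


if __name__ == "__main__":
    opts = parse_options(SAMPLE_OPTIONS)
    for h in ("127.0.0.1", "www.abc.com", "abc.com", "10.1.2.3", "www.example.org"):
        print(h, "->", upstream_for(opts, h) or "direct")
```

Anchoring the translated pattern with "^" and "$" is what keeps "127.*" from matching "1270.0.0.1" and "*.abc.com" from matching "abc.com"; an unanchored search would make the skip list bypass the chain for far more hosts than the operator intended.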
All HTTP requests and responses can now be logged as they pass through Paros. You can view the requests/responses later using the "Requests" and "Response" log panels.