
This page only gives a brief description of Paros features. For a detailed description, download the user guide from the Paros Download page.



Features in Paros v3.2.0Alpha
 

Paros v3.2.0Alpha was released on 10 Nov 2004.

-    Almost 90% of the code base has been rewritten.

-    Improved connectivity.  Better HTTP/1.1 keep alive support.

-    Improved authentication support
    .    proxy authentication is supported; Basic and NTLM should both work.
    .    per-server authentication is supported.

-    Improved session saving
    .    the site hierarchy and history can be restored from the session file.
    .    better performance through an embedded database.
    .    large sites are supported in both scanning and spidering.

-    Better extensibility through extensions and plugins

-    New extension design
    .    used to add functions to the core program
    .    to be further polished in the final release

-    New plugin features
    .    each plugin represents one test
    .    a shared knowledge base lets plugins exchange findings
    .    dependency checks between plugins are supported.
    .    custom plugins can be created by extending one of the AbstractPluginXXX classes.
    .    to be further polished in the final release
-    New spider:
    .    URL crawling and form crawling. Form fields are filled from their option values using a limited number of combinations.
    .    configurable options.
    .    start/stop/resume supported
    .    estimated % complete shown

-    New scanner:
    .    configurable options
    .    multiple hosts and threads
    .    scanning of individual hosts can be stopped.
    .    generated alerts can be viewed while the scan is still running.

-    New filters:
    .    a custom filter implementing the Filter interface can be added by dropping it into the filter directory.

-    New application logging support in log directory.

-    Improved user interface.
    .    Click on tab to maximize working panel.
    .    Support image viewing.

-    Builds with Ant 1.6.2 (build.xml included)

-    Change of copyright owner to parent company.

 
 

Features in Paros v3.1.3
 

Paros v3.1.3 was released on 23 Aug 2004.

New Features:

  • Allow running the scanner on a particular request shown in the lower URL list (select the request in the URL list, right-click and choose 'Scan Selected Node/Item')
  • Allow re-sending a particular request shown in the lower URL list (select the request in the URL list, right-click and choose 'Re-send'). Check the correctness of details such as the port before sending it out.
  • Allow crafting a request by clicking the menu "Tools" => "Send HTTP(S) Requests"
  • In the DetectUnsafeContent filter, add a new IE vulnerability check, and improve the ms-its checks and the speed of the other checks.

Bug Fixes:

  • Fix a problem in handling the wildcard '*' when using IP addresses like a.b.* for bypassing the proxy
 
 

Features in Paros v3.1.2
 

Paros v3.1.2 was released on 19 Apr 2004.

New Features:

  • Add the DetectUnsafeContent filter. When enabled, it reports unsafe content such as ActiveX controls, malicious VBScript, suspicious content types and IE vulnerability exploits in the Output Window as the responses pass through.
  • Allow clearing URLs by right-clicking the lower URL list and choosing 'Clear all'
  • Allow clearing all windows via Menu => Clear Current Session, or the F3 key
 
 

Features in Paros v3.1.1
 

Paros v3.1.1 was released on 22 Mar 2004.

New Features:

  • add a URL encoder/decoder under "Tools|Hash/Encoding..."
  • improve performance when reading HTTP headers
  • add a 'Comment' panel in the Log Analyzer to show HTML comments
  • add a 'Script' panel in the Log Analyzer to show scripts
  • add two filters, 'ReplaceRequestHeader' and 'ReplaceRequestBody', to replace text in HTTP requests
  • rename the cookietampering scanner test to CRLFInjection to better describe what it checks

Bug Fixes:

  • solved a bug where the SQL scanner checks could use the tampered/modified query string for scanning
  • solved a bug where the report could be generated before the last scan thread ended.
  • modified the 'CookieDetectFilter' filter to handle multiple Set-Cookie lines in a header.

 

 
 

Features in Paros v3.1
 

Paros v3.1 was released on 24 Jan 2004.

New Features:

  • revamped the correlated request and response logs as a list. Clicking an entry in the 'URL' list displays the corresponding request and response.
  • added an advanced log viewer (under menu 'Session') which allows easy browsing and filtering of the log. Offline scanning of logged traffic is supported.
  • all requests and responses are logged to flat files (session_request.log and session_response.log in the 'project' directory)
  • scan reports are generated in HTML format with risk ranking, description and solutions. Reliability of each finding is indicated as warning or suspicious.
  • a running scan can be stopped (menu Tree => Scan Stop).
  • the number of scanner threads can be changed in Options
  • added the following scanner checks:
    • SSL Cipher suite check
    • Cookie tampering check (CRLF injection)
    • Buffer overflow check
    • Session ID potential exposure in referer
    • Session ID locate (informational only)
    • Set-cookie check (informational only)
    • Server header capture (informational only)
    • Platform disclosure in comment check (informational only)
    • WebDAV check in HttpMethods

Bug Fixes:

  • solved an occasional infinite loop when HTTP 1.1 chunked encoding is in use.
  • solved a rare case in which the scanning analyser consumed too much CPU time.
  • solved bugs that caused the scanner to skip the tree crawled by the spider.

 

 
 

Features in Paros v3.0.3
 

Paros v3.0.3 was released on 17 Dec 2003.

New Features:

  • added new checks for WebLogic (8.1) example files.
  • added new checks for cache and private IP address exposure.
  • added new checks for parameter tampering.
  • improved the SQL injection check for MS SQL. More blind injection checks added.
  • redirect responses are now followed during scanning.
  • reduced the number of scanning threads to 5 to lower bandwidth requirements.

Bug Fixes:

  • fixed a bug that could display the wrong test query when a SQL injection vulnerability is found.
  • fixed a problem where the scanner could stop running when scanning URLs crawled by the spider.
  • fixed a bug in the filters LogGetQuery and LogPostQuery

 

 

Features in Paros v3.0.2c
 

Paros v3.0.2c was released on 22 Nov 2003.

  • Fixed a bug in the conversion of 0x0D to 0x0D 0x0A in JTextArea. This bug could affect the result of certain HTTP header modifications.
  • Added support for some non-standard URIs (containing special characters not defined in the RFC) used by some web sites, which previously could stop the proxy from accessing those pages.

 

 

Features in Paros v3.0.2b
 

Paros v3.0.2b was released on 27 Oct 2003.

  • Fixed a major problem of intercepting HTTP when proxy chaining is used.

No new features were added.

 

 

Features added in Paros v3.0.2
 

Paros v3.0.2 was released on 20 Oct 2003.

  • Improved SQL injection check
  • Added default file check for JRUN
  • Added default files check for IIS 4, IIS 5 and IIS 6
  • Added default files check for ColdFusion
  • Added "ReplaceResponseHeader" filter to automatically change pattern in response header
  • Added "ReplaceResponseBody" filter to automatically change pattern in response body
  • Fixed a problem for default file check with "Scan All" function

For the two new filters (ReplaceResponseHeader and ReplaceResponseBody), click on the filter name under the "Functions" column of the Filters panel and set the pattern. The pattern field accepts a Java regular expression.

E.g. you can rewrite the "Set-cookie" line of a response header by setting the pattern field to "Set-cookie: id=\S*" and the replacement to "Set-cookie: id=abcde". Note that the match is case-sensitive, so a server sending "Set-Cookie:" will not be matched by this pattern, and that \S* stops at the first space, so any cookie attributes following "; " are left in place after the replacement.
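The following is an added example, not code from Paros, showing what a ReplaceResponseHeader-style substitution does to a constructed response header block. Python's re module is used here because its syntax for this pattern is the same as Java's; the header block, the function names and the second, tighter pattern are all assumptions made for this illustration.

```python
import re

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-cookie: id=7f3a9c; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en\r\n"
    "Content-Type: text/html\r\n"
)


def replace_header(headers: str, pattern: str, replacement: str,
                   ignore_case: bool = False) -> tuple[str, int]:
    """Apply a regex substitution to each header line separately.

    Returns the rewritten header block and the number of substitutions made.
    Processing line by line keeps ^ and $ anchored to one header field.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    out = []
    total = 0
    for line in headers.split("\r\n"):
        new_line, n = rx.subn(replacement, line)
        total += n
        out.append(new_line)
    return "\r\n".join(out), total


def demo_page_pattern() -> tuple[str, int]:
    # The pattern from the page: \S* is greedy but stops at the first space,
    # so "; Path=/; HttpOnly" is left dangling after the replacement and the
    # "Set-Cookie: lang=en" line is not touched (different case, different name).
    return replace_header(SAMPLE_HEADERS, r"Set-cookie: id=\S*", "Set-cookie: id=abcde")


def demo_tighter_pattern() -> tuple[str, int]:
    # Case-insensitive match on the header name, and the value is cut at the
    # first ';' so the cookie attributes survive intact.  Python uses \1 for a
    # group reference in the replacement; Java's replaceAll uses $1.
    return replace_header(SAMPLE_HEADERS,
                          r"^(Set-Cookie:\s*id=)[^;\r\n]*",
                          r"\1abcde",
                          ignore_case=True)


if __name__ == "__main__":
    print(demo_page_pattern()[0])
    print(demo_tighter_pattern()[0])
```

Run it to compare the two rewritten header blocks; the first leaves "Set-cookie: id=abcde Path=/; HttpOnly", the second "Set-cookie: id=abcde; Path=/; HttpOnly". When rewriting responses in a real test, also remember that changing a header or body length may require a matching Content-Length update, which these filters do not do for you.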

 

 

Features added in Paros v3.0.1
 

Paros v3.0.1 was released on 1 Sep 2003.

  • Fix and improve the cross-site scripting check when handling URL parameters.
  • Fix and improve the tunneling problem (a feature not yet documented) in the command line.
  • Add a SQL injection check.

Some users may see connection problems when "HTTP 1.1 through proxy" is enabled in the browser. We think this is a problem with the Java JSSE package. If you encounter any page corruption under SSL, simply turn off "Use HTTP 1.1 under proxy connections" in your browser. There is no difference apart from a slight performance degradation.

 

 

Features added in Paros v3.0
 

Paros v3.0 was released under the Clarified Artistic License (an open source, GPL-compatible license), while all previous versions (v2.x) are closed source.

 

 

Features added in Paros v2.2
 

Paros v2.2 was released on 30 Jun 2003 with the following new functions:

  • Support HTTP 1.1 connections
  • Spider feature added
  • Allow scanning for cross-site scripting (XSS) vulnerability on the selected website after navigation
  • Allow removal of websites from the Tree view

 

 

Features added in Paros v2.1
 

Paros v2.1 was released on 24 Apr 2003 with the following functions:

  • support for client certificates (Menu => Tools => Enable Client Cert.)
  • a few vulnerability checks added and the scanner engine improved
  • 2 more filters added to record GET/POST queries
  • hash functions and base64 conversion added (Menu => Tools => Hash/Encoding)
  • text search (click on the text area, press Ctrl+F or Menu => Edit => Find)

Compared with Paros v2.0, it takes longer to start Paros v2.1 as more Java classes are initialized at startup. We'll try to improve it in later versions.

 

 

Features in Paros v2.0
 

Basically, Paros v2.0 has the following functions:

  • Trap function - trap and modify HTTP (and HTTPS) requests/responses manually
  • Filter function - detect pre-defined patterns in HTTP messages and alert you so that you can manipulate them
  • Scan function - scan for common vulnerabilities such as browsable directories.
  • Options - set options, such as an upstream proxy server for getting through a firewall
  • Logs - view and examine the content of all HTTP requests/responses
 
 

 

Compared with Paros v1.0, Paros v2.0 has the following enhancements:

  • Improved look and feel
  • Rewritten core engine and structure for better performance
  • Enhanced Trap functionality, which can view/modify POST parameters in table form
  • Added Filter functionality
  • Added Scanner functionality
  • Easy configuration - an "Options" tab in XML format was added.
  • URLs, requests and responses are logged during website navigation.

    (Screenshot of Paros omitted.)

Trap Function
 

All HTTP and HTTPS data passing through Paros can be trapped and modified as you like.

1. Trap Request

Turn on the "Trap Request" check box in the "Trap" tab and all requests will then be trapped. You can modify the content in the Header/Body text areas and click the "Continue" button to proceed.

Note the "Tabular View" button in the bottom right corner. This button is enabled when the "Trap Request" check box is on and there is some text in the "Body" text area. It converts the body of an HTTP POST request into a table of parameters so that you can edit them more easily.

After you click the button, the parameters are shown in a form where each one can be edited individually.

After modifying the parameters, click the "Original View" button to go back to the previous screen with the updated data.

2. Trap Response

Turn on the "Trap Response" check box in the "Trap" tab and all responses will then be trapped. You can modify the content in the Header/Body text areas and click the "Continue" button to proceed.

Note that the "Tabular View" button has no effect for responses.
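As an added example (not Paros code), this shows what the tabular view does with a trapped POST body and what must happen when the edited table is converted back: the body is re-encoded and the Content-Length header has to be corrected to the new body length, otherwise the server reads too few or too many bytes. The sample request, the parameter names and the function names are all constructed for this illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample trapped request (not captured traffic).  Body is 32 bytes.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "user=alice&pass=s3cret&role=user"
)


def split_request(raw: str) -> tuple[list[str], str]:
    """Split a raw request into its header lines and body."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def body_to_table(body: str) -> list[tuple[str, str]]:
    """'Tabular View': decode a form-encoded body into (name, value) rows.

    Blank values are kept so that a row is shown for every parameter, and
    percent-encoding and '+' are decoded so the table shows the real values.
    """
    return parse_qsl(body, keep_blank_values=True)


def table_to_body(rows: list[tuple[str, str]]) -> str:
    """'Original View': re-encode the edited rows as a form body."""
    return urlencode(rows)


def rebuild_request(raw: str, rows: list[tuple[str, str]]) -> str:
    """Put the edited parameters back and fix Content-Length to match."""
    lines, _ = split_request(raw)
    body = table_to_body(rows)
    out = []
    for line in lines:
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(body.encode('latin-1'))}"
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body


def edit_parameter(raw: str, name: str, new_value: str) -> str:
    """Change one parameter in a trapped POST and return the corrected request."""
    _, body = split_request(raw)
    rows = [(n, new_value if n == name else v) for n, v in body_to_table(body)]
    return rebuild_request(raw, rows)


if __name__ == "__main__":
    print(edit_parameter(SAMPLE_REQUEST, "role", "admin"))
```

Values containing spaces or ampersands survive the round trip because urlencode re-escapes them ("a b&c" becomes "a+b%26c"); forgetting that step is the usual way a hand-edited body ends up with one parameter too many.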

 
     
     

Filter Function
 

The "Filters" tab shows all the filters in the Paros program. A filter detects the occurrence of a pre-defined pattern in HTTP messages and alerts you, so you do not need to trap every HTTP message and look for the pattern yourself.

As this functionality is new in Paros v2.0, we have only created one filter, which detects the "Set-cookie" header field in HTTP responses. In the future, we may allow filters to be plugged into the program.

The CookieFilter is disabled by default. If you want to be alerted to any "Set-Cookie" attempt, go to the "Filters" tab and turn it on. Once it is on, a window pops up whenever a "Set-Cookie" field appears in an HTTP response.
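An added example, not the Paros CookieFilter itself, of the detection logic such a filter runs over a response: it finds every Set-Cookie line (matching the header name case-insensitively and handling more than one Set-Cookie line, which the v3.1.1 bug fix above was about) and breaks each one into name, value and attributes for the alert. The sample response and the function names are assumptions for this illustration.

```python
# Constructed sample response (not captured traffic): two cookies, mixed case.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3; Path=/; Secure\r\n"
    "Content-Type: text/html\r\n"
    "Set-cookie: theme=dark; Expires=Thu, 01 Jan 2004 00:00:00 GMT\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def header_lines(raw: str) -> list[str]:
    """Return the header lines of a raw response, without the status line."""
    head, _, _ = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:]


def set_cookie_lines(raw: str) -> list[str]:
    """Every Set-Cookie header, regardless of how the server capitalised it."""
    return [line for line in header_lines(raw)
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(line: str) -> dict:
    """Split 'Set-Cookie: name=value; Attr=x; Flag' into its parts.

    Attributes are split on ';' only, so values such as an Expires date that
    contain commas and spaces stay whole.  Attribute names are lower-cased
    because they are case-insensitive; flags without a value map to ''.
    """
    value = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return {"name": name.strip(), "value": val.strip(), "attrs": attrs}


def cookie_filter(raw: str) -> list[str]:
    """The filter's output: one alert line per Set-Cookie header, [] if none."""
    alerts = []
    for cookie in map(parse_set_cookie, set_cookie_lines(raw)):
        attr_text = ", ".join(cookie["attrs"]) or "none"
        alerts.append(f"Set-Cookie detected: {cookie['name']} (attributes: {attr_text})")
    return alerts


if __name__ == "__main__":
    for alert in cookie_filter(SAMPLE_RESPONSE):
        print(alert)
```

Matching on the lower-cased header name matters in practice: a filter that looks only for the literal "Set-cookie" spelling used in this page's example silently misses the "Set-Cookie" form most servers send.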

 
     
     

Scan Function
 

The scanner scans the server based on the website hierarchy (the tree in the left panel). It checks for server misconfigurations.

We added this functionality to Paros because certain URL paths cannot be found and examined automatically by the crawler engine of a web scanner. For example, some URL paths are only reachable after a valid logon. An automatic web scanner may not find those paths and so cannot check whether any backup files (.bak) exist there that could reveal server-side source code or configuration.

To use this function, you need to navigate the website first. As you navigate, Paros builds the website hierarchy tree automatically. Then you can do either of the following:

  • To scan all websites in the tree, click the menu item "Scan"->"Scan All" to trigger the scan.
  • To scan one website in the tree, click on that site in the tree panel and then click the menu item "Scan"->"Scan selected".

Currently, there are three basic server configuration checks:

  • HTTP PUT allowed - check whether the PUT method is enabled on server directories
  • Directory indexable - check whether server directories are browsable.
  • Obsolete files exist - check whether obsolete (backup) copies of files exist on the server

 More server checks will be added later on.
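An added example, not the Paros scanner, of how these three checks can be driven from a crawled site tree. The probe function is injected so that the code runs offline against a constructed fake site; the backup-name variants, the directory-listing heuristics (Apache's "Index of" title, IIS's "[To Parent Directory]" link) and all names are assumptions made for this illustration.

```python
import re
from typing import Callable

# Constructed fake site: (method, path) -> (status, body).  Not a real server.
FAKE_SITE = {
    ("GET", "/app/login.asp"): (200, "<html>login form</html>"),
    ("GET", "/app/login.asp.bak"): (200, "<% sql = \"select * from users\" %>"),
    ("GET", "/images/"): (200, "<html><title>Index of /images</title></html>"),
    ("PUT", "/upload/paros_probe.txt"): (201, ""),
}


def fake_fetch(method: str, path: str) -> tuple[int, str]:
    return FAKE_SITE.get((method, path), (404, "Not Found"))


def backup_candidates(path: str) -> list[str]:
    """Names an admin's editor or deployment script commonly leaves behind."""
    if path.endswith("/"):
        return []
    stem = path.rsplit(".", 1)[0] if "." in path.rsplit("/", 1)[-1] else path
    return [path + ".bak", path + ".old", path + ".orig", path + "~", stem + ".bak"]


DIR_LISTING = re.compile(r"<title>\s*Index of /|\[To Parent Directory\]", re.IGNORECASE)


def is_directory_listing(status: int, body: str) -> bool:
    return status == 200 and bool(DIR_LISTING.search(body))


def put_allowed(status: int) -> bool:
    # 200/201/204 mean the server accepted and stored the uploaded file.
    return status in (200, 201, 204)


def scan(tree: list[str], fetch: Callable[[str, str], tuple[int, str]]) -> list[tuple[str, str]]:
    """Run the three checks over every node of the site tree.

    Returns (check name, path) findings.  Directory nodes end with '/'.
    Note that the PUT probe really creates a file on a vulnerable server;
    a scanner should record that and clean up afterwards.
    """
    findings = []
    for path in tree:
        if path.endswith("/"):
            status, body = fetch("GET", path)
            if is_directory_listing(status, body):
                findings.append(("Directory indexable", path))
            status, _ = fetch("PUT", path + "paros_probe.txt")
            if put_allowed(status):
                findings.append(("HTTP PUT allowed", path))
        else:
            for candidate in backup_candidates(path):
                status, _ = fetch("GET", candidate)
                if status == 200:
                    findings.append(("Obsolete file exists", candidate))
    return findings


if __name__ == "__main__":
    for finding in scan(["/app/login.asp", "/images/", "/upload/"], fake_fetch):
        print(finding)
```

A 200 on a backup candidate is only a lead: many servers answer 200 with a friendly error page for any path, so compare the response with a request for a name that certainly does not exist before reporting it.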

 
 

 

 
     

Options
 

You can modify the default settings of Paros on the "Options" tab. All options are displayed and stored in XML format. The following shows how to set the options:

<Options>
  <ProxyServer>
    <!-- IP address this proxy listens on. Use localhost or 127.0.0.1 -->
    <IP>127.0.0.1</IP>
    <!-- Port this proxy listens on. Configure your browser to point to it -->
    <Port>8080</Port>
    <!-- Internal SSL proxy port used by this proxy -->
    <SSL>8443</SSL>
  </ProxyServer>

  <ProxyChain>
    <!-- Leave "Name" blank if no proxy chain is used, or fill in the proxy server you use for internet access -->
    <Name></Name>
    <!-- Port of that proxy server -->
    <Port>8080</Port>
    <!-- Hosts/IP addresses for which the proxy server above is bypassed, separated by ';'.
         '*' is a wildcard, e.g. <Skip>127.*;*.abc.com</Skip> -->
    <Skip></Skip>
  </ProxyChain>
</Options>
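An added example, not Paros code, of the routing decision the ProxyChain settings describe: a request goes direct when no chain is configured or when the target host matches an entry of the Skip list, and through the upstream proxy otherwise. The '*' wildcard is turned into an anchored regular expression so that "127.*" only matches addresses that really start with "127." (the kind of prefix handling the v3.1.3 wildcard fix above concerns). Function names and the sample hosts are assumptions for this illustration.

```python
import re


def compile_skip_list(skip: str) -> list[re.Pattern]:
    """Turn '127.*;*.abc.com' into anchored, case-insensitive patterns.

    Entries are split on ';', blanks are ignored, every regex metacharacter
    in an entry is escaped and only '*' is re-interpreted as 'anything'.
    """
    patterns = []
    for entry in skip.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        regex = "^" + re.escape(entry).replace(r"\*", ".*") + "$"
        patterns.append(re.compile(regex, re.IGNORECASE))
    return patterns


def should_bypass_chain(host: str, patterns: list[re.Pattern]) -> bool:
    """True if the host matches any Skip entry and must be fetched directly."""
    return any(p.match(host) for p in patterns)


def choose_route(host: str, chain_name: str, chain_port: int, skip: str) -> tuple:
    """Return ('direct', host) or ('chain', proxy_name, proxy_port)."""
    if not chain_name.strip():
        return ("direct", host)
    if should_bypass_chain(host, compile_skip_list(skip)):
        return ("direct", host)
    return ("chain", chain_name, chain_port)


if __name__ == "__main__":
    for host in ("127.0.0.1", "www.abc.com", "abc.com", "1270.1.1.1", "10.20.5.5"):
        print(host, choose_route(host, "proxy.corp.example", 8080, "127.*;*.abc.com;10.20.*"))
```

Two details worth noticing: "*.abc.com" does not match the bare "abc.com" (there is no dot before it), and "127.*" does not match "1270.1.1.1", which a naive startswith("127") check would wrongly bypass.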

 

 
     

Logs
 

All HTTP requests and responses can now be logged as they pass through Paros. You can review them later in the "Requests" and "Responses" log panels.

 
     

Copyright © 2004, Chinotec Technologies Company. All Rights Reserved.