Paros is one of the most popular tools for penetration testing of web applications and can be used by security specialists and developers to test the security of their own applications. It is written in Java, which lets it run on many different operating systems.
Its built-in proxy function is especially useful, because it lets you observe and control the traffic flowing between the browser and the server. Users of the tool can therefore see exactly how their application handles cookies, redirects and the requests the browser sends to the server. It also includes several functions for automated testing, but its real value shows in the hands of a capable penetration tester who knows exactly what they are looking for.
How to install it
As you can imagine, you will already find it installed in the well-known distribution for penetration testers, Kali Linux. For other operating systems the installation process is quite simple. A Java Runtime Environment (JRE) of version 1.4 or newer is a prerequisite.
First, check whether your machine already has Java installed. Output like the following indicates that Java is present:
C:\Users\elena> java -version
java version "1.8.0_231"
Java(TM) SE Runtime Environment (build 1.8.0_231-b11)
Java HotSpot(TM) Client VM (build 25.231-b11, mixed mode)
Otherwise you can download JRE from here.
Having Java installed, download and install Paros from its official website. This will redirect you to the SourceForge.net page from which you can select the version to download. Once the file is downloaded, double-click on it and follow all the steps of the installer as shown below.
Once the installation is complete you will find it in the Programs menu. The first time you run it, it will ask you to accept the license agreement.
As mentioned, Java must also be installed on a Linux machine. To check whether it is installed, open a terminal, type the following command and inspect the output:
root@kali-elena:~# java -version
openjdk version "11.0.5-ea" 2019-10-15
OpenJDK Runtime Environment (build 11.0.5-ea+6-post-Debian-2)
OpenJDK 64-Bit Server VM (build 11.0.5-ea+6-post-Debian-2, mixed mode, sharing)
If Java is not pre-installed, run the following command and then check the Java version again:
sudo apt install default-jre
After successfully installing Java, install Paros with these two commands:
sudo apt-get update
sudo apt-get install paros
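The prerequisite check above (Java 1.4 or newer, on Windows or Linux) can be scripted. The following is an added example, not part of the original post or of Paros itself. It parses the two java -version transcripts shown above, embedded here as constructed sample strings, and handles the change in Java's version scheme: "1.8.0_231" is Java 8 under the old "1.x" numbering, while "11.0.5-ea" is Java 11. The installed_java_version helper is an assumption of this example; it shells out to java -version, which prints its output to stderr.

```python
import re
import subprocess

# Constructed samples, taken from the two `java -version` transcripts shown above.
SAMPLE_WINDOWS = (
    'java version "1.8.0_231"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_231-b11)\n'
    'Java HotSpot(TM) Client VM (build 25.231-b11, mixed mode)\n'
)
SAMPLE_KALI = (
    'openjdk version "11.0.5-ea" 2019-10-15\n'
    'OpenJDK Runtime Environment (build 11.0.5-ea+6-post-Debian-2)\n'
    'OpenJDK 64-Bit Server VM (build 11.0.5-ea+6-post-Debian-2, mixed mode, sharing)\n'
)

# Matches the first line of `java -version` for both Oracle and OpenJDK builds.
VERSION_LINE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def normalise_version(raw):
    """Turn a raw version string into a comparable (feature, minor, patch) tuple.

    Java 8 and earlier used "1.x.y" (so "1.8.0_231" is feature version 8);
    Java 9 and later use "x.y.z" (so "11.0.5-ea" is feature version 11).
    Pre-release, update and build suffixes ("-ea", "_231", "+6") are ignored.
    """
    core = re.split(r"[-_+]", raw.strip())[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unrecognised Java version: {raw!r}")
    if parts[0] == 1 and len(parts) > 1:
        parts = parts[1:]  # legacy scheme: drop the leading "1."
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_java_version(output):
    """Extract the version from `java -version` output; None if no version line is present."""
    match = VERSION_LINE.search(output)
    return normalise_version(match.group(1)) if match else None


def meets_minimum(output, minimum="1.4"):
    """True if the output reports a Java at least as new as `minimum` (Paros needs 1.4)."""
    found = parse_java_version(output)
    return found is not None and found >= normalise_version(minimum)


def installed_java_version():
    """Run `java -version` on this machine (it prints to stderr) and parse the result.

    Returns None when no java binary is found, which is the "install default-jre" case.
    (Assumed helper for this example; it is not part of Paros.)
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, sample in (("Windows", SAMPLE_WINDOWS), ("Kali", SAMPLE_KALI)):
        print(label, parse_java_version(sample), "ok" if meets_minimum(sample) else "too old")
    print("this machine:", installed_java_version())
```

The version comparison is done on the normalised tuple rather than on the raw string, because a plain string comparison would rank "1.8.0_231" above "11.0.5-ea".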
How to use it
Below we use Paros in a Kali Linux environment to look at its different uses. We start Paros by opening a terminal and typing paros. The first time, it will ask us to accept the license agreement.
After accepting the agreement, Paros opens and presents the following areas:
- Left Area: This area lists the websites we are checking, together with the files and folders discovered during that check.
- Right Area: Here we see the requests sent to the website under test and the corresponding responses. We can modify and resubmit these requests to examine the application's behaviour more closely.
- Bottom Area: Here we see the results of the scans and crawls we run against the target site. It contains the History, Spider, Alerts and Output tabs.
Now it is time to check a web application for vulnerabilities. To do this we need to let Paros intercept the traffic between our browser and the application. In this case our browser is Firefox ESR, so from its menu we select "Preferences", then "General", scroll down and press the "Settings" button in the "Network Proxy" section.
Here we need to adjust the settings so that they match the picture below.
Paros intercepts traffic by listening on localhost, port 8080.
The web application we will use for the test is located at 192.168.141.129 and was set up for this very purpose.
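What the right-hand area shows once the browser is pointed at the proxy is raw HTTP: the request the browser sent and the response the server returned. The following added example, which is not part of the original post or of Paros, does in code what a tester does by eye in that panel: it parses a request/response pair into method, target, cookies sent, status, redirect target and the flags on every cookie the server sets, and lists the cookies issued without both Secure and HttpOnly. The request and response bytes are constructed samples that reuse the page's test host 192.168.141.129; opener_via_proxy is an assumed helper that routes scripted requests through the same 127.0.0.1:8080 listener so they appear in Paros alongside the browser's traffic.

```python
import urllib.request
from http.cookies import SimpleCookie

PROXY = "http://127.0.0.1:8080"  # the listener the browser was just pointed at

# Constructed sample exchange: a request carrying a session cookie, answered with a
# redirect that issues a fresh session cookie (HttpOnly but not Secure) and a second
# cookie with no protection flags at all.
SAMPLE_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: 192.168.141.129\r\n"
    b"Cookie: JSESSIONID=abc123; theme=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /home\r\n"
    b"Set-Cookie: JSESSIONID=def456; Path=/; HttpOnly\r\n"
    b"Set-Cookie: remember=1; Path=/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def _split_head(raw):
    """Split a raw HTTP message into (start line, header lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    return lines[0], lines[1:], body


def parse_request(raw):
    """Summarise a request the way the proxy panel shows it: method, target, host, cookies."""
    start, header_lines, body = _split_head(raw)
    method, target, _version = start.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        cookies = {name: morsel.value for name, morsel in jar.items()}
    return {"method": method, "target": target, "host": headers.get("host"),
            "cookies": cookies, "body": body}


def parse_response(raw):
    """Summarise a response: status, redirect target and the flags on each Set-Cookie."""
    start, header_lines, body = _split_head(raw)
    status = int(start.split(" ", 2)[1])
    headers = {}
    set_cookies = []
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "set-cookie":
            # Set-Cookie may repeat, so it is collected as a list rather than folded.
            parts = [p.strip() for p in value.split(";")]
            attrs = {p.lower() for p in parts[1:]}
            set_cookies.append({"name": parts[0].split("=", 1)[0],
                                "secure": "secure" in attrs,
                                "httponly": "httponly" in attrs})
        else:
            headers[name] = value.strip()
    return {"status": status,
            "location": headers.get("location") if 300 <= status < 400 else None,
            "set_cookies": set_cookies, "body": body}


def summarize_exchange(request_raw, response_raw):
    """Join both halves and flag cookies the server set without Secure and HttpOnly."""
    req = parse_request(request_raw)
    resp = parse_response(response_raw)
    weak = [c["name"] for c in resp["set_cookies"] if not (c["secure"] and c["httponly"])]
    return {"request": f'{req["method"]} {req["target"]} (host {req["host"]})',
            "cookies_sent": req["cookies"],
            "status": resp["status"],
            "redirect": resp["location"],
            "cookies_missing_flags": weak}


def opener_via_proxy(proxy=PROXY):
    """A urllib opener whose HTTP and HTTPS traffic goes through the intercepting proxy."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))


if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    # Uncomment to send a scripted request through Paros (needs the listener running):
    # print(opener_via_proxy().open("http://192.168.141.129/").status)
```

Set-Cookie is kept as a list rather than folded into one header, because the flags have to be checked per cookie; folding would hide a weak second cookie behind a well-flagged first one.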
With Paros open, we visit our site and then select "Analyze" and then "Spider" to crawl all pages of the application.
As the crawl progresses we can watch its results in the Spider tab.
Once the crawl is complete we will need to run our Scan. This can be done by selecting "Analyze" again and then "Scan".
After the scan completes, the application's vulnerabilities are listed in the "Alerts" tab in the bottom area. We see that it has returned the following (2 rated high, 2 medium and 1 low):
Paros enables you to export the result to a report by selecting from the "Report" menu and then "Last Scan Report".
Following the path Paros indicates, we find the results of the scan we ran in report form.
At this point it is worth noting that Paros is the ancestor of the well-known OWASP Zed Attack Proxy (ZAP), which is maintained by the OWASP community.
How did Paros look to you? Will you use it? We look forward to your feedback.