If you understand how a particular Web site works, you can gain essential clues to securing it. Paros is a tool designed to show exactly how users interact with a Web site and how attackers could exploit it.
Paros uncovers the behind-the-scenes communication between your Web browser and a Web site and stores the data for analysis. It's actually a proxy server that you install on your client computer and then configure so that your Web browser connects to it when making Web requests. In turn, Paros connects to the target Web server. In its position between the client computer and the target Web server, Paros can collect all sorts of useful information from the target Web site and present it to you for analysis.
Installing Paros
Paros is a freeware Java application with versions for Windows and UNIX (including Mac OS X). Before you download Paros, make sure you have Sun Microsystems' Java Runtime Environment (JRE) 1.4.2 or later. Visit the Java Web site, where you can verify that you have the latest version or download it (http://www.java.com/en/download/index.jsp).
After you install the JRE, you can download the latest version of the Paros application and the short Paros user guide from the Paros Web site (http://www.parosproxy.org). Installation is straightforward. The Paros application is a Java Archive (JAR) file but comes with a shortcut in your Windows\Program Files\Paros folder to launch the program. On UNIX systems, navigate to the folder in which you extracted the Paros .zip file and execute the startserver.sh script. If successful, you'll see the Paros application start up in its own window as a standalone Java application.
Next, configure your Web browser to make a proxy connection to the Paros server. By default, Paros accepts network connections on local host TCP port 8080. You can change either the server you wish to connect to or the connection port in Paros by selecting Tools, Options, Local proxy.
When you view a Web page in a browser you've configured for Paros, you should be able to see data about that Web site in the Paros application UI. After you've collected data about a site, you can save it and later open it as a previous session. Let's walk through the panes in the Paros UI and talk about what they indicate, using a visit to the Windows IT Pro Web site as an example.
Navigating the Paros Interface
Figure 1 shows the functional Paros interface, which has three panes plus additional tools available from its menu. The upper left Sites pane shows a hierarchical view of all the Web sites accessed based on the URL I entered. The Sites pane in Figure 1 shows the Web site I visited, http://www.windowsitpro.com, as well as six other Web sites my browser talked to during that visit. This result is common for Web sites that use advertising because ads are typically served from third-party Web sites.
The pane that spans the bottom of the Paros interface presents the history, the results of a spider crawl, or noted vulnerability alerts, depending on which button you click. In Figure 1, the lower pane displays the chronological history of URLs visited as a result of a single request to http:// www.windowsitpro.com as well as the response returned by the Web server. The Windows IT Pro Web page is listed first, followed by a request for the Cascading Style Sheets (CSS) file and then the advertiser sites.
If you click an entry in the Sites or History pane, you can see the actual request or response displayed in the upper right pane. You can also use the Trap tab in this pane to halt on every request (or response) so that you can modify the actual request after it's left your browser. For example, you could test whether the server validates data by entering data in the requested, "good," format on the target Web site and then changing it to a "bad" format in Paros. If the Web server accepts the bad data as good, then you've discovered a possible vulnerability.
The Request and Response tabs in the upper right pane show the actual data being sent to or from the site. For example, in the Request view, you can see the actual HTTP GET string used to call the Web site data, as well as related data such as the Agent string (i.e., the type of Web browser you're using), referring URL, and even cookie data. Click the Response tab, and you'll be able to see data similar to what Figure 1 shows in the upper right pane, which the Web server sends back to the client. This includes HTML source code and images as well as metadata such as page expiration, how or whether the page should be cached, and whether a cookie was set or read.
Whether you're new to auditing Web sites or a veteran, it's informative to use Paros to visit a few Web sites to see what it tells you about how they really work. As you become more familiar with Paros, you can use its more advanced features to begin to assess a Web site's security.
Using Advanced Features in Paros
Paros not only captures and displays your entire interaction with a Web site, it also saves the source code and images of the target Web site. As a security administrator, you might want to manually review this data to assess your Web site and identify security vulnerabilities. For example, you might discover hidden fields in forms and use Paros to test whether your site validates fields properly. You can also instruct Paros to automate a few well-known assessment techniques:
Search. Paros includes robust searching capabilities that let you use regular expressions to find text patterns in a Paros session. Paros also includes useful search samples for tasks such as finding cookie requests, banner requests, or page posts. Figure 2 shows how I used a sample pattern to find cookie requests. You can use Paros to look for hidden fields or search for comments that should have been stripped out during development.
Spider. You can "spider" a site to quickly fetch all of its data by asking Paros to recursively visit every link it finds and even attempt to submit forms. This feature helps find links or page references that might not be visible upon a more casual inspection.
Scan. To help automate Web site testing, Paros includes a customizable Scan feature, which you can configure to look for specific security-related vulnerabilities and other useful information. For example, the scan feature can look for obsolete files, check for any leaking of private IP addresses and disclosure of session IDs in URLs, and check whether sample or default pages and configurations remain on the target Web server. A scan can also help identify the potential for common-Web attacks such as SQL injection or cross-site scripting attacks. Expand the Analyse menu to access the Scan capabilities, then select Scan Policy to enable or disable the various checks.
After you've configured your scan policy, highlight the Web site in either the Sites or History pane, and click Analyse, Scan to begin the scan. Paros will audit the site, then show problems categorized as high, medium, or low severity.
Filters. During an audit, you might want to replace regular request or response data with your own data. For example, you might want to test a locally changed page by changing your user agent or replacing a Fully Qualified Domain Name (FQDN) server name with the IP address of your own client. Within Paros, select Filter from the Tools menu and enable and define the filters you want. Any requests or responses passing through Paros will be altered depending on how you've configured these filters.
Recovering Your Browser
When you've completed your auditing, you'll want to close Paros and remove the proxy configuration from your Web browser because it slows the browser down. Thanks to Paros's middleman position between your Web browser and a target Web site, coupled with its analytical capabilities that let you view and tweak Web requests and responses on the fly, Paros is a tool that will earn its place in your IT security toolbox.
