Monday, June 25, 2007

Paros Proxy: Step-by-Step Guide (Automated Security Assessment)

In continuation of the last post, here is a hands-on with Paros Proxy. As already mentioned, it is a good tool for a first-cut assessment of a web application's security. Configure the proxy settings of your web browser, visit a few pages of the test site to give the crawler a seed to start from, spider, and finally scan. That's it! Within about 15 minutes of launching the application you will have a list of vulnerabilities from which to start a further, in-depth assessment.

Step 1:

Check the proxy settings of Paros under Tools > Options.

Local proxy is the address and port you will configure in the web browser. By default, Paros listens on localhost (127.0.0.1) port 8080. If another program on your machine already uses port 8080, change it here and use the new value in the browser. Because Paros sits between the browser and the site, it has to terminate TLS to see HTTPS traffic, so for HTTPS sites the browser will warn about the certificate the proxy presents.

Under Connection settings you configure the address and port of your corporate/ISP proxy, so that Paros forwards the browser's requests through it. If you are not behind a proxy server, leave it unchecked (the default). You can also list addresses that bypass the upstream proxy and enter proxy authentication details.
Step 2:

Next, open the proxy settings dialog of your web browser and enter the Paros local proxy address and port (localhost, 8080 by default) as the HTTP and HTTPS proxy. If the browser has a "no proxy for localhost" exception, a site running on your own machine will bypass Paros; remove the exception for the duration of the test.

Step 3:

Next, open the web site you want to assess in the browser.

Browse a few of its pages manually, so that Paros has a seed to start crawling from. Every request that passes through the proxy is recorded and the site appears under the Sites pane. Visiting the pages and forms that matter (including those behind a login, while logged in) gives the spider and scanner a better starting point than the home page alone.
Step 4:


Once the seed is present in Paros, highlight the web site in the Sites pane, right-click and select Spider.

This starts automatic crawling: the spider follows the links it finds on the seeded pages and adds the discovered URLs to the Sites pane.

Step 5:


Now select Analyze > Scan Policy from the top menu.
Tick the vulnerability classes you want to scan for. The policy covers many of the OWASP Top 10 categories, such as injection and cross-site scripting. Note that an automated scanner only finds what it can detect from request/response patterns; authorization and business-logic flaws still need manual testing.
Step 6:

Once the scan policy is defined, you can start the scan for one or more (or all) web sites visible under the Sites pane. The active scan sends attack payloads to every parameter it knows about, so only scan sites you are authorized to test, and expect side effects on any form that writes data.

Once the scan has completed, you can view the results, together with the request and response that triggered each finding, in the Alerts window at the bottom.

Step 7:

Now you can generate a detailed report on the findings from Report > Last Scan Report.

The assessment report contains, for each finding, the vulnerability description, the exact instances (URL and affected parameters), a recommended solution and relevant references.
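To make the seed > spider > scan policy > alerts > report workflow of Steps 3 to 7 concrete, here is a small added example that models it in Python. It is not Paros code and is not taken from the original post: the target site (target.example, other.example, the three pages and their responses) is a constructed stand-in served by a local function, the two checks are deliberately minimal versions of a reflected-XSS and an error-based SQL-injection probe, and nothing is sent over the network.

```python
"""Toy model of the Paros workflow: seed -> site tree -> spider -> scan policy -> alerts -> report.
Added example, not Paros's own code. All input is constructed inline; nothing touches the network."""
import html
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse


class LinkExtractor(HTMLParser):
    """Collect link targets (a/href and form/action) from an HTML body, as a spider does."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def site_tree(urls):
    """Group observed URLs by scheme+host, like the Sites pane (host -> sorted paths)."""
    tree = defaultdict(set)
    for u in urls:
        p = urlparse(u)
        tree[f"{p.scheme}://{p.netloc}"].add(p.path or "/")
    return {host: sorted(paths) for host, paths in tree.items()}


def spider(seed_urls, fetch, max_pages=50):
    """Breadth-first crawl, restricted to the hosts seen in the seed (scope = seeded hosts)."""
    scope = {urlparse(u).netloc for u in seed_urls}
    queue, seen = list(seed_urls), set()
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        extractor = LinkExtractor()
        extractor.feed(fetch(url) or "")
        for href in extractor.links:
            absolute = urljoin(url, href).split("#")[0]
            if urlparse(absolute).netloc in scope and absolute not in seen:
                queue.append(absolute)
    return sorted(seen)


def parameters(url):
    """Query parameter names of a URL: the injection points an active scan will probe."""
    return [name for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True)]


def with_param(url, name, value):
    """Return url with the value of parameter `name` replaced by `value` (URL-encoded)."""
    p = urlparse(url)
    query = [(k, value if k == name else v) for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunparse(p._replace(query=urlencode(query)))


# Scan policy: check name -> (probe sent in the parameter, detector run on the response body).
# Minimal stand-ins for real checks; a real policy has many more checks per class.
SCAN_POLICY = {
    "Cross Site Scripting": ("<paros>", lambda body, probe: probe in body),      # reflected unencoded
    "SQL Injection": ("'", lambda body, probe: "sql syntax" in body.lower()),    # database error leaked
}


def scan(urls, fetch, policy):
    """Active scan: for every URL and parameter, send each enabled probe and record hits as alerts."""
    alerts = []
    for url in urls:
        for name in parameters(url):
            for check, (probe, detect) in policy.items():
                body = fetch(with_param(url, name, probe)) or ""
                if detect(body, probe):
                    alerts.append({"check": check, "url": url, "param": name})
    return alerts


def report(alerts):
    """Group alerts by check, listing each instance as 'URL [parameter]' as the scan report does."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["check"]].append(f'{a["url"]} [{a["param"]}]')
    return {check: sorted(instances) for check, instances in grouped.items()}


def fake_fetch(url):
    """Constructed stand-in for the target site (hypothetical host target.example)."""
    p = urlparse(url)
    q = dict(parse_qsl(p.query, keep_blank_values=True))
    if p.path == "/":
        return ('<a href="/search?q=test">search</a> <a href="/about">about</a> '
                '<a href="http://other.example/x">external</a>')   # external link is out of scope
    if p.path == "/search":
        term = q.get("q", "")
        if "'" in term:
            return "You have an error in your SQL syntax near '" + term   # constructed DB error
        return f"<p>Results for {term}</p>"                                 # vulnerable: unescaped
    if p.path == "/about":
        return f'<p>{html.escape(q.get("name", "team"))}</p><a href="/about?name=team">team</a>'
    return None


if __name__ == "__main__":
    found = spider(["http://target.example/"], fake_fetch)           # Step 3/4: seed and spider
    print(site_tree(found))
    print(report(scan(found, fake_fetch, SCAN_POLICY)))               # Steps 5-7: policy, scan, report
```

Only the `/search` page reports findings: `/about` reflects its parameter through `html.escape`, so the same probes come back encoded and the detectors stay quiet. Restricting the policy to a single entry of `SCAN_POLICY` is the equivalent of unticking checks in Step 5.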

I hope the post was informative, and that within a short time you will be able to perform your first automated web application vulnerability scan.

2 comments:

Nirmala HariOm said...

Very good explanation for first-time users..

Unknown said...

Nice... very nice.... Thank you.
But my suggestion is that, as you are already familiar with this tool, can you please explain it in detail so that it will be helpful to everyone.