Sunday, November 20, 2011

Paros Web Proxy

As this semester wraps up at both universities I found myself rapidly trying to grade papers as well as complete my own projects. One of the projects I needed to complete was a network and web security course at DSU. I used nikto in a previous post to discuss the use of the software in vulnerability assessment.

I have used proxy software in the past, but never in the capacity of vulnerability assessment. Now the project was to break a PHP script and gain remote access. This actually turned out to be more simplistic than I anticipated, but what was surprising was how useful the paros proxy software was in accomplishing that particular goal.

The software is designed to allow you to see all the GET and POST messages, content, delivery of regular web traffic between your host and the remote server. It has two nifty features though; cookie storage and spider crawl. I used the spider functionality to grab the listing of html the did a directory grep for *.php to find my script call. This saved hours of time looking though the site and really let me get to the heart of the assignment.

Paros should be added to any suite of network vulnerability tools for use in pen testing. I highly recommend it.