The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers
«
»

Paros Proxy | TestingSecurity.com

Posted by jpluimers on 2012/07/18

On the research list as it seems a lot wider than HTTP Fiddler:

Paros Proxy

Paros is a valuable testing tool for your security and vulnerability testing. Paros can be used to spider/crawl your entire site, and then execute canned vulnerability scanner tests. But Paros goes beyond that, it comes with a built in utility that can proxy traffic. This Paros Proxy utility can be used to tamper or manipulate any http or https traffic on the fly. This makes some of the more interesting security types of testing. It will help you isolate potential area’s of security concern and then manual attempt to perform the type of testing you desire.

Paros Proxy

Paros also comes with a built in Session ID analyzer. It will display a graph of all the types of Session ID’s it has been presented with using a multiple threaded session initiator. You then can determine if the graph appears random enough for the Session ID. It is a pretty unique and interesting tool to use. Although typically most developers will rely upon another technology tomcat, apache, or some other application to generate Session ID’s. This is not always the case and as such a Session ID analysis should be performed. Sometimes the Session ID will not be randomized enough and the hash used to create the Session ID is easily predictable.

Paros also comes with a built in Fuzzer. You will need to generate your own Fuzzer library to use the Fuzzer, but it will perform all the fuzzing for you.

–jeroen

via: Paros Proxy | TestingSecurity.com.

This entry was posted on 2012/07/18 at 06:00 and is filed under Development, HTML, Java, Scripting, SOAP/WebServices, Software Development, Web Development. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Paros Proxy | TestingSecurity.com”

  1. psiinon's avatar

    psiinon said

    2012/07/19 at 13:39

    Paros hasnt actually been updated since 2006, which is a very long time in security terms.
    You’d be much better off having a look at the OWASP Zed Attack Proxy (ZAP): https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
    ZAP is a fork of Paros, is actively maintained and now has many more features than Paros ever did.

    Psiinon (ZAP Project Lead)

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»