Reprinted from: http://blog.163.com/hack__eye/blog/static/113558844200972804042840/
More and more customers now require a website to pass a security scan before it is accepted. I previously introduced a tool called Ratproxy; it turned out not to be very convenient, and because it has no UI its scan results are hard to make use of. On our most recent website the customer required security testing, and the site owner specifically required that the scan be performed with the PAROS scanning tool.
PAROS is a web application security assessment tool written entirely in Java and released in source form. It provides a basic UI for its operations, so it is not hard to pick up; basically a scan can be completed in just a few steps.
The number of issue types PAROS checks for is not large, but they are the most important and most common web security problems, such as XSS, SQL injection, information disclosure, and so on. However, because it is a black-box tool, I think the range of problems it can find is inherently limited. Personally I believe that tracing through the source code is the most thorough approach, but that kind of tool is usually not easy to apply in practice.
To get started with PAROS, follow the steps below to complete a scan and obtain the scan report:
1. Start the PAROS tool.
2. Set the proxy server of your browser or other HTTP client to port 8080 on the local machine (as shown below).
3. Manually browse and operate the website. (Like ratproxy, this is a semi-automatic, action-triggered approach.) PAROS records every operation performed on the website, including all HTTP request and response headers, so that they can be analyzed and tested afterwards.
4. In the Scan Policy option under Analyze in the PAROS tool, select which checks you want to run against your website. A number of common web security vulnerabilities are built in here, but some may not apply to your site, so you can leave those unchecked. For example, if you are not using ASP...
5. Click Scan All under Analyze to start the scan.
6. When the scan finishes, click Last Scan Report under Report to obtain the report of the most recent scan.
Step 3 above is the "trigger-based" approach. PAROS also provides an automatic spider that can crawl the website for you: once the proxy server setting above is in place, open your browser and first visit the home page of the site to be scanned, and PAROS will list the site's address. In PAROS, right-click that site address and choose "Spider".
Click Start in the dialog that appears, and the site's pages will be crawled! Some web applications require a login, so you must first perform the login on the site yourself; the spider cannot do this part automatically, and you still have to operate the website manually for it.
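Because the spider cannot log in by itself, one way to get the pages behind the login into PAROS's recorded session is to drive them through the proxy from a script. The following is an added example, not code from the original post or from PAROS; it assumes PAROS is listening on 127.0.0.1:8080 as set above, and the login URL and form fields are placeholders for your own application.

```python
# Added example (not from the original post): log in to your own site and walk its
# same-origin pages through the Paros proxy so that PAROS also records pages behind
# the login. Assumed: Paros listens on 127.0.0.1:8080; login_url/form are placeholders.
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

PAROS_PROXY = "http://127.0.0.1:8080"  # the proxy setting from the steps above


class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def same_origin_links(html, base_url):
    """Absolute same-origin links found in html, fragments stripped, deduplicated."""
    parser = LinkCollector()
    parser.feed(html)
    base = urllib.parse.urlsplit(base_url)
    seen, out = set(), []
    for href in parser.hrefs:
        parts = urllib.parse.urlsplit(urllib.parse.urljoin(base_url, href))
        url = parts._replace(fragment="").geturl()
        if (parts.scheme, parts.netloc) == (base.scheme, base.netloc) and url not in seen:
            seen.add(url)
            out.append(url)
    return out


def proxied_opener(proxy=PAROS_PROXY):
    """Opener whose requests (with session cookies) all pass through the Paros listener."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
    )


def login_and_walk(opener, login_url, form, start_url, limit=50):
    """POST the login form, then fetch same-origin pages breadth-first (at most limit)."""
    opener.open(login_url, urllib.parse.urlencode(form).encode()).read()
    queue, visited = [start_url], []
    while queue and len(visited) < limit:
        url = queue.pop(0)
        body = opener.open(url, timeout=10).read().decode("utf-8", "replace")
        visited.append(url)
        queue += [u for u in same_origin_links(body, url) if u not in visited + queue]
    return visited
```

Run it as, for example, `login_and_walk(proxied_opener(), "http://yoursite/login", {"user": "...", "pass": "..."}, "http://yoursite/")` while PAROS is open, then continue with Scan Policy and Scan All as in the steps above.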
The scan report that is finally produced looks like the following: