1. Installation
(1) Install the JRE
- First make sure a Java Runtime Environment (JRE) version 1.4 or later is installed.
Note: Install the JRE before installing Paros Proxy. If the JRE is installed after Paros Proxy, Paros Proxy will not start.
- If no JRE is present, it can be downloaded and installed from http://java.sun.com/j2se . If the JRE alone cannot be found, the JDK of the same version can be downloaded instead; the JDK includes the JRE.
(2) Install and configure the Paros Proxy application
- Download address: http://sourceforge.net/projects/paros/
- Installation:
If you download the Windows version, installation is straightforward (run the installer).
If you download the Unix or other-platform version, extract the program manually into a new directory and double-click the .jar file to run the program.
- Configuration:
Paros requires two TCP ports, 8080 and 8443: 8080 is the proxy connection port and 8443 is the SSL port. Make sure neither port is already in use by another program. (To view ports in use: open a DOS command window and enter netstat to list the ports currently in use.) If an initialization error occurs when the application is started after installation, the most likely cause is that one of these ports is occupied by another program.
Configure the browser: in the browser (IE), open Tools - Options - Connections - LAN Settings, select "Use a proxy server", and set the proxy name to localhost and the port to 8080.
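The port check above is done by hand with netstat; the following script automates the same pre-flight check before Paros is launched. It is an added example and not part of the original tutorial or of Paros itself; the port numbers and their roles come from the text, while the function names and the loopback host are this example's own choices.

```python
"""Pre-flight check for the two TCP ports Paros Proxy needs (8080 proxy, 8443 SSL).

Added example, not part of the original tutorial or of Paros itself. It does
what the text tells you to do with netstat by hand: confirm that nothing else
is already listening on 8080/8443 before launching Paros, which is the usual
cause of the initialization error at start-up.
"""
import socket

# Ports and roles as stated in the tutorial.
PAROS_PORTS = {8080: "proxy port", 8443: "SSL port"}


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """Return True if a listening socket can be bound to host:port.

    Binding (rather than connecting) is used because a failed bind is exactly
    the error Paros itself would hit; a connect test could miss a listener
    that refuses connections from this client.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
        return True


def occupy_port(host: str = "127.0.0.1") -> socket.socket:
    """Open a listening socket on an OS-chosen free port and return it.

    Simulates another program holding a port (used for self-testing);
    the caller is responsible for closing the returned socket.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock


def check_paros_ports(ports=PAROS_PORTS) -> dict:
    """Map each required port to True (free) or False (already in use)."""
    return {port: port_is_free(port) for port in ports}


def report(ports=PAROS_PORTS) -> bool:
    """Print one status line per port; return True only if all are free."""
    status = check_paros_ports(ports)
    for port, role in ports.items():
        state = "free" if status[port] else "IN USE - stop the other program or change Paros's port"
        print(f"TCP {port} ({role}): {state}")
    return all(status.values())


if __name__ == "__main__":
    # Exit status 1 when a port is taken, so the check can gate a launch script.
    raise SystemExit(0 if report() else 1)
```

Run it just before starting Paros; a non-zero exit status means at least one of the two ports is already taken, which is the condition the tutorial warns about.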
2. Operation Steps
Step 1: Start Paros Proxy and open the website under test in the browser (IE).
- Step 2 - Spider: crawl URLs.
- After step 1, the system automatically crawls the first level of the site's URL hierarchy tree and displays the URLs in the "Sites" column on the left. Then select a URL in the "Sites" column, right-click and choose the Spider command (or use the Analyse menu - Spider command), and the system will crawl the next level of the URL hierarchy tree.
- Note: Paros cannot crawl certain URL paths, for example links that are only reachable after a valid login. Log in to the site first, and only then start the crawl.
- The crawl function cannot handle the following situations:
URLs on SSL sites with an invalid certificate cannot be crawled.
Multithreading is not supported.
Some malformed URLs in an HTML page are also not recognized.
URLs generated by JavaScript are also not recognized.
Although these URLs cannot be crawled automatically, they can be added manually to the "Sites" column on the left, as follows:
First get a good understanding of the URL hierarchy tree of the site under test, so that you know which URLs have been crawled and which have not.
For the URLs that were not crawled, open Paros - Tools - Manual Request Editor, enter each uncrawled URL, and click the Send button to add it manually; each URL that is sent successfully appears in the "Sites" column on the left.
Step 3 - Scanner: scan the URLs in the "Sites" column, running the security checks against each URL separately to find out whether it has any vulnerabilities.
- To scan all URLs in the "Sites" column, click Analyse - Scan All to start a full scan.
- To scan only one URL in the "Sites" column, select the URL, right-click, and choose the Scan command.
- The scanner can check for the following:
  - SQL injection
  - Cross-site scripting
  - Directory traversal
  - CRLF (carriage-return/line-feed) injection, and so on.
Note: The security checks can be configured through Analyse - Scan Policy.
Step 4 - View and verify the scan results:
- After the scan completes, click Report - Last Scan Report to view the current scan report.
- Validate the scan results against the report. For example, if the report says that a parameter passed in one of the URLs has a SQL injection vulnerability, enter that URL and parameter into the address bar and verify the result.
Step 5 - Save the crawl and scan content.
- Note when saving: the save path does not support special characters, such as Chinese characters; otherwise the saved file will not open.