Website Scanning Tool PAROS Proxy (v3.2.13) installation and use summary

Source: Internet
Author: User

1. Installation
(1) Installing the JRE

- First make sure a JRE is installed [Java Runtime Environment (JRE) 1.4 or above].

Note: Install the JRE first and Paros Proxy second; if the JRE is installed after Paros Proxy, Paros Proxy will not start.
If no JRE is present, download and install it from: http://java.sun.com/j2se. If a stand-alone JRE cannot be found, the JDK of the same version can be downloaded instead, since the JDK ships with the JRE.

(2) Installing and configuring the Paros Proxy application

- Download: http://sourceforge.net/projects/paros/

- Installation:

If you download the Windows version, installation is simple: run the installer.
If you download the UNIX or other-platform version, extract the program manually into a new directory and run the .jar file to start the program.

- Configuration:

Paros requires two ports, 8080 and 8443: 8080 is the proxy connection port and 8443 is the SSL port, so make sure neither port is occupied by another program. (To view ports: open a DOS command window and enter netstat to list the ports currently in use.) If an initialization error occurs when the application is started after installation, the most likely cause is that one of these ports is occupied by another program.
Configure the browser: open the browser (IE), go to Tools - Options - Connections - LAN settings, tick "Use a proxy server", and enter proxy name localhost, port 8080.
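As an added check that is not part of the original article, the following Python script tests whether Paros's two ports (8080 proxy, 8443 SSL) are already in use before you launch it. It assumes Paros binds on the local host and only reports whether something already accepts connections on a port, not which program owns it (use netstat for that).

```python
import socket
from typing import Dict, List, Tuple

# The two ports Paros needs, as stated in the article.
PAROS_PORTS: Dict[str, int] = {"proxy": 8080, "ssl": 8443}


def port_in_use(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """Return True if something already accepts TCP connections on host:port.

    A successful connect (connect_ex() == 0) means the port is taken; a refusal
    or timeout means Paros should be able to bind it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_paros_ports(ports: Dict[str, int] = PAROS_PORTS) -> Dict[str, bool]:
    """Map each named Paros port to whether it is currently occupied."""
    return {name: port_in_use(port) for name, port in ports.items()}


def conflicts(status: Dict[str, bool]) -> List[str]:
    """Names of the ports that are occupied and will make Paros fail to start."""
    return [name for name, busy in status.items() if busy]


def listen_on_free_port() -> Tuple[socket.socket, int]:
    """Helper for demonstrations/self-tests: open a listener on a free port.

    This stands in for 'another program' holding a port; it is constructed
    here and is not something Paros itself provides.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    status = check_paros_ports()
    for name, busy in status.items():
        print(f"{name} port {PAROS_PORTS[name]}: {'IN USE' if busy else 'free'}")
    taken = conflicts(status)
    if taken:
        print("Paros will not start until these ports are freed:", ", ".join(taken))
    else:
        print("Both ports are free; Paros can be started.")
```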
2. Operation procedure
- First step: open Paros Proxy, then open the site under test in the browser (IE).

- Second step, spider: crawl URLs.

  - After the first step, the first level of the site's URL hierarchy tree is captured automatically from the site under test, and these URLs are displayed in the "Site" column on the left. Select a URL in the Site column, right-click and choose the Spider command (or use Analyse - Spider), and the tool will crawl the next level of the URL hierarchy tree.

  - Note: Paros cannot crawl certain URL paths, for example links that are only reachable after a legitimate login, so you must log in to the site before crawling.

  - The crawl function cannot handle the following situations:

    - URLs on SSL sites with invalid certificates cannot be crawled.
    - Multithreading is not supported.
    - Some malformed URLs in the HTML page are not recognized.
    - URLs generated by JavaScript are not recognized.

  Although these URLs cannot be crawled automatically, they can be added manually to the "Site" column on the left, as follows:

    - First, get a good understanding of the URL hierarchy tree of the site under test, so that you know which URLs have been crawled and which have not.
    - For URLs that have not been crawled, open Paros - Tools - Manual Request Editor, enter the uncrawled URL and click the Send button; this completes the manual add, and successfully added URLs appear in the "Site" column on the left.

- Third step, scanner: scan the URLs in the "Site" column, running the security checks against each URL separately to find security vulnerabilities.

  - To scan all URLs in the "Site" column, click Analyse - Scan All to start scanning everything.

  - To scan only one URL in the "Site" column, select it, right-click, and choose the Scan command.

  - The scanner checks for the following:

    - SQL injection
    - Cross-site scripting
    - Directory traversal
    - CRLF injection (carriage return / line feed), and so on.

Note: The security checks performed can be configured under Analyse - Scan Policy.

- Fourth step: view and verify scan results.

  - When the scan is complete, click Report - Last Scan Report to view the current scan report.

  - Verify the results against the scan report. For example, if one finding is a SQL injection vulnerability in a parameter passed in a URL, enter that URL with the parameter into the address bar and confirm the result.

- Fifth step: save the crawl and scan content.

  - Note when saving: the save path does not support special characters such as Chinese characters; otherwise the saved file will not open.
