Web Tools / Paros Proxy
Subtitles of the Movie
One of the last cool web-based tools that we're going to use is Paros Proxy. Now, Paros Proxy is not what you might think. It's not a proxy server that keeps you from surfing the web or blocks certain web requests or provides web caching. It's not that kind of proxy server at all. What it is is a proxy that sits between you and the website you're surfing, and what it can do is record all the requests and responses to and from that website by your browser, and by recording those responses and requests, we can get a lot of information about the website itself. So what it is is a website reconnaissance and vulnerability scanner. It can actually scan websites to determine what kind of vulnerabilities are out there; CGI vulnerabilities, scripting vulnerabilities and so forth, so as a penetration tester you might want to use this information to determine what kind of things a website is running. In other words, footprint the website and get vulnerability information for the website. Now, Paros Proxy is a program you download, but it is identical for Windows and Linux. If you download the Windows version, you're basically looking at the Linux version. They're pretty close. The user interfaces are very close, so it's basically designed for all platforms; Windows and Linux. Very easy to configure; you must download and install it of course, and then you have to configure your proxy settings on the web browser. You have to configure your web browser to go through a proxy server, and normally what you'll do is configure it to go through the local host on port 8080. That's the default for Paros and that can be changed of course, but you can pretty much use the default settings. What Paros does is intercept and display all web requests and responses from your browser to the server and back, so you can see what the traffic actually looks like and how the server is responding.
You can also use Paros, as I said, to conduct a vulnerability scan on a website to see what kind of vulnerabilities might be out there that you as a penetration tester can target or you as a security professional need to fix. Let's look at Paros Proxy and see how it works. OK, I've got Paros Proxy open on a Windows box and I don't have any traffic in there yet, but let's go to our web browser and create some traffic. OK, let's go and create some traffic for Paros Proxy to look at. Let's actually just go to our VTC.com site. OK, we're at our VTC.com site here and all we've done is gone to the site. Now let's see if we've created some traffic for Paros to look at. OK, let's look in Paros Proxy and see what kind of results we got from our website traffic. Now, we show two websites up here; a Google website and VTC.com, where we visited, and basically what it did is it intercepted all the traffic that went back and forth, even as we just went onto the main page. So you can see the requests and so forth. You could also trap and block requests and responses if you wanted to. Paros Proxy is actually useful in SQL injection, cross-site scripting and so forth in that it allows you to trap a response and inject your own in there, so unfortunately it can be used for some malicious purposes, but from a security perspective it can show you what vulnerabilities you may have out there on your site. Now it shows us the different directories under the VTC.com site; scripts, modules, templates and so forth. It can also do something very interesting, and we can actually go through all this and look and see what the details are, but one of the more interesting things it can do is scan a particular website. So let's select VTC.com to scan and see what we get. Now we're going to crank up the scan, and the scanning can actually take a good long while, so we're going to crank it up but we're not going to let it finish.
I'm going to go and show you a scan I've already previously run just for this session that's completed, and we'll see what vulnerabilities came up just by looking at the website, and we can see what kinds of things the administrator might want to fix and so forth. So let's get the scan started here and it's scanning and again, this can take a little time. It can be very time intensive if you've got a large website you're dealing with; especially a website that has a lot of graphics, a lot of different pages and so forth. So let's go ahead and switch to our report that's already complete. Alright, here's the scanning report that we've already generated, and we actually got this from the VTC.com website, and you can actually look and see the alerts here. We've got risk levels and a number of alerts, and fortunately all the alerts with this website are low. Basically, if there were high or medium ones it would tell us that, and it would tell us what actually is wrong with the website. It would tell us that there are vulnerabilities out there that are serious, such as cross-site scripting possibilities, SQL injections, and so forth. So it actually does a pretty good job of comprehensively scanning a website. Right now the only real detail on this site that we as an administrator would maybe even need to be concerned about, if at all, is simply the obsolete or old files; backups that aren't deleted or things like that, older files that we may have saved and replaced with newer files. So we've got a lot of those out there, and it's a very low, very insignificant vulnerability as far as web vulnerabilities go. We've also got a low warning on obsolete file extended checks; again, a very low warning when compared to other website vulnerabilities. So that's not a bad deal at all with that website, and it offers solutions as to what you can do as well to fix those problems.
If it found serious problems you would definitely want to pay attention to those, and you might want to fix those if you're a website administrator. So that basically is Paros Proxy, and there are other proxy servers out there that serve the same function. Paros is actually a little bit older, but it still works very well on most of the websites that you would scan, and for the traffic you would intercept, Paros does an excellent job of that. It's a good security tool: it can help you scan a website for vulnerabilities, it can get footprinting information for you, tell you how the site is laid out and designed, and as a security administrator, it can tell you what you need to fix on your website. So Paros Proxy there; a really good web-based tool that's really good for your security toolbox.
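To make the mechanism described above concrete, here is a minimal recording proxy written for this page (added teaching code, not Paros itself and not anything from VTC). Like Paros, it listens on localhost port 8080, forwards each browser request upstream, logs the request and response, and builds a site tree of hosts and paths from what passed through; the `record` and `directories` helpers are hypothetical names chosen here, and only plain HTTP is handled.

```python
"""Minimal recording HTTP proxy: the browser is pointed at 127.0.0.1:8080,
every request and response passes through, and a site tree (host -> paths)
is built from what was seen. Teaching code only; plain HTTP, no TLS."""
import http.client
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

SITE_TREE = defaultdict(lambda: defaultdict(list))  # {host: {path: [status]}}


def record(url, status):
    """Add one observed request to the site tree; returns (host, path)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    SITE_TREE[parts.netloc][path].append(status)
    return parts.netloc, path


def directories(host):
    """Directory names seen under a host, like the scripts/modules/templates
    entries the tutorial points out in the Paros site tree."""
    dirs = set()
    for path in SITE_TREE.get(host, {}):
        segs = [s for s in path.split("/") if s]
        dirs.update(segs if path.endswith("/") else segs[:-1])
    return sorted(dirs)


class RecordingProxy(BaseHTTPRequestHandler):
    """Forward a plain-HTTP GET upstream, then log request and response."""
    def do_GET(self):
        parts = urlsplit(self.path)  # a browser sends absolute URLs to a proxy
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn = http.client.HTTPConnection(parts.netloc, timeout=10)
        conn.request("GET", target)
        resp = conn.getresponse()
        body = resp.read()
        record(self.path, resp.status)
        print(f"GET {self.path} -> {resp.status} ({len(body)} bytes)")
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Same default listener the tutorial configures the browser for: localhost:8080
    ThreadingHTTPServer(("127.0.0.1", 8080), RecordingProxy).serve_forever()
```

Point a browser's HTTP proxy setting at 127.0.0.1:8080 and the console shows each request and status as it passes, while `directories("www.example.com")` returns the directory names observed under that host.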
Tutorial Information
| Course: | Using Security Tools |
| Author: | Bobby Rogers |
| SKU: | 34068 |
| ISBN: | 1-935320-88-2 |
| Release Date: | 2009-12-04 |
| Duration: | 9 hrs / 91 lessons |
| Captions: | Available on CD and Online University |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |