How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Mike Andrews and James A. Whittaker. Addison-Wesley Professional.
Paros
Paros has improved significantly in recent history and has an extensive feature set for testing the security of Web servers. Following are just a few of these features:
- Local proxy allowing you to be the man in the middle for all requests and responses between your browser and the Web server
- Spidering
- Automated scanning engine with HTML reports
- Proxy configuration for using an upstream proxy if necessary
- The ability to save all testing results to a session file
You need to get the Paros software from http://www.parosproxy.org and install it. (You must have at least version 1.42 of the Java JRE/JDK installed.) Launch Paros and then set your browser's proxy to localhost:8080.
Paros allows you to see the interaction between your browser and the Web server and change those values as you see fit. This lends itself to exploring flaws in Web applications, including hidden fields that control the price of an item, cookie values that contain obvious authentication information, or SQL queries that can be manipulated on the fly.
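The hidden-price flaw described above, as an added example that is not from the book: a checkout handler that trusts a hidden "price" form field, beside a hardened version that takes the price from a server-side catalogue. The CATALOG data, the checkout_* function names and the request bodies are constructed for illustration.

```python
# Added example (not from the book): a checkout handler that trusts a hidden
# "price" form field, beside a hardened version that ignores it. CATALOG and
# the checkout_* names are hypothetical. The tampered body models a request
# whose hidden field was rewritten in an intercepting proxy such as Paros.
from urllib.parse import parse_qs

# Server-side price list, the only authoritative source for prices
# (constructed sample data, prices in cents).
CATALOG = {"sku-100": 4999, "sku-200": 1250}


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> int:
    """Total computed from the client-supplied hidden 'price' field."""
    form = parse_form(body)
    return int(form["price"]) * int(form["qty"])


def checkout_hardened(body: str) -> int:
    """Total computed from the server-side catalogue; any client 'price' is ignored."""
    form = parse_form(body)
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return CATALOG[sku] * qty


# Constructed request bodies: what the browser sent, and the same body with
# the hidden price rewritten in transit.
ORIGINAL_BODY = "sku=sku-100&price=4999&qty=2"
TAMPERED_BODY = "sku=sku-100&price=1&qty=2"

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED_BODY))  # 2: the client-chosen price is honoured
    print(checkout_hardened(TAMPERED_BODY))    # 9998: the catalogue price wins
```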
After you start casing your target, you will see it appear in the Sites list. Let's set our browser to use localhost on port 8080 (if you have not changed Paros' defaults). Now, we can surf to a sample site and see what Paros does.
After we go to a site in our browser, we will see the server and all the requests that our browser made.
Notice the server in the left-hand window, the Request and Response tabs, and the real-time log of all your requests below. The Request tab shows you the raw data that your browser sent to the server. The Response tab shows you the raw response.
Notice the directory layout that's already emerging from going to three pages. Here we see how the server responded when we requested a JavaScript resource file. These are the types of files that can yield all sorts of interesting data, including developer comments. Or perhaps you can glean something about the internal logic that is somehow flawed. You might also learn that disabling JavaScript in your browser can help you bypass some access control mechanism. Remember: The browser runs JavaScript, so the application has a certain level of trust that the browser will do what is expected.
If the site requires authentication, log in to the application using your Web browser. You can also set credentials for servers in the options if you are going to scan multiple servers at once.
Paros has both a built-in spider and an automated scanner. Running the spider is a good place to start. The spider follows every link on the site to provide all possible target URLs for the automated scanner. There is some cross-functionality here with Nikto, but the Paros scanner looks for things like default content and directories and injection points in form fields. No automated tool will conduct the testing for you, but the tools will give you hints about where to look for common flaws and mistakes. Sometimes the scanner will find a glaring flaw like IIS Unicode, which requires following a URL to demonstrate. Other times, the tool may only hint at the real problem. Weeding out false positives is part of why it all comes down to you and your most important tool: your brain.