Saturday, August 29, 2009

Paros Proxy and The Prime Directives

When testing web applications for vulnerabilities, it is necessary to manipulate the data sent to and received from the server. Paros Proxy is one of the top applications for doing this. It lets you edit HTTP requests and responses (headers and bodies), spider websites, and generate its own SSL certificate so it can sit between the browser and an HTTPS server in a man-in-the-middle position (the browser will warn about that certificate until you accept it); it also includes a scanner for XSS (cross-site scripting) and SQL injection vulnerabilities. Paros Proxy is an open source Java application that runs cross-platform and requires minimal configuration to get it up and running.

Open source projects are typically developed by contributors working over long distances. Why the open source paradigm works, and works so well, is explained in great detail in Eric Raymond's essay "The Cathedral and the Bazaar" ( http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ ), and I highly recommend reading it.

Companies that develop proprietary software have internal methods of measuring the success of their products. In open source we have the Three Prime Directives. The Three Prime Directives of Open Source Software facilitate communication between developers and users and thus produce more effective applications. They are a useful standard that every open source project should use to measure its success in the Bazaar.

Prime Directive 1: The system accomplishes a useful task.

Paros Proxy accomplishes its task and goes beyond it. It offers a suite of tools for testing the security of a web application that would take many smaller, more specialized tools to replicate. The trade-off for that breadth is depth: each individual capability of Paros Proxy lacks the detailed intricacy of a tool built for that one purpose. This is not necessarily a bad thing, since specialized tools should be used solely for their purpose and not fall into the destructive path of feature bloat.

Prime Directive 2: An external user can successfully install and use the system.

Paros Proxy comes ready to run. A PDF on the download page ( http://www.parosproxy.org/download.shtml ) explains setup and basic use in layman's terms. The directory includes an EXE that launches the JAR file on Windows; on Linux, I executed the JAR file directly. When compiling from source, all you need to do is run Ant. To test man-in-the-middle (MITM) interception, I configured Firefox to connect through Paros Proxy on localhost:8080, browsed a few websites, and watched the HTTP headers and page source go by. I was able to edit cookies and change data on the fly with minimal effort. The user interface was simple to use and navigate (see below for screenshot).
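What the cookie-editing step above actually does is sit on localhost:8080, parse each request the browser sends, rewrite a header, and relay the result to the origin server. The following is an added example of that mechanism written for this post; it is not Paros Proxy's own code and does not reproduce its Java internals. It is a minimal plain-HTTP intercepting proxy whose `rewrite_cookies` hook swaps cookie values on the fly (the `role=admin` override, the port and the sample request are assumptions made for the demonstration). HTTPS interception, which needs the generated certificate described above, is deliberately out of scope.

```python
"""Minimal intercepting HTTP proxy (added example, not part of Paros Proxy).

Point a browser at 127.0.0.1:8080; every request is parsed, its cookies are
rewritten per OVERRIDES, and it is forwarded to the origin server named in
the absolute URI that browsers send to proxies. Plain HTTP only.
"""
import socket
import socketserver
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers, body).
    headers is an ordered list of (name, value) tuples."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_request(method, target, version, headers, body: bytes) -> bytes:
    """Inverse of parse_request."""
    head = f"{method} {target} {version}\r\n" + "".join(
        f"{n}: {v}\r\n" for n, v in headers)
    return head.encode("latin-1") + b"\r\n" + body


def rewrite_cookies(raw: bytes, overrides: dict) -> bytes:
    """Return the request with cookie values replaced per `overrides`
    (e.g. {"role": "admin"}). Cookies not named keep their value; names
    absent from the request are appended, so a Cookie header may be created."""
    method, target, version, headers, body = parse_request(raw)
    out, seen = [], False
    for name, value in headers:
        if name.lower() == "cookie":
            seen = True
            jar = {}
            for part in value.split(";"):
                k, _, v = part.strip().partition("=")
                if k:
                    jar[k] = v
            jar.update(overrides)  # dict order keeps the original cookie order
            value = "; ".join(f"{k}={v}" for k, v in jar.items())
        out.append((name, value))
    if not seen and overrides:
        out.append(("Cookie", "; ".join(f"{k}={v}" for k, v in overrides.items())))
    return build_request(method, target, version, out, body)


def to_origin_form(raw: bytes):
    """Browsers send proxies 'GET http://host/path HTTP/1.1'; origin servers
    expect 'GET /path HTTP/1.1'. Returns (host, port, rewritten_request) with
    hop-by-hop headers dropped and Connection: close forced so the upstream
    socket closes when the response is complete."""
    method, target, version, headers, body = parse_request(raw)
    u = urlsplit(target)
    host, port = u.hostname, u.port or 80
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("proxy-connection", "connection")]
    kept.append(("Connection", "close"))
    return host, port, build_request(method, path, version, kept, body)


class Interceptor(socketserver.BaseRequestHandler):
    overrides = {}  # assumed override set; filled in below for the demo

    def handle(self):
        raw = self.request.recv(65536)
        if not raw:
            return
        host, port, req = to_origin_form(rewrite_cookies(raw, self.overrides))
        with socket.create_connection((host, port), timeout=10) as upstream:
            upstream.sendall(req)
            while chunk := upstream.recv(65536):  # relay until server closes
                self.request.sendall(chunk)


if __name__ == "__main__":
    Interceptor.overrides = {"role": "admin"}  # assumed tampering for the demo
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), Interceptor) as srv:
        srv.serve_forever()
```

Run it, set Firefox's HTTP proxy to 127.0.0.1:8080, and any `role=user` cookie the browser sends leaves the proxy as `role=admin`; whether the application honours that is exactly the kind of authorization flaw an intercepting proxy exists to find. Reading one `recv` per request and closing after each response keeps the relay simple at the cost of keep-alive, which is fine for a demonstration but is why a real proxy parses Content-Length and chunked bodies.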

Prime Directive 3: An external developer can successfully understand and enhance the system.

Paros Proxy is constructed using the MVC (Model-View-Controller) design pattern. If you understand MVC, it is simple to get involved immediately. If you don't, a quick read of http://java.sun.com/blueprints/patterns/MVC-detailed.html will be of great assistance. The code is not thoroughly commented, but methods are named in a way that is helpful to the developer. One drawback is that there is no developer documentation that I could find, so if you want to get involved, just dive in.

http://sourceforge.net/projects/paros/
http://www.parosproxy.org
