Security Ripcord


Modifying the Paros Proxy User-Agent String

March 21st, 2006 cutaway Posted in Paros Proxy, Penetration Testing, Tools

Paros Proxy is an open source web assessment tool that lets the user spider websites, analyze content, modify requests, and much more. It is a necessary tool when performing assessments, penetration tests, code reviews, application deployment reviews, or any other website security task. As Paros Proxy is a Java-based open source tool, the developers have provided the community with executable versions for various operating systems as well as the source code for modification and development.

Although the usefulness of this tool warrants a write-up, it is not the reason I decided to talk about this proxy. The reason is that during a recent assessment I noticed that I could not get a server response when making HTTP requests through it. At first I thought the problem was me or my connection, but as I continued the assessment I noticed that other proxy tools (i.e. WebScarab, Achilles) were receiving server responses. Because these other tools could connect, I turned my focus to the Paros Proxy itself.

A little background on the situation is necessary. The assessment had me analyzing multiple servers within one company. I initially performed a sweep of the web servers with the Paros Proxy using its site spidering and analysis functionality. Time was more important than stealth during this assessment, so I was not concerned about the scans being identified. And, indeed, the amount and type of traffic produced by the proxy was detected by several developers during site maintenance. (They specifically noticed the requests for common backup files.) Word of the web analysis circulated through the company, and I didn't think much about it until I tried to return to a few sites for further analysis. This is where the fun began. I first confirmed that I could still reach the web site in question by browsing to it without a running proxy. Then I tried going to the site through the Paros Proxy, but the session timed out. No information was returned at all. It was at this point that I started experimenting with other proxies, which worked fine. Basically, I proved that the problem was Paros specific.

Now, during the assessment, I looked through a variety of HTTP requests and responses. Each request carries a USER_AGENT string (the User-Agent request header) that identifies the web browser making the request, which allows the web server to tailor its response to that browser. Proxies generally do not touch the USER_AGENT field, but they have the capability to change it just as they can change any other part of the request. The Paros Proxy provides this functionality and, as with most other proxies, it has a set of predefined browser strings so that the user can easily manipulate the request to see how the server will respond. Most proxies stop here; Paros, however, takes it a step further. In addition to the desired USER_AGENT, the Paros Proxy also appends its own application name and version number to each request after any modifications have been made. For example, a normal USER_AGENT string for Mozilla Firefox looks like

(screenshot: Original User Agent String)

whereas the Firefox USER_AGENT used by the Paros Proxy looks like

(screenshot: Modified User Agent String)

Now, normally, if a server does not understand a part of the USER_AGENT string it will ignore it. That was the case here with the Paros Proxy: the web servers being assessed did not know the meaning of "Paros/3.2.8", so they just returned the information requested. It was also quickly ascertained that the addition of the Paros Proxy name and version was hard-coded into the tool and could not be turned on or off with the click of a button.

Of course, nobody likes to be assessed and, if possible, they will attempt to find a way to avoid it. At this company, somebody did. A developer apparently noticed the extra string within the USER_AGENT and programmed the web server not to respond to requests carrying it. This was easily replicated by using WebScarab and appending "Paros/3.2.8" to the end of its USER_AGENT string: the web server returned nothing. Although the developers, and possibly their management, assumed that they were now protected from assessments using this tool, they could not have been farther from the truth. Not only were they still susceptible to scans through other proxies, their web sites could still be accessed by the Paros Proxy. This, however, did require a little modification to the tool.

As I stated earlier, the Paros Proxy is a Java-based application and the developers have provided the community with their source code. Fortunately for me, one of my colleagues (a Java programmer by trade) suggested that we just download and edit the source so that the USER_AGENT string no longer carried the extra information. So, in fifteen minutes we had downloaded all of the tools needed to build a Java application. With a little searching we located the line of code that appended the Paros information to the USER_AGENT string and changed it so that nothing extra is sent to the server. From there it was just a matter of editing the file, recompiling it, and replacing the original version with the new and improved assessment tool.

The following steps demonstrate this effort:

1. Download the Java SDK from Sun Microsystems.
2. Download ANT from the Apache web site.
3. Download the Paros Proxy source and executable versions from the Paros web site.
4. Install Java
5. Unzip “ant” and move it to C:\Program Files\Apache
6. Unzip the Paros source files.
7. Edit C:\Documents and Settings\user1\My Documents\downloads\
paros\paros-3.2.8-src\paros\src\org\parosproxy\paros\Constant.java (make a backup first).
Comment out the following line and replace it with the one after it:

// public static final String USER_AGENT = PROGRAM_NAME + "/" + PROGRAM_VERSION;
public static final String USER_AGENT = "";

8. Change dir to
C:\Documents and Settings\user1\My Documents\downloads\
paros\paros-3.2.8-src\paros\build
9. Set JAVA_HOME to the java dir: set JAVA_HOME=C:\Program Files\j2sdk1.4.2_10
10. Compile with ant: C:\Program Files\Apache\apache-ant-1.6.5\bin\ant
11. Make backup of paros: move C:\Program Files\Paros\paros.jar to paros.jar_orig
12. Copy C:\Documents and Settings\user1\My Documents\downloads\
paros\paros-3.2.8-src\paros\build\paros\paros.jar to C:\Program Files\Paros\paros.jar
13. Test by running the rebuilt proxy and checking the User-Agent the server actually receives, for example by sending a request through it to a web server you control and reading the header from that server's log.
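For step 13, here is a throwaway local inspector that does the check without a live target. It is an added example, not code from Paros or from the original post: a loopback HTTP server that echoes back the User-Agent it received and, when asked, imitates the developers' block by dropping any request whose User-Agent contains "Paros/" without sending a response. The Firefox-style User-Agent strings in the usage section are constructed (the post's screenshots show the real ones); the "Paros/" marker is the one the post describes; Python 3.7 or later is assumed. Point your browser at the proxy and the proxy at http://127.0.0.1:<port>/, or call probe() directly.

```python
"""Local User-Agent inspector for checking a rebuilt proxy (added example).

Runs a small HTTP server on a free loopback port that echoes the User-Agent
header it received. With block_tagged=True it behaves like the assessed web
servers in the post: a request whose User-Agent contains "Paros/" gets the
connection closed with no response at all.
"""
import http.client
import http.server
import threading
import urllib.error
import urllib.request

BLOCK_MARKER = "Paros/"  # substring the developers keyed on (from the post)


class UAInspector(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        print(f"{self.client_address[0]} sent User-Agent: {ua!r}")
        if self.server.block_tagged and BLOCK_MARKER in ua:
            # Imitate the assessed servers: close the connection without
            # sending any response, so the client sees an empty reply/timeout.
            self.close_connection = True
            return
        body = ua.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # do_GET already prints the only thing we care about


def start_inspector(block_tagged=False):
    """Start the inspector on a free loopback port in a background thread.
    The chosen port is server.server_address[1]."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), UAInspector)
    server.block_tagged = block_tagged
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, user_agent, timeout=3.0):
    """Send one GET with the given User-Agent straight to the inspector.
    Returns the User-Agent the server saw, or None when the server gave no
    response (the symptom described in the post)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/",
                                 headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None


if __name__ == "__main__":
    # Constructed User-Agent strings, not the ones from the post's screenshots.
    tagged = "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5 Paros/3.2.8"
    clean = "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
    srv = start_inspector(block_tagged=True)
    port = srv.server_address[1]
    print("tagged   ->", probe(port, tagged))   # None: no response at all
    print("untagged ->", probe(port, clean))    # the echoed User-Agent
    srv.shutdown()
    srv.server_close()
```

The blocked case returns None rather than an HTTP error because the server never writes a status line; that distinction matters when you are diagnosing a "timed out, nothing returned" symptom as opposed to a 403.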

The point that system and network administrators should take away from this effort is that any program can change its behavior patterns. This is one reason intrusion detection professionals try not to base their identification rules solely on information carried in the content (payload) of network traffic; a string a tool puts in its own requests is under the tool's control, and here removing it took one line of source. Developers should also remember that bad or poorly deployed code is not protected by blocking detection, assessment, and penetration tools; it has to be fixed.
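The takeaway above, worked through on a web server access log, as an added example that is not part of the original post. The log lines are constructed (combined log format, with constructed Firefox-style User-Agent strings); the backup-file suffix list, the three-requests-in-sixty-seconds threshold and the "Paros/" marker are assumptions chosen for the example. The first rule keys on the tool's self-identification and sees only the untouched build; the second keys on what the developers in the post actually noticed, a burst of requests for backup copies of pages, and catches the rebuilt proxy as well.

```python
"""Content rule vs. behaviour rule for spotting a Paros-style sweep (added example).

SAMPLE_LOG is constructed: 10.1.1.5 is an untouched Paros 3.2.8 sweep,
10.1.1.9 is the same sweep from a build with the "Paros/" tag removed, and
192.168.3.7 is an ordinary browser session.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format:
# client ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Suffixes a backup-file probe asks for (assumed list; tune for your site).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")

SAMPLE_LOG = """\
10.1.1.5 - - [21/Mar/2006:09:58:01 -0500] "GET /index.php HTTP/1.0" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5 Paros/3.2.8"
10.1.1.5 - - [21/Mar/2006:09:58:02 -0500] "GET /index.php.bak HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5 Paros/3.2.8"
10.1.1.5 - - [21/Mar/2006:09:58:02 -0500] "GET /index.php.old HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5 Paros/3.2.8"
10.1.1.5 - - [21/Mar/2006:09:58:03 -0500] "GET /index.php~ HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5 Paros/3.2.8"
192.168.3.7 - - [21/Mar/2006:09:58:10 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
192.168.3.7 - - [21/Mar/2006:09:58:11 -0500] "GET /images/logo.gif HTTP/1.1" 200 1802 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
192.168.3.7 - - [21/Mar/2006:09:58:40 -0500] "GET /about.php HTTP/1.1" 200 3311 "http://www.example.com/index.php" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
10.1.1.9 - - [21/Mar/2006:14:12:05 -0500] "GET /login.jsp HTTP/1.0" 200 2210 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
10.1.1.9 - - [21/Mar/2006:14:12:05 -0500] "GET /login.jsp.bak HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
10.1.1.9 - - [21/Mar/2006:14:12:06 -0500] "GET /login.jsp.old HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
10.1.1.9 - - [21/Mar/2006:14:12:06 -0500] "GET /login.jsp.orig HTTP/1.0" 404 287 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def user_agent_rule(entries, marker="Paros/"):
    """Content rule: clients whose User-Agent carries the tool's own tag.
    Defeated as soon as the tag is removed from the tool."""
    return {e["ip"] for e in entries if marker in e["ua"]}


def is_backup_probe(path):
    return path.lower().endswith(BACKUP_SUFFIXES)


def backup_probe_rule(entries, threshold=3, window_s=60):
    """Behaviour rule: clients requesting `threshold` or more backup-style
    file names within `window_s` seconds, regardless of User-Agent."""
    times_by_ip = defaultdict(list)
    for e in entries:
        if is_backup_probe(e["path"]):
            times_by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in times_by_ip.items():
        times.sort()
        # Sliding window: the threshold-th probe must land within window_s
        # of some earlier probe.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("User-Agent rule flags :", sorted(user_agent_rule(log)))
    print("backup-probe rule flags:", sorted(backup_probe_rule(log)))
```

On this log the User-Agent rule flags only 10.1.1.5, while the backup-probe rule flags both 10.1.1.5 and 10.1.1.9 and leaves the ordinary browser session alone. The behaviour rule can itself be evaded by slowing the sweep down, which is the general lesson: a detection tied to something the attacker controls is only a speed bump, and the 404s it is counting are the real finding to act on.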

Comments and inputs are welcome.
Cutaway