Mark Gibbs' Web site tips, plus network applications news headlines
Web applications have gone from being a novelty to becoming the meat and potatoes of many IT diets. But as we build ever more complex Web application infrastructures, we need new tools to help us understand how the flow of communications really works. We also need to look for security problems, because like any other new technology, Web applications present us with new risks.
I just found a terrific tool for tracking Web application traffic and checking Web application integrity: Paros Proxy, published by ProofSecure.com.
Paros Proxy - or simply "Paros" - is a Java application (JRE 1.4.x) that can not only monitor and capture all HTTP and HTTPS data passing between servers and clients, it can also track cookies and form fields and allows you to modify and resend individual requests. It also supports proxy-chaining, filtering and performs intelligent vulnerability scanning.
Paros can be assigned to any ports, the defaults being 8080 for HTTP and 8443 for SSL. Because Paros acts as a "man-in-the-middle" and has to present its own certificate in order to decrypt SSL traffic, your browser will show a certificate validity warning. You can accept the warning each time or import the certificate to suppress it; importing it tells the browser to trust the proxy's certificate, so do that only in a browser profile you use for testing.
As clients request content via Paros, their transactions are tracked. Once that data is logged, Paros offers a scanner function that can scan the Web site hierarchy (or a part of it) for common server misconfigurations.
Currently, Paros checks whether HTTP PUT is allowed, whether directories are indexable, whether obsolete files exist, whether cross-site scripting (XSS) is possible through query parameters, and whether default files for WebSphere and ColdFusion are present. Paros tests exhaustively throughout the hierarchy, which ProofSecure claims makes it "more accurate" than other vulnerability scanners.
The filter feature can detect and alert you to the occurrence of predefined patterns in HTTP messages. The supplied filters include one that logs all accepted cookies and one that logs all HTTP and HTTPS GET and POST queries sent from the client.
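To make the first four checks concrete, here is an added example (written for this column, not Paros's own Java code) that implements them in Python against a constructed in-memory "server", so it runs offline. The probe file name, the XSS marker, the backup suffixes and the host example.test are all assumptions chosen for illustration; a real scanner would swap the constructed server for an HTTP client with the same (method, url, body) signature.

```python
import html
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class Response:
    status: int
    body: str


# (method, url, body) -> Response; a real scanner would wrap an HTTP client here.
Fetch = Callable[[str, str, Optional[str]], Response]

# Hypothetical probe values (not Paros's own). The XSS marker carries HTML
# metacharacters so an unencoded reflection is unambiguous.
XSS_MARKER = '<paros"xss>'
OBSOLETE_SUFFIXES = (".bak", ".old", ".orig", "~")


def _path_only(url: str) -> str:
    """Drop query and fragment so file/directory probes are built from the path."""
    return urlunsplit(urlsplit(url)._replace(query="", fragment=""))


def check_put_allowed(fetch: Fetch, url: str) -> bool:
    """HTTP PUT allowed: try to create a file below the URL; a 2xx means it worked."""
    r = fetch("PUT", _path_only(url).rstrip("/") + "/paros_put_probe.txt", "probe")
    return r.status in (200, 201, 204)


def check_directory_indexable(fetch: Fetch, url: str) -> bool:
    """Directory indexable: requesting the directory returns a listing page."""
    base = _path_only(url)
    r = fetch("GET", base if base.endswith("/") else base + "/", None)
    return r.status == 200 and ("Index of" in r.body or "Directory listing" in r.body)


def check_obsolete_files(fetch: Fetch, url: str) -> list:
    """Obsolete files: editor backups and old copies left beside a live file."""
    base = _path_only(url)
    return [base + s for s in OBSOLETE_SUFFIXES if fetch("GET", base + s, None).status == 200]


def check_reflected_xss(fetch: Fetch, url: str) -> list:
    """XSS on query parameters: inject the marker into each parameter in turn
    and report those whose value comes back in the body unencoded."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    vulnerable = []
    for name in params:
        mutated = dict(params, **{name: [XSS_MARKER]})
        probe = urlunsplit(parts._replace(query=urlencode(mutated, doseq=True)))
        if XSS_MARKER in fetch("GET", probe, None).body:
            vulnerable.append(name)
    return vulnerable


def scan_url(fetch: Fetch, url: str) -> dict:
    """Run every check against one URL; only positive findings are returned."""
    findings = {}
    if check_put_allowed(fetch, url):
        findings["http_put_allowed"] = True
    if check_directory_indexable(fetch, url):
        findings["directory_indexable"] = True
    if old := check_obsolete_files(fetch, url):
        findings["obsolete_files"] = old
    if xss := check_reflected_xss(fetch, url):
        findings["xss_parameters"] = xss
    return findings


def constructed_server(method: str, url: str, body: Optional[str] = None) -> Response:
    """Constructed stand-in for a misconfigured site (not a real host)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    if method == "PUT" and parts.path.startswith("/uploads/"):
        return Response(201, "Created")                       # PUT accepted
    if method != "GET":
        return Response(405, "Method Not Allowed")
    if parts.path == "/uploads/":
        return Response(200, "<title>Index of /uploads</title>")  # listing enabled
    if parts.path == "/search":                                   # reflects q verbatim
        return Response(200, "<p>Results for " + q.get("q", [""])[0] + "</p>")
    if parts.path == "/login":                                    # escapes user
        return Response(200, "<p>Hello " + html.escape(q.get("user", [""])[0]) + "</p>")
    if parts.path == "/config.php.bak":                           # backup left behind
        return Response(200, "<?php $db_pass = 'changeme'; ?>")
    return Response(404, "Not Found")


if __name__ == "__main__":
    for target in ("http://example.test/uploads", "http://example.test/config.php",
                   "http://example.test/search?q=shoes", "http://example.test/login?user=bob"):
        print(target, scan_url(constructed_server, target))
```

The XSS check only asks whether the marker comes back byte-for-byte, which is what "reflected unencoded" means; the /login route shows the negative case, where html.escape turns the metacharacters into entities and the check stays quiet. Note that the file and directory probes are built from the path alone, so a query string on the scanned URL cannot turn into a bogus "/search?q=shoes.bak" probe.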
The current version of Paros (v3.1.3) also includes a beta release of a spidering system to crawl Web sites and gather as many URL links as possible. It supports cookies and proxy chaining, but cannot crawl SSL Web sites with invalid certificates, isn't multi-threaded, will have problems with 'malformed' URLs and will not see URLs generated by JavaScript.
When you click on a logged transaction, Paros displays it separated into its header and body sections. Right-clicking on the transaction reveals a menu that lets you run a security scan on the target URL or re-send the request. Re-sending brings up a new interface that allows you to edit the request and displays the raw results (we would love to see the ability to load the response into a standard browser so that the contents could be seen properly rendered).
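The two features just described, the pattern filters that log cookies and GET/POST queries and the edit-and-resend interface, both come down to parsing a raw HTTP request into header and body sections and then rebuilding it without breaking it. The following is an added Python example (not Paros's Java code) that does exactly that; the sample request, the host shop.example and the cookie and field names in it are constructed for illustration. The one detail that an editor of raw requests must get right is shown in serialize(): after you change a form field, Content-Length has to be recomputed from the new body or the server will read too few or too many bytes.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FORM = "application/x-www-form-urlencoded"


@dataclass
class Request:
    method: str
    target: str      # request-target as sent, e.g. /path?query
    version: str
    headers: list    # (name, value) pairs, order and spelling preserved
    body: bytes

    def header(self, name: str) -> list:
        """All values of one header, matched case-insensitively."""
        return [v for n, v in self.headers if n.lower() == name.lower()]


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    lengths = [v for n, v in headers if n.lower() == "content-length"]
    body = rest[: int(lengths[0])] if lengths else b""   # honour the declared length
    return Request(method, target, version, headers, body)


def serialize(req: Request) -> bytes:
    """Rebuild the raw request, recomputing Content-Length from the actual body
    so an edited message is still well-formed when it is re-sent."""
    out, seen = [], False
    for name, value in req.headers:
        if name.lower() == "content-length":
            if not seen:
                out.append((name, str(len(req.body))))
                seen = True
        else:
            out.append((name, value))
    if not seen and req.body:
        out.append(("Content-Length", str(len(req.body))))
    head = f"{req.method} {req.target} {req.version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in out)
    return head.encode("iso-8859-1") + b"\r\n" + req.body


def _form_pairs(req: Request) -> Optional[list]:
    """Decoded form fields when the body is a urlencoded form, else None."""
    if any(FORM in ct for ct in req.header("Content-Type")):
        return parse_qsl(req.body.decode("iso-8859-1"), keep_blank_values=True)
    return None


# Filters: what a Paros-style pattern filter would log for each request.

def cookie_filter(req: Request) -> list:
    """Every cookie the client presented, as (name, value) pairs."""
    cookies = []
    for header in req.header("Cookie"):
        for pair in header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                cookies.append((name, value))
    return cookies


def query_filter(req: Request) -> dict:
    """GET parameters from the query string and POST fields from a form body."""
    return {"query": parse_qsl(urlsplit(req.target).query, keep_blank_values=True),
            "form": _form_pairs(req) or []}


# Edit and re-send: change one parameter without corrupting the message.

def set_param(req: Request, name: str, value: str) -> Request:
    """Copy of the request with parameter `name` set to `value`: the form body
    is edited when the field lives there, otherwise the query string."""
    form = _form_pairs(req)
    if form is not None and any(n == name for n, _ in form):
        body = urlencode([(n, value if n == name else v) for n, v in form]).encode("iso-8859-1")
        return Request(req.method, req.target, req.version, list(req.headers), body)
    parts = urlsplit(req.target)
    pairs = [(n, value if n == name else v) for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return Request(req.method, urlunsplit(parts._replace(query=urlencode(pairs))),
                   req.version, list(req.headers), req.body)


# Constructed sample request (not captured from any real site).
SAMPLE_POST = (b"POST /account/update?lang=en HTTP/1.1\r\n"
               b"Host: shop.example\r\n"
               b"Cookie: JSESSIONID=ABC123; prefs=dark\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 22\r\n"
               b"\r\n"
               b"user=alice&role=member")


def demo() -> bytes:
    """Parse the sample, show what the filters log, change `role`, rebuild."""
    req = parse_request(SAMPLE_POST)
    print("cookies:", cookie_filter(req))
    print("params:", query_filter(req))
    return serialize(set_param(req, "role", "admin"))


if __name__ == "__main__":
    print(demo().decode("iso-8859-1"))
```

Running it logs the two cookies and the lang/user/role parameters, then emits the re-sendable request with role=admin and Content-Length: 21. The header list is kept as an ordered list of pairs rather than a dict on purpose: an intercepting proxy should forward duplicate and oddly-cased headers exactly as the client sent them, since those details are often what you are trying to test.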
This is quite a technical tool and fantastically useful in diagnosis and analysis. It will give you a deep insight into how your Web applications and their clients are communicating.
Paros Proxy is quite a tool. And it is free.
Mark Gibbs is a consultant, author, journalist, columnist and blogger.