PAROS proxy tool



Table of Contents

  PAROS Features
  Installing PAROS
  Configuring Paros Proxy
  Using PAROS
  Spider with Paros Proxy
  Scanning with Paros Proxy
  Scanning Policy
  Conclusion


Downloaded from http://sites.google.com/site/activexpert or http://activexpert.blog.co.in
PAROS is a program for people who need to evaluate the security of their web
applications. It is free of charge and completely written in Java. Through Paros's
proxy nature, all HTTP and HTTPS data between server and client, including cookies
and form fields, can be intercepted and modified.

Download PAROS: http://www.parosproxy.org/download.shtml


PAROS Features:


Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your
browser. This allows you to investigate things like how cookies are set, redirects
being issued to a browser, and queries sent from the browser to the server. While
Paros includes some automated scanning tools, these are rather weak and Paros
really shows its strength in the hands of a skilled penetration tester who knows what
to look for. We will see how to use all the features available in PAROS in this
document.


Installing PAROS


Ensure Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the
Java Runtime Environment installed, you start the installation by executing the
installation file you downloaded from the Paros Proxy website.

The first screen of the installer is the welcome screen, which lets you know that you
are about to install Paros Proxy. Click "Next" to continue.

You have now installed Paros Proxy. Click "Finish" to exit the installer.


Configuring Paros Proxy

Start the PAROS proxy tool.

Go to Tools → Options

The local proxy settings control what address and port Paros should listen on for
incoming connections. Remember to configure your web browser to match these
settings.

So, now that Paros is running, let's set up our browser to use Paros as a proxy.
Paros, by default, listens on port 8080 for proxy connections. In this example we're
going to configure Firefox 3 to use Paros as a proxy. To do this we go to the 'Tools'
menu and select 'Options'. Next you want to click on the 'Advanced' icon and select
the 'Network' tab:

Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new
window titled 'Connection Settings'. You want to select 'Manual proxy configuration'
and set your proxy to 'localhost' on port 8080:

Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros'
blank interface will begin to fill up with information.


Using PAROS


The main interface is divided into 3 sections:

       1.  On the top-left you have the sites/directory/page tree view. As you browse
           pages you will notice that more and more items are added to this section.
       2.  On the top-right you have the section that allows you to inspect, intercept
           and modify the sent and received data.
       3.  On the bottom you have the request/response history of any request being
           made while using Paros. Please note that by default image requests are not
           displayed in the history view. It also contains the Spider results, any
           alerts from various filters and finally the output of the alerted page.


Now access your website (the one you want to test).

When you want to intercept requests you just go to the "Trap" tab and check the
"Trap request" checkbox (and if you want to intercept responses from the server
you check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is
modifiable. Just modify the request parameters or other data and click "Continue" to
send the modified request to the server.

POST requests are displayed in both the header and the body section of the
interface, both of which are modifiable. Just modify the request parameters or other
data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just
modify the cookie details and click "Continue" to send the modified request to the
server.

Let's say I want to re-submit the form but try some other values. To do this I don't
even need to leave Paros. I can simply right click the row in the bottom frame and
select 'Resend':

Selecting this option brings up a new box that summarizes all the data that is going
to be sent on the form submission. The nice thing about this summary data is that it
can be manipulated before we send it. Change the parameters you want to test and
send the request. You'll notice that the popup window switches over to the
'Response' tab, which includes not only the header data from the form request, but
also the HTML that you get back.

Using Paros we can examine cookies, form fields and other data, modify that data on
the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL
injection vulnerabilities in hard to reach areas of HTTP communications like cookies
or HTTP headers.
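The trap-and-modify flow described above, as an added example in Python (this is not code from Paros or from the original document): a minimal intercepting proxy. A browser pointed at localhost:8080 sends its requests to the proxy with the absolute URL on the request line; the proxy runs each request through a `trap_request()` hook that rewrites a cookie and a form field the way you would by hand in the Trap pane, forwards it, records it in a history list like the bottom pane, and hands the origin's response back. The echo origin server, the `role` cookie, the `comment` field, the probe string and the loopback ports are all constructed for the example.

```python
# Added example, not Paros code: a minimal intercepting proxy. Each request passes
# through trap_request() (the Trap pane, done in code) and is logged to HISTORY
# (the bottom pane). Origin server, cookie and form-field names are constructed.
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

STRIP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding",
         "content-length", "date", "server"}   # regenerated per hop, never copied
HISTORY = []   # (method, url, status) for every request that went through the proxy

def trap_request(method, url, headers, body):
    """Trap pane in code: escalate the constructed 'role' cookie, put an XSS probe in 'comment'."""
    headers = dict(headers)
    names = {k.lower(): k for k in headers}       # keep the client's header casing
    if "cookie" in names:
        jar = dict(p.strip().split("=", 1) for p in headers[names["cookie"]].split(";"))
        jar["role"] = "admin"
        headers[names["cookie"]] = "; ".join(f"{k}={v}" for k, v in jar.items())
    ctype = headers.get(names.get("content-type", ""), "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        form["comment"] = "<script>alert(1)</script>"
        body = urlencode(form).encode()
    return method, url, headers, body

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *_):      # keep the demo's output clean
        pass

class Proxy(Quiet):
    """Takes 'GET http://host/path HTTP/1.1' from the browser and forwards it."""
    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in STRIP}
        method, url, headers, body = trap_request(self.command, self.path, headers, body)
        parts = urlsplit(url)
        upstream = HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        upstream.request(method, parts._replace(scheme="", netloc="").geturl() or "/",
                         body, headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()
        HISTORY.append((method, url, resp.status))
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in STRIP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _forward

class EchoOrigin(Quiet):
    """Constructed stand-in for the site under test: echoes what it received as JSON."""
    def _echo(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode() if length else ""
        out = json.dumps({"method": self.command, "path": self.path,
                          "cookie": self.headers.get("Cookie", ""), "body": body}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    do_GET = do_POST = _echo

def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)   # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def via_proxy(proxy_port, method, url, headers=None, body=None):
    """What a browser pointed at localhost:<proxy_port> does: absolute URL on the request line."""
    conn = HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request(method, url, body, {"Host": urlsplit(url).netloc, **(headers or {})})
    data = json.loads(conn.getresponse().read())
    conn.close()
    return data

def demo():
    """Start origin and proxy on loopback, send a GET and a POST through, return what the origin saw."""
    origin, proxy = serve(EchoOrigin), serve(Proxy)
    base = f"http://127.0.0.1:{origin.server_address[1]}"
    get = via_proxy(proxy.server_address[1], "GET", base + "/account?id=7",
                    {"Cookie": "sid=abc; role=user"})
    post = via_proxy(proxy.server_address[1], "POST", base + "/post",
                     {"Content-Type": "application/x-www-form-urlencoded"},
                     b"title=hi&comment=hello")
    for srv in (origin, proxy):
        srv.shutdown()
        srv.server_close()
    post["form"] = {k: v[0] for k, v in parse_qs(post["body"]).items()}
    return get, post
```

Calling `demo()` shows the origin receiving `role=admin` and the probe in `comment` although the client sent `role=user` and `comment=hello`, which is exactly what the Trap pane lets you do by hand. Resend is the same mechanism applied to an entry already in the history: take the recorded request, edit its fields, and put it back through the same forwarding path. Header names are compared case-insensitively because clients differ in how they capitalize them, and hop-by-hop headers are dropped and regenerated on each leg rather than copied through.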


Spider with Paros Proxy

The Spider is used to crawl websites and gather as many URL links as possible. This
allows you to have a better understanding of the website hierarchy tree in a short
time before manual navigation. Currently, the "Spider" function is in beta version. Its
functionalities include:

      •  Crawl HTTP and HTTPS websites based on a given URL, e.g.
         http://www.example.com or https://www.example.com
      •  Support cookies
      •  Support proxy chaining, which is set at the <Proxy Chain> field in the Options
         tab (but setting the <Skip> field has no effect on the spider)
      •  Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

      •  SSL websites with an invalid certificate cannot be crawled
      •  Multi-threading not supported
      •  Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by JavaScript cannot be found using this spider. Those URLs,
however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (Sites); the site should already have been
browsed from the browser.

Go to Analyse → Spider


Scanning with Paros Proxy

The scanner function is to scan the server based on the website hierarchy (the tree
on the left panel). It can check if there is any server misconfiguration. An automatic
web scanner may not be able to find out the paths and check if there exist any
backup files (.bak) which could expose server information. In order to use this
function, you need to navigate the website first. After you log on to a website and
navigate it, a website hierarchy tree will be built by Paros automatically. Then you
can do the following things:

       •  If you want to scan all websites on the tree, you can then click on the menu
          item "Tree" → "Scan All" to trigger the scanning.
       •  If you just want to scan one website on the tree, you can click on that site in
          the tree panel and click the menu item "Tree" → "Scan selected Node" (you can
          also right-click on the tree view and choose the options).

Currently, Paros has the following checks:

       •  HTTP PUT allowed − check if the PUT method is enabled on server directories
       •  Directory indexable − check if the server directories are browsable.
       •  Obsolete files existed − check if there exist obsolete files at
       •  Cross-site scripting − check if cross-site scripting (XSS) is allowed on the
          query parameters
       •  Default files on WebSphere server − check if default files exist on the
          WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That
means the scanner will check each URL for each vulnerability.
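To make the check list concrete, here is an added example (not Paros' scanner code) of three of those checks in Python, written against a `fetch(method, url, body=None)` callable returning `(status, body)`, so the same functions run against the constructed in-memory target here and a real HTTP client in the field: HTTP PUT allowed, obsolete backup files beside each tree node, and reflected XSS in each query parameter. The backup suffix list, the probe file name, the probe string, and the fake site (which accepts PUT under `/uploads/`, has `/config.php.bak` lying about, and reflects `/search?q=` unescaped while `/greet?name=` escapes properly) are assumptions made for the example.

```python
# Added example, not Paros' scanner: three of the checks above written against a
# fetch(method, url, body=None) -> (status, body) callable. The target is constructed.
import html
from urllib.parse import parse_qsl, urlencode, urlsplit

BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")   # assumed list
PUT_PROBE_NAME = "paros_put_probe.txt"             # assumed file name
XSS_PROBE = '<script>alert("paros")</script>'      # assumed probe string

def check_put_allowed(url, fetch):
    """HTTP PUT allowed: try to create a small file in the directory holding url."""
    parts = urlsplit(url)
    directory = parts.path.rsplit("/", 1)[0] + "/"
    target = parts._replace(path=directory + PUT_PROBE_NAME, query="", fragment="").geturl()
    status, _ = fetch("PUT", target, b"probe")
    return status in (200, 201, 204)

def check_obsolete_files(url, fetch):
    """Obsolete files: look for backup copies beside a file node (directories skipped)."""
    parts = urlsplit(url)
    if parts.path.endswith("/"):
        return []
    base = parts._replace(query="", fragment="").geturl()
    return [base + s for s in BACKUP_SUFFIXES if fetch("GET", base + s)[0] == 200]

def check_reflected_xss(url, fetch):
    """Cross-site scripting on query parameters: replace each parameter in turn with
    the probe and report it if the probe comes back verbatim (i.e. not HTML-encoded)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = []
    for i, (name, _) in enumerate(params):
        probed = params[:i] + [(name, XSS_PROBE)] + params[i + 1:]
        _, body = fetch("GET", parts._replace(query=urlencode(probed)).geturl())
        if XSS_PROBE in body:
            hits.append(name)
    return hits

def scan_tree(urls, fetch):
    """'Scan All': every check against every URL in the hierarchy tree."""
    report = {}
    for url in urls:
        alerts = []
        if check_put_allowed(url, fetch):
            alerts.append("HTTP PUT allowed")
        alerts += ["Obsolete file: " + f for f in check_obsolete_files(url, fetch)]
        alerts += ["Cross-site scripting in parameter " + p
                   for p in check_reflected_xss(url, fetch)]
        report[url] = alerts
    return report

def fake_fetch(method, url, body=None):
    """Constructed target: /uploads/ accepts PUT, /config.php.bak was left on the
    server, /search reflects q unescaped, /greet escapes name properly."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method == "PUT":
        return (201, "") if parts.path.startswith("/uploads/") else (405, "")
    if parts.path == "/config.php.bak":
        return 200, "<?php $db_password = 'constructed'; ?>"
    if parts.path == "/search":
        return 200, f"<p>Results for {query.get('q', '')}</p>"
    if parts.path == "/greet":
        return 200, f"<p>Hello {html.escape(query.get('name', ''))}</p>"
    if parts.path in ("/", "/uploads/", "/config.php"):
        return 200, "<html>ok</html>"
    return 404, "Not found"

SAMPLE_TREE = ["http://app.example/", "http://app.example/uploads/",
               "http://app.example/config.php", "http://app.example/search?q=test",
               "http://app.example/greet?name=bob"]

def scan_sample():
    return scan_tree(SAMPLE_TREE, fake_fetch)

if __name__ == "__main__":
    for url, alerts in scan_sample().items():
        print(url, "->", alerts or "clean")
```

Two of these checks are active and leave traces: the PUT probe creates a file on any server that permits it, and the probe string lands in the target's logs, so run them only against systems you are authorized to test. "Scan selected Node" is the same loop over a single URL from the tree, and the reflected-XSS check reports only parameters that echo the probe byte-for-byte, so a page that encodes `<` and `>` but not quotes is not flagged by it (that case is what the "without brackets" policy check described later is for).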




Paros can also save and reload sessions. This is a great tool if you need to do
exploration at one point and then later do analysis, or if you want to compare two
scan sessions. Paros also allows you to save all the reports it produces for later
examination or inclusion in a broader analysis report.

Scanning Policy


Information gathering

"Obsolete file" looks for backup copies of known files of the server.

"Private IP disclosure" looks for references to internal IP addresses within the pages
as well as in error messages.

"Session ID in URL rewrite"

"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow
themselves to be saved in the browser.

"Secure page browser cache" looks for secure (https) pages which allow themselves
to be stored in the browser cache.

Server security

"Directory browsing" looks for directories which disclose the files inside them.

"IIS default file" looks for default IIS (Internet Information Services) files.

"ColdFusion default file" looks for default ColdFusion files.

"Macromedia JRun default files" looks for default Macromedia JRun files.

"Tomcat source file disclosure"

"BEA WebLogic example files" looks for default BEA WebLogic files.

"IBM WebSphere default files" looks for default IBM WebSphere files.

"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab...

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields
and looks for responses that match SQL error messages.

"CRLF injection"

"Server side include"

"Cross site scripting" tries to inject cross site scripting strings into input fields and
looks for their presence in the responding page.

"Cross site scripting without brackets" tries to inject cross site scripting strings into
input fields and looks for their presence in the responding page, except it doesn't
inject the "<" and ">" brackets in the test strings.

"Parameter tampering"

"SQL Injection"

"MS SQL Injection Enumeration"


Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application
security professional. However, Paros' capabilities extend beyond security and argue
for its use by web developers as well. Paros can easily mangle requests, but it also
does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an
excellent tool for tracking down the cause of a web server infinite redirect loop, or a
cookie misconfiguration, or another elusive problem that can drive you mad if you're
only armed with a web browser. Of course, the same ease with which Paros can
examine and manipulate legitimate traffic allows penetration testers to use Paros to
manipulate traffic in malicious ways. Paros is a great tool for blind penetration
testing or developing proof of concept web application exploits.

Paros' cross platform nature also argues for its value. Learning to use Paros doesn't
tie you to any particular operating system or platform. Paros can be used in
conjunction with any browser, and works great along with Firefox and plugins like
Tamper Data or Web Developer. Overall I find Paros is one of those easy tools I reach
for more often over time and I think it would make a valuable addition to any web
developer's or application tester's arsenal.


eTwinning Calendar 2012eTwinning Calendar 2012
eTwinning Calendar 2012user1234
 
Portuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, PortugalPortuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, Portugaluser1234
 
La higiene en la preparació dels aliments
La higiene en la preparació dels alimentsLa higiene en la preparació dels aliments
La higiene en la preparació dels alimentscguiu2
 
Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Laura Hampton
 
Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?AS Media Column D
 
Trabajo de miki y èdro
Trabajo de miki y èdroTrabajo de miki y èdro
Trabajo de miki y èdroaggono
 
Clase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaClase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaUniversidad Libre
 

Destaque (15)

Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01Nb688 alc san reglam rt 01
Nb688 alc san reglam rt 01
 
Experiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9AExperiences, by Diana Nog. & Vanda, 9A
Experiences, by Diana Nog. & Vanda, 9A
 
Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)Invitación 16 ideas para vivir de manera 16 (1)
Invitación 16 ideas para vivir de manera 16 (1)
 
eTwinning Calendar 2012
eTwinning Calendar 2012eTwinning Calendar 2012
eTwinning Calendar 2012
 
Portuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, PortugalPortuguese team from EB São Domingos, Covilhã, Portugal
Portuguese team from EB São Domingos, Covilhã, Portugal
 
La higiene en la preparació dels aliments
La higiene en la preparació dels alimentsLa higiene en la preparació dels aliments
La higiene en la preparació dels aliments
 
Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016Skydive Langar Christmas Party and Awards 2016
Skydive Langar Christmas Party and Awards 2016
 
My Audience Profile
My Audience ProfileMy Audience Profile
My Audience Profile
 
Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?Where is Indie Pop in the Charts?
Where is Indie Pop in the Charts?
 
Processor grafxtron
Processor grafxtronProcessor grafxtron
Processor grafxtron
 
Clase 3. alcantarillado sanitario
Clase 3.  alcantarillado sanitarioClase 3.  alcantarillado sanitario
Clase 3. alcantarillado sanitario
 
Trabajo de miki y èdro
Trabajo de miki y èdroTrabajo de miki y èdro
Trabajo de miki y èdro
 
El proceso de redaccion
El proceso de redaccionEl proceso de redaccion
El proceso de redaccion
 
Lectura de planos2
Lectura de planos2Lectura de planos2
Lectura de planos2
 
Clase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográficaClase 7. la cuenca hidrográfica
Clase 7. la cuenca hidrográfica
 

PAROS proxy tool

Download PAROS: http://www.parosproxy.org/download.shtml

PAROS Features:

Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak, and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for. We will see how to use all the features available in PAROS in this document.

Installing PAROS

Ensure that the Java Runtime Environment (JRE) 1.4 (or above) is installed. Once you have the Java Runtime Environment installed, start the installation by executing the installation file you downloaded from the Paros Proxy website.

The first screen of the installer is the welcome screen, which lets you know that you are about to install Paros Proxy. Click "Next" to continue.

You have now installed Paros Proxy. Click "Finish" to exit the installer.

Configuring Paros Proxy

Start the PAROS proxy tool and go to Tools → Options. The local proxy settings control what address and port Paros should listen on for incoming connections. Remember to configure your web browser to match these settings.

So, now that Paros is running, let's set up our browser to use Paros as a proxy. Paros, by default, listens on port 8080 for proxy connections. In this example we're going to configure Firefox 3 to use Paros as a proxy. To do this we go to the 'Tools' menu and select 'Options'. Next you want to click on the 'Advanced' icon and select the 'Network' tab.

Now click on the 'Settings' button in the 'Connection' frame. This will bring up a new window titled 'Connection Settings'. Select 'Manual proxy configuration' and set your proxy to 'localhost' on port 8080.

Click 'OK' to close all the windows. Now you'll notice that whenever you browse, Paros' blank interface will begin to fill up with information.

Using PAROS

The main interface is divided into 3 sections:

1. On the top-left you have the sites/directory/page tree view. As you browse pages you will notice that more and more items are added to this section.
2. On the top-right you have the section that allows you to inspect, intercept and modify the sent and received data.
3. On the bottom you have the request/response history of any request being made while using Paros. Please note that by default image requests are not displayed in the history view. It also contains the Spider results, any alerts from various filters and finally the output of the alerted page.

Now access the website which you want to test.

When you want to intercept requests, go to the "Trap" tab and check the "Trap request" checkbox (and if you want to intercept responses from the server, check the "Trap response" checkbox).

GET requests are displayed in the header section of the interface, which is modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

POST requests are displayed in both the header and the body section of the interface, both of which are modifiable. Just modify the request parameters or other data and click "Continue" to send the modified request to the server.

Cookies are displayed in the header section of the interface, which is modifiable. Just modify the cookie details and click "Continue" to send the modified request to the server.
Let's say I want to re-submit the form but try some other values. To do this I don't even need to leave Paros. I can simply right-click the row in the bottom frame and select 'Resend'.

Selecting this option brings up a new box that summarizes all the data that is going to be sent on the form submission. The nice thing about this summary data is that it can be manipulated before we send it. Change the parameters you want to test and send the request. You'll notice that the popup window switches over to the 'Response' tab, which includes not only the header data from the form request, but also the HTML that you get back.
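The Trap and Resend steps above edit the same three places in a request: the query string in the request line, the form-encoded body, and the Cookie header. The following Python is an added example, not code from this document or from the Paros project: it splits a constructed request the way the header and body panes do, lets you edit those three places, and rebuilds the bytes that would go to the server when you click "Continue". The sample request, its host, cookie names and field names are all made up for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample request, the kind an intercepting proxy listening on
# localhost:8080 would trap from the browser (not captured from a real site).
SAMPLE_POST = (
    b"POST /login?next=%2Faccount HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: sessionid=abc123; theme=light\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=secret"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the pieces the proxy shows in its
    header and body panes: request line, headers, query string, cookies and,
    for a form-encoded POST, the form fields (None for other bodies)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []                                   # (name, value), order kept
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    content_type = next((v for n, v in headers if n.lower() == "content-type"), "")
    cookies = SimpleCookie()
    cookies.load(next((v for n, v in headers if n.lower() == "cookie"), ""))
    parts = urlsplit(target)
    form = None
    if content_type.startswith("application/x-www-form-urlencoded"):
        form = dict(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    return {
        "method": method, "path": parts.path, "version": version,
        "headers": headers,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "cookies": {k: m.value for k, m in cookies.items()},
        "form": form, "body": body,
    }


def serialize(req: dict) -> bytes:
    """Re-encode a (possibly edited) request the way the proxy does on
    "Continue": query string, Cookie header and form body are rebuilt from
    the edited fields and Content-Length is recomputed for the new body."""
    target = urlunsplit(("", "", req["path"], urlencode(req["query"]), ""))
    body = req["body"]
    if req["form"] is not None:
        body = urlencode(req["form"]).encode("iso-8859-1")
    out = [f"{req['method']} {target} {req['version']}"]
    for name, value in req["headers"]:
        if name.lower() == "cookie":
            value = "; ".join(f"{k}={v}" for k, v in req["cookies"].items())
        elif name.lower() == "content-length":
            value = str(len(body))
        out.append(f"{name}: {value}")
    return "\r\n".join(out).encode("iso-8859-1") + b"\r\n\r\n" + body


def resend_with_edits(raw: bytes) -> bytes:
    """Mirror the Trap/Resend workflow: change a query parameter, a form
    field and a cookie, then rebuild the request that would reach the server."""
    req = parse_request(raw)
    req["query"]["next"] = "/settings"
    req["form"]["username"] = "bob"
    req["cookies"]["theme"] = "dark"
    return serialize(req)
```

The round trip `serialize(parse_request(SAMPLE_POST))` reproduces the original bytes, so any difference after editing is exactly the change you made. The defender's point is the one the proxy makes visible: every one of these fields, cookies and hidden form values included, is written by the client and can be rewritten before it arrives, so server-side validation must treat all of them as untrusted input.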
Using Paros we can examine cookies, form fields and other data, modify that data on the fly and resubmit it. This is wonderful for doing things like testing for XSS or SQL injection vulnerabilities in hard-to-reach areas of HTTP communications like cookies or HTTP headers.

Spider with Paros Proxy

The Spider is used to crawl websites and gather as many URL links as possible. This allows you to have a better understanding of the website hierarchy tree in a short time before manual navigation. Currently, the "Spider" function is in beta version. Its functionalities include:

• Crawl HTTP and HTTPS websites based on a given URL, e.g. http://www.example.com or https://www.example.com
• Support cookies
• Support proxy chaining, which is set at the <Proxy Chain> field in the Option tab (but setting the <Skip> field has no effect on the spider)
• Automatically add URL links to the website hierarchy tree for later scanning.

As it is just a simple spider, it has the following limitations:

• SSL websites with an invalid certificate cannot be crawled
• Multi-threading is not supported
• Some 'malformed' URLs in HTML pages cannot be recognized

Also, URLs generated by JavaScript cannot be found using this spider. Those URLs, however, can be found and added to the hierarchy tree through manual navigation.

First select the site from the left panel (Sites) [the site should already have been browsed from the browser]. Then go to Analyse → Spider.
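To make the hierarchy tree and the JavaScript limitation concrete, here is an added example in Python; it is not the Paros Spider's code, only a small same-host crawler that behaves the way the list above describes. It runs against a constructed in-memory site (the host, pages and links are made up for the example) instead of making HTTP requests, extracts anchors from HTML, stays on the starting host, and nests what it finds into a host/directory/page tree like the Sites panel. A URL that only appears inside a script is never visited, which is exactly the gap manual navigation has to fill.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed in-memory site standing in for real HTTP fetches; the pages
# and links are made up for this example.
SITE = {
    "http://www.example.com/": (
        '<a href="/about">About</a> <a href="/docs/">Docs</a>'
        '<a href="http://other.example.org/">Partner</a>'
        '<script>document.location = "/js-only/";</script>'),
    "http://www.example.com/about": '<a href="/">Home</a> <a href="contact?lang=en">Contact</a>',
    "http://www.example.com/contact?lang=en": "<p>Contact form</p>",
    "http://www.example.com/docs/": '<a href="guide.html#top">Guide</a> <a href="/docs/">Self</a>',
    "http://www.example.com/docs/guide.html": '<a href="../about">About</a>',
    "http://www.example.com/js-only/": "<p>Only reachable through the script above</p>",
}


class LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags. Script bodies are plain text to the
    parser, so a URL assembled in JavaScript is never seen as a link."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(base_url, html):
    """Return absolute, fragment-free URLs linked from the page."""
    parser = LinkExtractor()
    parser.feed(html)
    return [urldefrag(urljoin(base_url, h)).url for h in parser.hrefs]


def crawl(start_url, fetch, max_pages=100):
    """Breadth-first crawl that stays on the start URL's host and queues each
    URL once; returns the visited URLs in crawl order. `fetch(url)` returns
    the page body or None (here it is a dict lookup, not a network call)."""
    host = urlsplit(start_url).netloc
    queue, seen, visited = deque([start_url]), {start_url}, []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        html = fetch(url)
        if html is None:
            continue
        visited.append(url)
        for link in extract_links(url, html):
            if urlsplit(link).netloc == host and link not in seen:
                seen.add(link)
                queue.append(link)
    return visited


def build_tree(urls):
    """Nest crawled URLs into a host/directory/page tree like the Sites
    panel; query strings are dropped, so /contact?lang=en becomes 'contact'."""
    tree = {}
    for url in urls:
        parts = urlsplit(url)
        node = tree.setdefault(parts.netloc, {})
        for segment in parts.path.strip("/").split("/"):
            if segment:
                node = node.setdefault(segment, {})
    return tree


def spider_example():
    """Crawl the constructed site from its root."""
    return crawl("http://www.example.com/", SITE.get)
```

`build_tree(spider_example())` gives `{"www.example.com": {"about": {}, "docs": {"guide.html": {}}, "contact": {}}}`; `/js-only/` is missing from it, and the off-host partner link is deliberately not followed. Swapping the dict lookup for a real fetch function would turn this into a crawler, but the scope rule (same host only) and the one-visit-per-URL set are what keep even a simple spider from wandering or looping.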
Scanning with Paros Proxy

The scanner function scans the server based on the website hierarchy (the tree on the left panel). It can check if there is any server misconfiguration. An automatic web scanner may not be able to find out the paths and check if there exist any backup files (.bak) which could expose server information.

In order to use this function, you need to navigate the website first. After you log on to a website and navigate it, a website hierarchy tree will be built by Paros automatically. Then you can do the following things:

• If you want to scan all websites on the tree, click on the menu item "Tree" → "Scan All" to trigger the scanning.
• If you just want to scan one website on the tree, click on that site in the tree panel and click the menu item "Tree" → "Scan selected Node" (you can also right-click on the tree view and choose the options).

Currently, Paros has the following checks:

• HTTP PUT allowed − check if the PUT option is enabled at server directories
• Directory indexable − check if the server directories are browsable
• Obsolete files existed − check if there exist obsolete files at
• Cross-site scripting − check if cross-site scripting (XSS) is allowed on the query parameters
• Default files on WebSphere server − check if default files exist on the WebSphere server

Note that all the above checks are based on the URLs in the website hierarchy. That means the scanner will check each URL for each vulnerability.

Paros can also save and reload sessions. This is a great tool if you need to do exploration at one point and later do analysis, or if you want to compare two scan sessions. Paros also allows you to save all the reports it produces for later examination or inclusion in a broader analysis report.

Scanning Policy

Information gathering

"Obsolete file" looks for backup copies of known files on the server.
"Private IP disclosure" looks for references to internal IP addresses within the pages as well as in error messages.
"Session ID in URL rewrite"
"Obsolete file extended check"

Client browser

"Password Autocomplete in browser" looks for password fields which allow them to be saved in the browser.
"Secure page browser cache" looks for secure (https) pages which allow themselves to be stored in the browser cache.

Server security

"Directory browsing" looks for directories which disclose the files inside them.
"IIS default file" looks for default IIS (Internet Information Services) files.
"ColdFusion default file" looks for default ColdFusion files.
"Macromedia JRun default files" looks for default Macromedia JRun files.
"Tomcat source file disclosure"
"BEA WebLogic example files" looks for default BEA WebLogic files.
"IBM WebSphere default files" looks for default IBM WebSphere files.
"Lotus Domino default files" looks for default Lotus Domino files.

Miscellaneous

There are no settings under this tab.

Injection

"SQL Injection Fingerprinting" sends common SQL injection strings into input fields and looks for responses that match SQL error messages.
"CRLF injection"
"Server side include"
"Cross site scripting" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page.
"Cross site scripting without brackets" tries to inject cross site scripting strings into input fields and looks for their presence in the responding page, except it doesn't inject the "<" and ">" brackets in the test strings.
"Parameter tampering"
"SQL Injection"
"MSSQL Injection Enumeration"
Conclusion

Paros is a wonderful tool and should definitely be familiar to any web application security professional. However, Paros' capabilities extend beyond security and argue for its use by web developers as well. Paros can easily mangle requests, but it also does a wonderful job of inspecting HTTP traffic and identifying problems. Paros is an excellent tool for tracking down the cause of a web server infinite redirect loop, a cookie misconfiguration, or another elusive problem that can drive you mad if you're only armed with a web browser.

Of course, the same ease with which Paros can examine and manipulate legitimate traffic allows penetration testers to use Paros to manipulate traffic in malicious ways. Paros is a great tool for blind penetration testing or developing proof-of-concept web application exploits.

Paros' cross-platform nature also argues for its value. Learning to use Paros doesn't tie you to any particular operating system or platform. Paros can be used in conjunction with any browser, and works great along with Firefox and plugins like Tamper Data or Web Developer.

Overall I find Paros is one of those easy tools I reach for more often over time, and I think it would make a valuable addition to any web developer's or application tester's arsenal.