Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Tuesday, May 31, 2011

Web Parameter Tampering

Paros is one of the tools most frequently used by application penetration testers. It is an intercepting proxy that sits between the browser and the web server: every request from the browser to the web server, and every response from the web server back to the browser, flows through it.
Using this tool, the tester can manipulate the parameters exchanged between client and server in order to modify application data such as user credentials and permissions, or the price and quantity of products. This information is usually carried in cookies, hidden form fields, or URL query strings, and is used to extend application functionality and control.
The tool can perform the SSL negotiation with the certificate server and show the encrypted traffic in clear text. It can also spider the application and scan it for certain kinds of vulnerabilities.
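The risk described above (a server that trusts a client-supplied price, quantity or role) and the server-side controls that remove it, as an added Python example that is not part of the original post. The catalogue, role value, signing key and form contents are constructed for the demonstration, and the HMAC scheme is one illustrative mitigation for state that must travel in a cookie or hidden field; none of this is Paros functionality.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalogue: the only trusted source of prices.
CATALOGUE = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("5.00"),
}

# Constructed demo key for signing client-held state; a real key is
# generated at random and kept server-side.
SECRET_KEY = b"constructed-demo-key"


def total_trusting_client(form: dict) -> Decimal:
    """Vulnerable pattern: the price arrives in a hidden form field and is
    used as-is, so a request edited in a proxy sets its own price."""
    return Decimal(form["price"]) * int(form["qty"])


def total_server_side(form: dict) -> Decimal:
    """Hardened pattern: the client only names the product and quantity;
    the price is looked up server-side and the quantity is range-checked."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def sign_value(value: str) -> str:
    """Attach an HMAC so state that must travel via cookie or hidden field
    (e.g. a role) can be checked for modification when it comes back."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(token: str):
    """Return the value if its MAC checks out, otherwise None (tampered)."""
    value, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def tampered_form() -> dict:
    """Constructed request body after the hidden price field was edited:
    the product really costs 49.99 but the client now claims 0.01."""
    return {"sku": "sku-100", "price": "0.01", "qty": "3"}


if __name__ == "__main__":
    form = tampered_form()
    print("trusting client:", total_trusting_client(form))  # 0.03
    print("server-side:    ", total_server_side(form))      # 149.97
    cookie = sign_value("role=user")
    # Constructed forgery: the value was changed but the MAC was not.
    forged = "role=admin." + cookie.rpartition(".")[2]
    print("genuine cookie:", verify_value(cookie))
    print("forged cookie: ", verify_value(forged))
```

The server-side lookup is the primary control: nothing the browser sends about price or permissions is believed. Signing is the fallback for values that genuinely must round-trip through the client, and it only detects modification; it does not hide the value, so anything secret still belongs in the server-side session.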

To run the tool successfully you have to configure the proxy setting both in the tool and in the browser. By default the tool listens on port “8080”, so set the proxy IP to “localhost” or “” and the port number to “8080” in the browser's proxy settings, and set the same values in the "Local Proxy" window of Paros.

If you access the internet through a proxy server, then to use this tool against any internet application you have to enter the proxy server's IP address and authentication credentials in the Connection window of Paros.

