NETWORK WORLD NEWSLETTER: MARK GIBBS ON WEB APPLICATIONS 11/08/04 Today's focus: Paros provides a diagnostic proxy
Dear [EMAIL PROTECTED],

In this issue:
* Paros Proxy
* Links related to Web Applications
* Featured reader resource

_______________________________________________________________
This newsletter is sponsored by AVAYA
SUPERCHARGE YOUR CONTACT CENTER TODAY
Avaya offers unique, compelling and profitable applications for contact centers. Our voice server consolidation reduces capital expenditures and virtual site consolidation increases staffing efficiency. Customer calls are connected to the right resource the first time. Download our Free Best Practice White Paper at avaya.com/driverevenue.
http://www.fattail.com/redir/redirect.asp?CID=86127
_______________________________________________________________
SECURITY SUMMIT: CAN SECURITY BE A COMPETITIVE EDGE?
Recently 23 prominent IT executives and academics gathered at Dartmouth College in Hanover, NH for a daylong roundtable to address such questions. CIOs and VPs from some of the largest and most well-known companies in the US shared with peers their security fears, goals, frustrations and challenges. Find out more:
http://www.fattail.com/redir/redirect.asp?CID=87875
_______________________________________________________________

Today's focus: Paros provides a diagnostic proxy
By Mark Gibbs

Web applications have gone from being a novelty to becoming the meat and potatoes of many IT diets. But as we build ever more complex Web application infrastructures we need new tools to help us understand how the flow of communications really works. We also need to look for security problems because, like any other new technology, Web applications present us with new risks.

I just found a terrific tool for tracking Web application traffic and checking Web application integrity: Paros Proxy, published by ProofSecure.com (see editorial links below).
Paros Proxy - or simply "Paros" - is a Java application (it requires JRE 1.4.x) that sits between your browser and the Web server. It not only monitors and captures all HTTP and HTTPS data passing between clients and servers, it also tracks cookies and form fields and lets you modify and resend individual requests. It supports proxy chaining and filtering as well, and performs vulnerability scanning. Paros can listen on any ports you choose; the defaults are 8080 for HTTP and 8443 for SSL.

Because Paros acts as a "man-in-the-middle", it terminates each SSL connection itself and presents the browser with its own certificate rather than the server's, so your browser will show a certificate validity warning. You need to accept the certificate or import it to suppress the warning. Two things to keep in mind: importing the certificate tells the browser to trust anything signed with it, so do that only in a browser profile you use for testing; and the warning you see is about Paros's certificate, not the server's, so if the validity of the real server's certificate is something you need to verify, check it separately.

As clients request content via Paros, their transactions are logged. Once that data is logged, Paros offers a scanner function that walks the logged Web site hierarchy (or part of it) looking for common server misconfigurations. Currently Paros checks whether HTTP PUT is allowed, whether directories are indexable, whether obsolete files exist, whether cross-site scripting (XSS) is possible through the query parameters, and whether default files for WebSphere and ColdFusion are present. Paros tests exhaustively throughout the hierarchy, which ProofSecure claims makes it "more accurate" than other vulnerability scanners. The scanner works by sending requests of its own to the site, so point it only at sites you are authorized to test.

The filter feature detects predefined patterns in HTTP messages and alerts you when they occur. The supplied filters include one that logs every cookie the client accepts and one that logs every HTTP and HTTPS GET and POST query the client sends.

The current version of Paros (v3.1.3) also includes a beta release of a spider that crawls Web sites and gathers as many URL links as it can. It supports cookies and proxy chaining, but it cannot crawl SSL Web sites whose certificates are invalid, it is not multi-threaded, it has problems with malformed URLs, and it will not see URLs generated by JavaScript. That last limitation matters for the scanner: any part of a site that is reachable only through script-built links will be absent from the logged hierarchy, and therefore from the scan, unless you browse to it by hand first.

When you click on a logged transaction, Paros displays it split into its header and body sections.
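To make the filter and scanner features above concrete, here is an added example (my own code for this column, not Paros's; ProofSecure's implementation is not published here). It parses raw HTTP messages, applies the two supplied-filter behaviours the column describes (log GET/POST queries, log cookies set on the client), and runs three of the scanner checks (HTTP PUT allowed, directory indexable, reflected XSS through a query parameter) against a constructed in-memory stand-in for a Web site, so it runs offline. The `fake_server` function, the `PROBE` marker string and the paths `/search`, `/safe`, `/docs/` and `/upload/` are all assumptions made for the example; the obsolete-file and default-file checks are not shown.

```python
"""Passive filters and active checks over HTTP transactions, in the spirit
of the Paros features described above. Added example, not Paros code."""
import html
import re
from urllib.parse import parse_qsl, urlencode

PROBE = "<paros-probe>"  # assumed marker string; any unlikely tag would do


def parse_message(raw):
    """Split a raw HTTP request or response into (start line, headers, body).

    Header names are lower-cased and values kept in lists so repeated
    headers such as Set-Cookie are not lost."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def filter_events(request_raw, response_raw):
    """Paros-style filters: log each GET/POST query the client sent and each
    cookie the server set on the way back."""
    req_line, _, _ = parse_message(request_raw)
    _, resp_headers, _ = parse_message(response_raw)
    method, target, _ = req_line.split(" ", 2)
    events = []
    if method in ("GET", "POST"):
        events.append(f"{method} {target}")
    for cookie in resp_headers.get("set-cookie", []):
        events.append("cookie: " + cookie.split(";", 1)[0])
    return events


def scan_xss(send, target):
    """Resend the URL once per query parameter with PROBE in that parameter;
    a parameter is reported when PROBE comes back unescaped in the body."""
    path, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    vulnerable = []
    for i, (name, _) in enumerate(params):
        mutated = [(n, PROBE if j == i else v) for j, (n, v) in enumerate(params)]
        _, _, body = parse_message(send("GET", path + "?" + urlencode(mutated)))
        if PROBE in body:  # an HTML-escaped reflection would not match
            vulnerable.append(name)
    return vulnerable


def scan_directory_listing(send, path):
    """A 200 whose title starts with 'Index of' is an auto-generated listing."""
    status, _, body = parse_message(send("GET", path))
    return status.startswith("HTTP/1.1 200") and bool(
        re.search(r"<title>\s*Index of", body, re.I))


def scan_put_allowed(send, path):
    """Ask the server which methods it accepts for the path; PUT in the
    Allow header means a client could upload content there."""
    _, headers, _ = parse_message(send("OPTIONS", path))
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    return "PUT" in allowed


def fake_server(method, target):
    """Constructed stand-in for a Web site so the example runs offline.
    /search reflects q unescaped, /safe escapes it, /docs/ is an indexable
    directory and /upload/ advertises PUT."""
    path, _, query = target.partition("?")
    q = dict(parse_qsl(query, keep_blank_values=True)).get("q", "")
    ok = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    if method == "OPTIONS" and path == "/upload/":
        return "HTTP/1.1 200 OK\r\nAllow: GET, PUT, OPTIONS\r\nContent-Length: 0\r\n\r\n"
    if method == "GET" and path == "/docs/":
        return ok + "\r\n<html><head><title>Index of /docs</title></head></html>"
    if method == "GET" and path == "/search":
        return ok + "Set-Cookie: sid=abc123; Path=/\r\n\r\n<p>Results for %s</p>" % q
    if method == "GET" and path == "/safe":
        return ok + "\r\n<p>Results for %s</p>" % html.escape(q)
    return "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    request = "GET /search?q=test HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(filter_events(request, fake_server("GET", "/search?q=test")))
    print("xss params:", scan_xss(fake_server, "/search?q=test&page=1"),
          scan_xss(fake_server, "/safe?q=test"))
    print("indexable /docs/:", scan_directory_listing(fake_server, "/docs/"))
    print("PUT on /upload/:", scan_put_allowed(fake_server, "/upload/"))
```

The `send` parameter is the seam where a real client would go: replace `fake_server` with a function that opens a socket (or goes through Paros itself as an upstream proxy) and returns the raw response, and the checks run unchanged. Note that the XSS check only ever looks at parameters already present in the logged URL, which is the same reason the column's spider limitations matter: what was never browsed is never tested.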
Right-clicking on the transaction reveals a menu that lets you run a security scan on the target URL or re-send the request. Re-sending brings up a new interface in which you can edit the request and see the raw results (we would love to see the ability to load the response into a standard browser so that the contents could be seen properly rendered).

This is quite a technical tool and fantastically useful in diagnosis and analysis. It will give you deep insight into how your Web applications and their clients are communicating. Paros Proxy is quite a tool. And it is free.

RELATED EDITORIAL LINKS
ProofSecure.com
http://www.proofsecure.com/
Paros Proxy user guide
http://www.proofsecure.com/paros_user_guide.pdf
Paros Proxy download
http://www.proofsecure.com/download.shtml
_______________________________________________________________
To contact: Mark Gibbs
Mark Gibbs is a consultant, author, journalist, and columnist and he writes the weekly Backspin and Gearhead columns in Network World. We'll spare you the rest of the bio but if you want to know more, go to <http://www.gibbs.com/mgbio>. Contact him at <mailto:[EMAIL PROTECTED]>
_______________________________________________________________
This newsletter is sponsored by Cisco Systems
Special Report: Bridging the Gap; Enterprise ROI
IT professionals today don't indulge in the latest-greatest technology for their own sake; instead they concentrate efforts on projects that are most likely to help achieve business goals. Read about the challenges and opportunities when IT starts 'bridging the gap' and directly contributes to enterprise ROI.
http://www.fattail.com/redir/redirect.asp?CID=88014
_______________________________________________________________
ARCHIVE LINKS
Archive of the Web Applications newsletter:
http://www.nwfusion.com/newsletters/web/index.html
_______________________________________________________________
Bandwidth or latency?
How to solve application performance issues
With more users at the edge, and more of the infrastructure at headquarters, how are enterprises increasing business productivity and application performance? Is more bandwidth the answer? Find out now.
http://www.fattail.com/redir/redirect.asp?CID=88062
_______________________________________________________________
FEATURED READER RESOURCE
NEW! Website dedicated to Networking for Small Business now available
The editors of NW Fusion and PC World have combined all their expert advice, authority, and know-how into a powerful new tool for small businesses, the new Networking for Small Business website. Get news, how-to's, product reviews, and expert advice specifically tailored to your small business needs. Find help with Security, Broadband, Networking, Hardware, Software, and Wireless & Mobile technology at:
<http://www.networkingsmallbusiness.com/>
_______________________________________________________________
May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered at your fingertips each day. Now, extend your knowledge by receiving 51 FREE issues to our print publication. Apply today at http://www.subscribenw.com/nl2
International subscribers click here: http://nww1.com/go/circ_promo.html
_______________________________________________________________
SUBSCRIPTION SERVICES
To subscribe or unsubscribe to any Network World e-mail newsletters, go to: <http://www.nwwsubscribe.com/Changes.aspx>
To unsubscribe from promotional e-mail go to: <http://www.nwwsubscribe.com/Preferences.aspx>
To change your e-mail address, go to: <http://www.nwwsubscribe.com/ChangeMail.aspx>
Subscription questions? Contact Customer Service by replying to this message.
This message was sent to: [EMAIL PROTECTED]
Please use this address when modifying your subscription.
_______________________________________________________________
Have editorial comments?
Write Jeff Caruso, Newsletter Editor, at: <mailto:[EMAIL PROTECTED]>
Inquiries to: NL Customer Service, Network World, Inc., 118 Turnpike Road, Southborough, MA 01772
For advertising information, write Kevin Normandeau, V.P. of Online Development, at: <mailto:[EMAIL PROTECTED]>
Copyright Network World, Inc., 2004
