Paros v3.2.0Alpha was released on 10 Nov 2004.

–    Almost 90% completely rewrite of all codes!!!

–    Improved connectivity.  Better HTTP/1.1 keep alive support.

–    Improved authentication support
    .    support proxy authentication.  Basic and NTLM should be supported.
    .    support individual server authentication.

–    Improved session saving
    .    the sites hierarchy and history can be restored from session file.
    .    better performance by use of inline DB.
    .    support large sites testing both in scanning and spidering.

–    Better extensibility by supporting extensions and plugins

–    New extension design
    .    used for adding functions to core program
    .    to be further polished in final release

–    New plugin features
    .    each plugin represent a test
    .    support knowledge base for plugins sharing
    .    support dependency check.
    .    customer plugins can be created by inheriting different AbstractPluginXXX class.
    .    to be further polished in final release
–    New spider:
    .    URL crawling and form crawling. Forms will fill the options values with limited combinations.
    .    with configurable options.
    .    support start/stop/resume
    .    estimated % complete

–    New scanner:
    .    with configurable options
    .    with multiple hosts/threads
    .    support    stopping individual hosts.
    .    generated alerts can be viewed while scanning.

–    New filters:
    .    custom filter can be added by dropping into filter directory by using Filter interface.

–    New application logging support in log directory.

–    Improved user interface.
    .    Click on tab to maximize working panel.
    .    Support image viewing.

–    Support use of Ant (1.6.2) build.xml

–    Change of copyright owner to parent company.

Features in Paros v3.1.3

Paros v3.1.3 was released on 23 Aug 2004.

New Features:

  • Allow to run the scanner on a paticular request shown in the lower URL list (select the request on the URL list, right-click and choose ‘Scan Selected Node/Item’)
  • Allow to re-send a paticular request shown in the lower URL list (select the request on the URL list, right-click and choose ‘Re-send’). Check the correctness of the information such as the port before sending it out.
  • Allow to craft a request by clicking the menu “Tools” => “Send HTTP(S) Requests”
  • In the filter DetectUnsafeContent, add new IE vulnerability check, and improve ms-its checks and speed of other checks .

Bug Fixes:

  • Fix a problem in handling the wildcard ‘*’ when using IP addresses like a.b.* for bypassing the proxy

Features in Paros v3.1.2

Paros v3.1.2 was released on 19 Apr 2004.

New Features:

  • Add DetectUnsafeContent filter.  If this filter is enabled, it shows all unsafe content like ActiveX control, malicious vbscript, content type,  IE vulnerability exploit at runtime in the Output Window. 
  • Allow to clear URLs by right-clicking the ‘Clear all’ option at the lower URL list
  • Allow to clear all windows by clicking Menu=>Clear Current Session, or F3 key

Features in Paros v3.1.1

Paros v3.1.1 was released on 22 Mar 2004.

New Features:

  • add URL encoder/decoder in “Tools|Hash/Encoding…”
  • improve performance in reading HTTP header
  • add a ‘Comment’ panel in Log Analyzer to show comments
  • add a ‘Script’ panel in Log Analyzer to show scripts
  • add two filters ‘ReplaceRequestHeader’ and ‘ReplaceRequestBody’ to replace text in HTTP requests
  • rename cookietampering to CRLFInjection to better describe the scanner test case

Bug Fixes:

  • solved a bug that SQL scanner checks may use the tampered/modified query string for scanning
  • solved a bug that the report may be generated before the last scan thread ends.
  • modified ‘CookieDetectFilter’ filter to handle mutiple Set-Cookie lines in header.

Features in Paros v3.1

Paros v3.1 was released on 24 Jan 2004.

New Features:

  • revamp correlated request and response logs by using a list.  By clicking the ‘URL’ list, the corresponding request and response will be displayed.
  • add advanced log viewer (under menu ‘Session’) which allow easy browsing and filtering of log. Offline scan supported.
  • log all request and response into flat file (session_request.log and session_response.log in ‘project’ directory)
  • generate scanning report in HTML format with risk ranking, description and solutions.  Reliability is indicated as warning or suspicious.
  • support scanning stop (under menu Tree => Scan Stop).
  • support modifying the number of scanner threads in Options
  • added the following scanner checks:
    • SSL Cipher suite check
    • Cookie tampering check (CRLF injection)
    • Buffer overflow check
    • Session ID potential exposure in referer
    • Session ID locate (informational only)
    • Set-cookie check (informational only)
    • Server header capture (informational only)
    • Platform disclosure in comment check (informational only)
    • WebDAV check in HttpMethods

Bug Fixes:

  • solved an occasional infinite loop problem when HTTP 1.1 chunked encoding is in use.
  • solved a rare case in which the scanning analyser consumes too much CPU time.
  • solved bugs that cause the scanner skips the tree crawled by the spider.

Features in Paros v3.0.3

Paros v3.0.3 was released on 17 Dec.

New Features:

  • added new checks for WebLogic (8.1) example files.
  • added new checks for cache and private IP exposure.
  • added new checks for parameter tampering.
  • improved sql injection check on MS SQL. More blind injection checks added.
  • follow redirected response in scanning.
  • reduced scanning thread to 5 to ease bandwidth requirement.

Bug Fixes:

  • fixed a bug that may display the wrong test query when a sql injection vulnerability is found.
  • fixed a problem that the scanner may stop running when scanning those URLs crawled by spider.
  • fixed a bug in filters LogGetQuery and LogPostQuery

Features in Paros v3.0.2c

Paros v3.0.2c was released on 22 Nov.

  • Fixed a bug during conversion of 0x0D to 0x0D0x0A in JTextArea. This bug may affect the result of certain HTTP header modifications.
  • Enhanced to support some non-standard URIs (with special characters not defined in RFC) used by some web sites which may stop the proxy accessing those web pages.

Features in Paros v3.0.2b

Paros v3.0.2b was released on 27 Oct.

  • Fixed a major problem of intercepting HTTP when proxy chaining is used.

No new features was added.

Features added in Paros v3.0.2

Paros v3.0.2 was released on 20 Oct.

  • Improved SQL injection check
  • Added default file check for JRUN
  • Added default files check for IIS 4, IIS 5 and IIS 6
  • Added default files check for ColdFusion
  • Added “ReplaceResponseHeader” filter to automatically change pattern in response header
  • Added “ReplaceResponseBody” filter to automatically change pattern in response body
  • Fixed a problem for default file check with “Scan All” function

For the two new filters (ReplaceResponseHeader and ReplaceResponseBody), you should click on the filter name under the “Functions” column of Filters panel and set the pattern. You can input Java regular expression for the pattern field.

E.g. you can replace the “Set-cookie” line of response header by setting the pattern field as “Set-cookie: id=\S*” and replace with “Set-cookie: id=abcde“.

Features added in Paros v3.0.1

Paros v3.0.1 was released on 1 Sep.

  • Fix and improve the Cross-site script check when handling URL parameters.
  • Fix and improve the tunneling problem (a feature not yet documented) in command line.
  • Add SQL injection check.

For some users, there may be a connection problem when “HTTP 1.1 through proxy” is enabled in the browser. We think this is a problem with the Java JSSE package. If you encounter any page corruption under SSL, simply turn off “Use HTTP 1.1 under proxy connections” in your browser. There is no difference except little performance degrade.

Features added in Paros v3.0

Paros v3.0 was released under the Clarified Artistic License (an open source GPL-compatible license) while all previous versions (v2.x) is close source.

Features added in Paros v2.2

Paros v2.2 was released on 30 Jun 2003 with the following new functions:

  • Support HTTP 1.1 connections
  • Spider feature added
  • Allow scanning for cross-site scripting (XSS) vulnerability on the selected website after navigation
  • Allow removal of websites from the Tree view

Features added in Paros v2.1

Paros v2.1 was released on 24 Apr 2003 with the following functions:

  • support client certificate (Menu => Tools => Enable Client Cert.)
  • a few vulnerability checks added and the scanner engine improved
  • 2 more filters added to record GET/POST queries
  • hash function and base64 conversion added (Menu => Tools => Hash/Encoding)
  • Search text feature (click on the text area, press Ctrl+F or Menu => Edit => Find)

Compared with Paros v2.0, it takes longer to start Paros v2.1 as more Java classes are initialized at startup. We’ll try to improve it in later versions.