Best Paros Proxy Alternatives

Although Paros Proxy is still available, there are some worrying signs that should make you wary of downloading and installing it. The code archive is held on SourceForge, but it hasn’t been updated since 2013.

The website linked from SourceForge says nothing about the tool and seems to have been taken over by someone called Max, who never did anything with the site.

Before going any further on Paros Proxy, let’s look at replacements for it.

Here is our list of the best Paros Proxy alternatives:

  1. OWASP ZAP A fork of Paros Proxy, so if you are looking for the latest Paros Proxy version, look here. This web security system is supported by the Open Web Application Security Project and is maintained by a coordinated team of volunteers.
  2. Grabber Seeks out XSS and SQL injection, plus a long list of other web application security weaknesses.
  3. Wapiti Looks for XSS, file and backup disclosure, and many other security weaknesses on websites.
  4. Skipfish Crawls every page on a site and scans each for security weaknesses by using heuristic techniques.
  5. Ratproxy This website vulnerability checker also tests the encrypted (SSL) connection for man-in-the-middle attack weaknesses.
  6. SQLMap This free pen-testing tool specializes in spotting SQL injection attacks on a website, covering six typical database attack methods.
  7. Wfuzz A pen-testing tool for hardening web applications against cookie fuzzing, SQL injection, XSS, and authentication forcing.
  8. Vega A free web application vulnerability pen tester to spot XSS, SQL injection, directory listing, and file inclusion tricks among other possible attacks.
  9. W3af This is an attack audit framework that identifies SQL injection, XSS, and a total of 200 other possible vulnerabilities.

Do you need Paros Proxy?

Paros Proxy operates as a traffic interceptor between the server and a browser. This is an excellent way to scan for site vulnerabilities. However, there are other pen-testing configurations that can be considered good replacements for the tool, so we didn’t limit our search to proxies.

Paros Proxy

Paros Proxy displays the requests sent by the browser and the responses returned by the web server, so you can see the many data exchanges that go into composing a single web page. This reveals the different web servers involved in providing code for the page. Another feature of Paros Proxy is a crawler that lists all of the pages on a site.

Paros Proxy is useful when looking for possible vulnerabilities to hacker attacks, such as cross-site scripting (XSS) or SQL injection. However, given its age, the service is incapable of discovering new attack vectors.

When looking for alternatives to Paros Proxy, we focused on searching through free open-source software. As the main download site for Paros Proxy is SourceForge, we also prioritized other web application security solutions that are available on that code repository and looked at GitHub and the Google code repository as well.

The best Paros Proxy Alternatives

You can read more about each of our solid recommendations for Paros Proxy alternatives in the following sections.

1. OWASP ZAP

OWASP ZAP - alerts settings

ZAP stands for the Zed Attack Proxy. It is a fork of Paros Proxy and is still being refined and advanced by a well-organized community team. The open source project is under the management of the Open Web Application Security Project (OWASP).

The Zed Attack Proxy starts its testing process by crawling the site to be tested to log all accessible pages. It then lists those pages, giving the user the opportunity to command analysis of a specific page. The tool will look for SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), security misconfiguration, broken authentication and session management, ineffective access control, sensitive data exposure, unprotected APIs, and components with known vulnerabilities. In general, each scan highlights insufficient attack protection on a web server and outdated code on a page.

New users face a steep learning curve to get the best out of the tool because there are many plug-ins available that expand and tailor it. All of those add-ons are developed by the user community, so each was created to meet a specific need that many other ZAP users are likely to share. The tool and all add-ons are free.

OWASP ZAP works in exactly the same way as Paros Proxy in that it operates as a proxy between the web server and a browser. You don’t need to host it on a remote server, though; it will run on the same computer that runs the browser. The code for the tool installs on Windows, Mac OS, Linux, and BSD Unix.
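To make the proxy idea concrete (the tool sits between browser and server, records each request and response, and reveals which servers contributed to the page), here is a minimal intercepting HTTP proxy. It is an added example written for this guide, not code from Paros Proxy or ZAP; it handles plain HTTP only, the listening address 127.0.0.1:8080 and the `Exchange` record are choices made here, and the sample exchanges in the usage are constructed.

```python
"""Minimal intercepting HTTP proxy that records every request a browser sends
and every response the server returns, then reports which web servers took
part in composing the page. Added example, not code from Paros Proxy or ZAP;
plain HTTP only (an HTTPS-capable proxy also needs certificate generation)."""
import http.client
import http.server
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Exchange:
    """One request/response pair seen by the proxy."""
    method: str
    host: str
    path: str
    status: int
    content_type: str
    length: int


LOG = []  # every Exchange, in the order the browser issued the requests

# Headers that only concern one hop (browser-to-proxy or proxy-to-server).
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding",
              "te", "trailer", "upgrade", "proxy-authorization"}


def split_target(url):
    """A proxy-style request line carries an absolute URL
    ('GET http://host:port/path HTTP/1.1'). Return (host, port, path)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError(f"unsupported target: {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, parts.port or 80, path


def servers_involved(log):
    """Distinct upstream hosts and how many responses each contributed."""
    return dict(Counter(e.host for e in log))


class InterceptingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host, port, path = split_target(self.path)
        # Forward the browser's headers minus the hop-by-hop ones.
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        headers["Host"] = host if port == 80 else f"{host}:{port}"
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        LOG.append(Exchange("GET", host, path, resp.status,
                            resp.getheader("Content-Type", ""), len(body)))
        print(f"{resp.status} {host}{path} ({len(body)} bytes)")
        # Relay the response; Content-Length is re-derived because the body was
        # buffered, and Server/Date are added by send_response itself.
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP | {"content-length", "server", "date"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console to our own one-line log
        pass


def main():
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 8080), InterceptingHandler)
    print("intercepting proxy on http://127.0.0.1:8080 (set it as the browser's HTTP proxy)")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print("servers involved:", servers_involved(LOG))


if __name__ == "__main__":
    main()
```

Run it, point a browser's HTTP proxy setting at 127.0.0.1:8080, load a page, and stop it with Ctrl-C: the final line lists every host that served part of the page, which is the same view Paros Proxy and ZAP give you before any scanning starts.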

Key Features:

  • Fork of Paros Proxy
  • Fully managed development
  • Open-source
  • Site crawler
  • Free to use

EDITOR’S CHOICE

OWASP ZAP is our number one recommendation as a replacement for Paros Proxy because it is a fork of that vulnerability scanner. The ZAP project is properly managed and so the code is regularly overhauled, keeping it up to date with cybersecurity threats and free from vulnerabilities in its own procedures.

Operating System: Windows, Mac OS, Linux, and BSD Unix.

2. Wapiti

Wapiti3 - homepage screenshot

Wapiti has its own page at SourceForge.io and it is free to use, although the developers ask for donations. This tool crawls a site, identifying all accessible pages, and then tests for vulnerabilities by launching a series of attacks to see whether they succeed. It doesn’t examine source code.

The vulnerability tests of Wapiti include file disclosure scans, database injection, CRLF injection, XSS, command execution possibilities, XML External Entity (XXE) injection, server-side request forgery (SSRF), Shellshock, and open redirects. It will search for the backup files containing sensitive information, look for known dangerous files on the webserver, check for .htaccess weaknesses, and try uncommon HTTP attacks.

Wapiti is a library of utilities that are launched at the command line – there is no GUI frontend for it. The code will install on Windows and Linux.

Key Features:

  • Probes file access weaknesses
  • Attempts coded attacks
  • Command-line
  • Free to use

3. Skipfish

skipfish - screenshot

Skipfish uses a web crawler strategy to identify all accessible pages on a site and then automatically cycles through them, scanning for vulnerabilities. The report of results maps out the structure of the site’s file storage and lists any potential problems with each file.
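The crawl step that Skipfish starts with, and that ZAP also performs before it lists pages for analysis, comes down to a same-origin breadth-first walk over the links in each HTML page, plus a fold of the discovered paths into a directory tree for the report. Here is that walk as an added example written for this guide, not code from Skipfish or ZAP; the `fetch` callback signature, the `shop.test` site and its pages are all constructed so the crawler runs offline.

```python
"""Same-origin crawler that lists every reachable page and maps the site's
directory structure, the first step ZAP and Skipfish both take before scanning.
Added example; not code from either project."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collects href/src/action attribute values from a page."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def extract_links(base_url, html):
    """Absolute http(s) URLs referenced by the page, fragments stripped."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for raw in parser.links:
        absolute, _fragment = urldefrag(urljoin(base_url, raw))
        if urlsplit(absolute).scheme in ("http", "https"):
            out.append(absolute)
    return out


def crawl(start_url, fetch, max_pages=500):
    """Breadth-first walk over same-origin links. fetch(url) returns
    (status, content_type, body). Returns {url: status} for every URL requested;
    max_pages caps the walk so a link-generating page cannot run it forever."""
    origin = urlsplit(start_url)
    seen = {}
    queue = deque([start_url])
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        status, content_type, body = fetch(url)
        seen[url] = status
        if status != 200 or not content_type.startswith("text/html"):
            continue  # only parse HTML that was actually served
        for link in extract_links(url, body):
            parts = urlsplit(link)
            same_origin = (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc)
            if same_origin and link not in seen:
                queue.append(link)
    return seen


def path_tree(urls):
    """Fold discovered paths into a nested dict, the shape of Skipfish's site map."""
    tree = {}
    for url in urls:
        node = tree
        for segment in [s for s in urlsplit(url).path.split("/") if s]:
            node = node.setdefault(segment, {})
    return tree


# Constructed stand-in for a site: url -> (status, content_type, body).
CONSTRUCTED_SITE = {
    "http://shop.test/": (200, "text/html",
        '<a href="/products/">Products</a> <a href="about.html">About</a> '
        '<script src="/static/app.js"></script> <a href="http://other.test/">ext</a>'),
    "http://shop.test/products/": (200, "text/html",
        '<a href="item.php?id=1">One</a><a href="/products/item.php?id=2#top">Two</a>'
        '<a href="/admin/">Admin</a>'),
    "http://shop.test/products/item.php?id=1": (200, "text/html", '<a href="/">Home</a>'),
    "http://shop.test/products/item.php?id=2": (200, "text/html", '<a href="/">Home</a>'),
    "http://shop.test/about.html": (200, "text/html", '<a href="/">Home</a>'),
    "http://shop.test/static/app.js": (200, "application/javascript", "console.log(1)"),
    "http://shop.test/admin/": (403, "text/html", "Forbidden"),
}


def fake_fetch(url):
    """Stands in for an HTTP client against the constructed site."""
    return CONSTRUCTED_SITE.get(url, (404, "text/html", "Not found"))


if __name__ == "__main__":
    found = crawl("http://shop.test/", fake_fetch)
    for url, status in found.items():
        print(status, url)
    print(path_tree(found))
```

Links to other.test are dropped by the same-origin check, the JavaScript file is requested but not parsed for links, and the 403 on /admin/ is recorded rather than followed, which is exactly the kind of entry the scanners flag for a closer look.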

The vulnerability probes check for SQL and PHP injection, server-side shell command injection, server-side XML injection, XSS, CSS inclusion problems, directory and redirection bypasses, and many other attack vectors.

Skipfish is free to use and it installs on Windows, Linux, Mac OS, and FreeBSD. The code is available from a Google archive.

Key Features:

  • Browser-based report
  • Shows file hierarchy
  • Free to use

4. Ratproxy

ratproxy - security testing proxy - Ratproxy audit report screenshot

Ratproxy is very similar to Paros Proxy. However, its latest release is a little dated. It operates between the web server and a browser and its unique selling point is that it also checks SSL session establishment to look for man-in-the-middle attack vulnerabilities. A nice feature of this vulnerability scanner is that it is lightweight and doesn’t place too much load on its host.

The Ratproxy checks examine scripting and content vulnerabilities as well as file space security weaknesses and transmission security flaws. The service produces a report on each scanned web page, leaving it up to the user to find ways to close down any detected vulnerabilities.

Ratproxy is stored on a Google code archive and is free to use. It will install on Windows, Mac OS, Linux, and FreeBSD.

Key Features:

  • Checks transmission security
  • Examines SSL certificates
  • Free to use

5. sqlmap

sqlmap - screenshot

sqlmap is a free open source project with its code available on GitHub. As its name suggests, sqlmap focuses on SQL injection and database attacks.

The tool is capable of probing a long list of DBMSs including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, and MariaDB. As well as attempting a range of attacks to test for vulnerabilities, the tool has a range of database management utilities, such as password security and access rights checks.

sqlmap is written in Python and it will install on Windows, Linux, Mac OS, and FreeBSD.

Key Features:

  • SQL security
  • Database management tools
  • Free to use

6. Wfuzz

$ wfuzz -w wordlist/general/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ
********************************************************
* Wfuzz 2.2 - The Web Bruteforcer                      *
********************************************************

Target: http://testphp.vulnweb.com/FUZZ
Total requests: 950

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00022:  C=301      7 L        12 W          184 Ch        "admin"
00130:  C=403     10 L        29 W          263 Ch        "cgi-bin"
00378:  C=301      7 L        12 W          184 Ch        "images"
00690:  C=301      7 L        12 W          184 Ch        "secured"
00938:  C=301      7 L        12 W          184 Ch        "CVS"

Total time: 5.519253
Processed Requests: 950
Filtered Requests: 945
Requests/sec.: 172.1247

>>> for r in wfuzz.get_payload(range(100)).fuzz(hl=[97], url="http://testphp.vulnweb.com/listproducts.php?cat=FUZZ"):
...     print(r)
...
00125:  C=200    102 L       434 W         7011 Ch        "1"
00126:  C=200     99 L       302 W         4442 Ch        "2"

Wfuzz examines web traffic for site vulnerabilities. It will spot possibilities for XSS and SQL injection as well as LDAP access weaknesses and authentication loopholes. This testing tool is a “fuzzer.”

Fuzzing involves feeding a program unexpected, random, or invalid input to test whether it crashes or hangs because the programmer didn’t include a routine to handle such input. Fuzzing is a typical hacking technique, so Wfuzz tries the same strategies that the website might face and highlights attacks that the web applications currently can’t handle.

$ wfpayload -z range,0-5
0
1
2
3
4
5

Wfuzz is a command-line utility, so it isn’t very attractive. Calls to this command can be built into scripts for test automation, enabling savvy users to build more comprehensive reports out of it. The utility is free to use and it will install on Windows, Mac OS, Linux, and FreeBSD. Wfuzz supports Python 3.
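The sessions shown above (the `--hc 404` word-list run, the `hl=[97]` filter in the Python API, and the `wfpayload -z range,0-5` generator) are all instances of one loop: produce payloads, substitute each at the FUZZ marker, measure the response, and hide the results that match a filter so only the anomalies remain for triage. Here is that loop as an added example written for this guide, not wfuzz’s own code; the `send` callback, the `FuzzResult` record, the target.test site and its responses are constructed so it runs offline.

```python
"""The heart of a wfuzz-style fuzzer: generate payloads, drop each into the
FUZZ marker of a URL, record the response's status code and line/word/char
counts, and hide uninteresting results with hc/hl/hw/hh filters.
Added example, not wfuzz's own code."""
from dataclasses import dataclass


@dataclass
class FuzzResult:
    request_id: int
    payload: str
    code: int
    lines: int
    words: int
    chars: int


def range_payloads(start, end):
    """The payload set `wfpayload -z range,0-5` prints: integers as strings, inclusive."""
    return [str(i) for i in range(start, end + 1)]


def measure(body):
    """The three numbers wfuzz prints beside the status code: lines, words, chars."""
    return body.count("\n"), len(body.split()), len(body)


def fuzz(url_template, payloads, send, hc=(), hl=(), hw=(), hh=()):
    """Substitute each payload for FUZZ, call send(url) -> (status, body), and keep
    every result that no hide filter (code, lines, words, chars) matches."""
    if "FUZZ" not in url_template:
        raise ValueError("url_template must contain the FUZZ marker")
    kept = []
    for request_id, payload in enumerate(payloads):
        status, body = send(url_template.replace("FUZZ", payload))
        lines, words, chars = measure(body)
        result = FuzzResult(request_id, payload, status, lines, words, chars)
        if (result.code in hc or result.lines in hl
                or result.words in hw or result.chars in hh):
            continue  # hidden; wfuzz counts these as "Filtered Requests"
        kept.append(result)
    return kept


def format_result(r):
    """One row in the layout wfuzz prints."""
    return (f'{r.request_id:05d}:  C={r.code}  {r.lines:4d} L  '
            f'{r.words:5d} W  {r.chars:6d} Ch  "{r.payload}"')


# Constructed stand-in for a target site so the loop runs offline:
# three paths exist, everything else is a 404.
CONSTRUCTED_RESPONSES = {
    "admin": (301, "moved permanently\n"),
    "cgi-bin": (403, "forbidden\n"),
    "images": (301, "moved permanently\n"),
}


def fake_send(url):
    """Stands in for an HTTP client; returns (status, body) for the last path segment."""
    word = url.rsplit("/", 1)[-1]
    return CONSTRUCTED_RESPONSES.get(word, (404, "not found\n"))


if __name__ == "__main__":
    wordlist = ["admin", "backup", "cgi-bin", "images", "login", "test"]  # constructed
    print("hc=[404]:")
    for r in fuzz("http://target.test/FUZZ", wordlist, fake_send, hc=[404]):
        print(format_result(r))
    # Hiding by size as well (hh) is how a catch-all redirect page is suppressed.
    print("hc=[404], hh=[18]:")
    for r in fuzz("http://target.test/FUZZ", wordlist, fake_send, hc=[404], hh=[18]):
        print(format_result(r))
```

The line/word/char counts matter more than they look: a site that answers every unknown path with the same redirect page defeats a status-code filter alone, and hiding on the size of that page (hh) or its line count (hl, as in the `hl=[97]` session above) is what brings the genuinely different responses back into view.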

$ wfencode -e md5 test
098f6bcd4621d373cade4e832627b4f6

Key Features:

  • Can be launched from scripts
  • Command-line utility
  • Free to use

7. Vega

Subgraph Vega - Scan Info view

Vega is a bundle of vulnerability scanning services, which includes a proxy. There are three elements in this suite: Vega Scanner, Vega Proxy, and Proxy Scanner – each has its own capabilities for testing different aspects of a website’s delivery. The package has an attractive GUI interface, which makes this the easiest to use of all the Paros Proxy replacements on this list.

The proxy allows the use of Firefox or Chrome for testing and can assist in the assessment of SSL certificate validity as well as checking for vulnerabilities and loopholes in the web applications system.

The tool will check for susceptibility to XSS and SQL injection as well as examining access to directories and backups. Vega installs on Windows, Linux, and Mac OS and it is free to use. The software is very extensively documented with complete instructions available on how to download, install, adapt, and run the utility.

Key Features:

  • GUI interface
  • Proxy configuration
  • Free to use

8. w3af

w3af - homepage screenshot

w3af is available from a GitHub repository. It is a widely used free web vulnerability testing platform. The name “W3af” is an abbreviation of Web Application Attack and Audit Framework. The code for the platform can also be downloaded from the W3af website, which also has an extensive and well-presented documentation library.

The vulnerability detection strategies of W3af are dictated by plug-ins. Like the app itself, plugins are free and can be downloaded from the W3af website. The tool has a useful GUI interface, which makes operating the system and checking through results a very simple task.

The scanner will look for 200 vulnerabilities in a site, which include SQL injection, XSS, unprotected resources, and loose authentication systems.

A community forum at the w3af website gives access to tips and tricks from other users and the site also has a blog, which explains the current state of cybersecurity and alerts readers to new threats.

W3af installs on Linux, Mac OS, and BSD Unix.

Key Features:

  • GUI interface
  • Extendable
  • Free to use

Replace Paros Proxy

Although you might be very pleased with Paros Proxy, it is time to move on. Even the developers behind the tool have given up on it. This guide has given you some really attractive replacements for Paros Proxy and even includes the utility’s heir, the OWASP ZAP system.

Take a look at the attractive GUI interfaces that W3af and Vega have to offer. These consoles make vulnerability scanning a lot easier and they have search and filtering utilities to make diagnoses of the results into a straightforward task.