I am preparing a presentation for BlackHat and would
like your feedback on an issue. It has to deal with a
non-typical Paros configuration that greatly
increases the offensive power of Paros.
If you would kindly comment, I will include it in my
presentation, and mention any bugfix (if any) that is
planned. If this is a feature (that's just not widely
talked about) feel free to comment that no bugfix is
planned or needed. Or, is this a misuse of Paros that
can not be prevented.
Paros has a local Proxy. I assume that this proxy is
not meant to proxy arbitrary users, but users who have
configured their browsers to use Paros. If I
configure a URL rewriting proxy to point at Paros as
its outbound proxy server (on localhost:8080), then I
can Man-In-the-Middle the Web sessions of any user on
the Internet, provided that I can redirect or 'phish'
them into pointing at my external URL Rewriting proxy server.
With an upstream URL Rewriting proxy server running
on the same host as Paros, I can indiscriminately
MITM any session with zero user configuration (from
the victim's perspective).
They visit my proxy (which proxies through Paros) and
their entire session is logged and can be
Is Paros' 'Local Proxy' configuration intended for
Is this just a feature of Paros (which I have been
told), and that it's nothing new or original, because
Paros is a MITM proxy?
Is this abuse of a Paros functionality, a bug, or
just a misuse that cannot be prevented?
Note: I realize the difficulty of preventing this
configuration, but I wanted to notify you in the
event that you had an opinion one way or another, or
wanted to take action, one way or another.
URL Rewriting Proxy (URP) on host X
-configure outbound proxy for localhost:8080
Paros on host X
-no special configuration needed
Results: Anyone who visits URP is MITM'd silently,
without any evidence of it happening.
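The setup above only works if victims can be lured into browsing through the URL Rewriting Proxy, and such proxies leave a recognisable trace: the address the victim requests embeds a second, absolute URL (the real site) in its path or query string. The following is an added detection example, written for this thread and not part of the original post or of Paros; the function names, the `urp.example.test` host and the access-log lines are all constructed for illustration. It extracts the embedded target host from a single URL and then scans a simplified access log (client, method, URL per line) for requests that show that pattern.

```python
"""Detect URL-rewriting-proxy style requests in a simplified access log.

Added example; not code from the original post or from Paros.
Hosts, function names and log lines below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Matches an absolute http(s) URL and captures its host (with optional port).
# Applied to already-unquoted path and query values, never to the whole URL.
EMBEDDED_URL = re.compile(r"https?://([^/?#\s]+)", re.IGNORECASE)


def embedded_target(url: str):
    """Return the host of a second URL embedded in `url`'s path or query, else None.

    A URL-rewriting proxy typically serves the real site as
    https://proxy.example/http://bank.example/login  or
    https://proxy.example/?u=https%3A%2F%2Fbank.example%2F
    """
    parts = urlsplit(url)
    candidates = [unquote(parts.path)]
    # parse_qsl already percent-decodes values; unquote again is harmless
    # and catches double-encoded variants.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(unquote(value))
    for text in candidates:
        match = EMBEDDED_URL.search(text)
        if match:
            return match.group(1).lower()
    return None


def scan_access_log(lines):
    """Return (client_ip, proxy_host, embedded_host) for each rewritten request.

    Each line is expected as: "<client_ip> <method> <url>" (constructed format).
    Lines that do not fit that shape are skipped rather than raising.
    """
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client_ip, url = fields[0], fields[2]
        target = embedded_target(url)
        if target:
            findings.append((client_ip, urlsplit(url).hostname, target))
    return findings


# Constructed sample log: two requests via a hypothetical rewriting proxy
# (urp.example.test) and one direct request that must not be flagged.
SAMPLE_LOG = [
    "203.0.113.7 GET https://urp.example.test/http://bank.example/login",
    "203.0.113.7 GET https://bank.example/static/logo.png",
    "198.51.100.3 GET https://urp.example.test/?u=https%3A%2F%2Fmail.example%2Finbox",
]

if __name__ == "__main__":
    for client_ip, proxy_host, target in scan_access_log(SAMPLE_LOG):
        print(f"{client_ip} reached {target} through rewriting proxy {proxy_host}")
```

Run it as a script to see the two flagged requests; the direct request to `bank.example` is left alone because neither its path nor its query embeds another absolute URL. The same check can be applied to URLs seen in mail or web gateway logs, where a sudden cluster of requests whose path embeds your own site's hostname is a useful signal that users are being proxied.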