The web address linked from SourceForge has nothing about the tool and seems to have been taken over by someone called Max, who never really did anything with the site.

Before going on any further about Paros Proxy, let’s look at replacements to that system.

Here is our list of the best Paros Proxy alternatives:

  • OWASP ZAP A fork of Paros Proxy, so if you are looking for the latest Paros Proxy version, look here. This web security system is supported by the Open Web Application Security Project and is maintained by a coordinated team of volunteers.
  • Grabber Seeks out XSS and SQL injection, plus a long list of other web application security weaknesses.
  • Wapiti Looks for XSS, file and backup disclosure, and many other security weaknesses on websites.
  • Skipfish Crawls every page on a site and scans each for security weaknesses by using heuristic techniques.
  • Ratproxy This website vulnerability checker also checks encrypted connections for SSL man-in-the-middle weaknesses.
  • SQLMap This free pen-testing tool specializes in spotting SQL injection attacks on a website, covering six typical database attack methods.
  • Wfuzz A pen-testing tool for hardening web applications against cookie fuzzing, SQL injection, XSS, and authentication forcing.
  • Vega A free web application vulnerability pen tester to spot XSS, SQL injection, directory listing, and file inclusion tricks among other possible attacks.
  • W3af This is an attack audit framework that identifies SQL injection, XSS, and a total of 200 other possible vulnerabilities.

Do you need Paros Proxy?

Paros Proxy operates as a traffic interceptor between the server and a browser. This is an excellent way to scan for site vulnerabilities. However, there are other pen testing configurations that can be considered as good replacements for the tool. We didn’t just look at proxies as alternatives.

Paros Proxy displays the requests sent by the browser and the responses returned by the web server, exposing the many data exchanges that go into composing a single web page. This identifies the different web servers involved in providing code for the page. Another feature of Paros Proxy is a crawler that lists all of the pages on a site.

Paros Proxy is useful when looking for possible vulnerabilities to hacker attacks, such as cross-site scripting (XSS) or SQL injection. However, given its age, the service is incapable of discovering new attack vectors.

When looking for alternatives to Paros Proxy, we focused on searching through free open-source software. As the main download site for Paros Proxy is SourceForge, we also prioritized other web application security solutions that are available on that code repository and looked at GitHub and the Google code repository as well.

The best Paros Proxy Alternatives

You can read more about each of our solid recommendations for Paros Proxy alternatives in the following sections.

Our methodology for selecting Paros Proxy alternatives

We reviewed the market for Paros Proxy replacements and assessed the options based on the following criteria:

  • A packet sniffer for Web traffic
  • A tool that can identify exchanges in the delivery of a Web page
  • A system that can identify contributing components hosted on other servers
  • Detection of malicious data entry
  • A Web crawler to document all of the pages on a site
  • A free trial or a demo that provides an opportunity to assess the system before buying
  • Value for money from a Web traffic sniffer that can identify attacks at a reasonable price

1. OWASP ZAP

ZAP stands for the Zed Attack Proxy. It is a fork of Paros Proxy and is still being refined and advanced by a well-organized community team. The open source project is under the management of the Open Web Application Security Project (OWASP).

Key Features:

  • Fork of Paros Proxy
  • Fully managed development
  • Open-source
  • Site crawler
  • Free to use

The Zed Attack Proxy starts its testing process by crawling the site to be tested to log all accessible pages. It then lists those pages, giving the user the opportunity to command analysis of a specific page. The tool will look for SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), security misconfiguration, broken authentication and session management, ineffective access control, sensitive data exposure, unprotected APIs, and components with known vulnerabilities. In general, each scan highlights insufficient attack protection on a web server and outdated code on a page.

New users face a steep learning curve to get the best out of the tool because there are a lot of plug-ins available that allow it to be expanded and tailored. All of those adaptations are developed by the user community, so each was created to meet a specific need that many other ZAP users are likely to share. The tool and all add-ons are free.

OWASP ZAP works in exactly the same way as Paros Proxy in that it operates as a proxy between the web server and a browser. You don’t need to host it on a remote server, though; it will run on the same computer that runs the browser. The code for the tool installs on Windows, Mac OS, Linux, and BSD Unix.

Pros:

  • Open source transparent project
  • Makes it easy to crawl lists and prioritize vulnerabilities
  • Offers numerous plugins that extend usability
  • Available for Windows, Mac OS, Linux, and BSD Unix

Cons:

  • Has a steeper learning curve than consumer-oriented products

EDITOR’S CHOICE

OWASP ZAP is our number one recommendation as a replacement for Paros Proxy because it is a fork of that vulnerability scanner. The ZAP project is properly managed and so the code is regularly overhauled, keeping it up to date with cybersecurity threats and free from vulnerabilities in its own procedures.

Operating System: Windows, Mac OS, Linux, and BSD Unix.

2. Wapiti

Wapiti has its own page at SourceForge.io and it is free to use, although the developers ask for donations. This tool crawls a site, identifying all accessible pages, and then tests for vulnerabilities by launching a series of attacks to see whether they succeed. It doesn’t examine source code.

Key Features:

  • Probes file access weaknesses
  • Attempts coded attacks
  • Command-line
  • Free to use

The vulnerability tests of Wapiti include file disclosure scans, database injection, CRLF injection, XSS, command execution possibilities, XML External Entity (XXE) injection, server-side request forgery (SSRF), Shellshock, and open redirects. It will search for the backup files containing sensitive information, look for known dangerous files on the webserver, check for .htaccess weaknesses, and try uncommon HTTP attacks.

Wapiti is a library of utilities that are launched at the command line – there is no GUI frontend for it. The code will install on Windows and Linux.

Pros:

  • Completely free tool
  • Launches attacks to determine if they succeed – more reliable than proof of concept
  • Supports numerous templated scans
  • Available for Windows and Linux

Cons:

  • No GUI – targeted more towards security specialists

3. Skipfish

Skipfish uses a web crawler strategy to identify all accessible pages on a site and then automatically cycles through them, scanning for vulnerabilities. The report of results maps out the structure of the site’s file storage and lists any potential problems with each file.

Key Features:

  • Browser-based report
  • Shows file hierarchy
  • Free to use

The vulnerability probes check for SQL and PHP injection, server-side shell command injection, server-side XML injection, XSS, CSS inclusion problems, directory and redirection bypasses, and many other attack vectors.

Skipfish is free to use and it installs on Windows, Linux, Mac OS, and FreeBSD. The code is available from a Google archive.

Pros:

  • A lightweight tool with a simple GUI
  • Maps site structure and reports vulnerabilities as a simple report
  • Completely free
  • Available for Windows, Linux, Mac OS, and FreeBSD

4. Ratproxy

Ratproxy is very similar to Paros Proxy. However, its latest release is a little dated. It operates between the web server and a browser and its unique selling point is that it also checks SSL session establishment to look for man-in-the-middle attack vulnerabilities. A nice feature of this vulnerability scanner is that it is lightweight and doesn’t place too much load on its host.

Key Features:

  • Checks transmission security
  • Examines SSL certificates
  • Free to use

The Ratproxy checks examine scripting and content vulnerabilities as well as file space security weaknesses and transmission security flaws. The service produces a report on each scanned web page, leaving it up to the user to find ways to close down any detected vulnerabilities.

Ratproxy is stored on a Google code archive and is free to use. It will install on Windows, Mac OS, Linux, and FreeBSD.

Pros:

  • Searches for content, scripting, and protocol vulnerabilities
  • Completely free to use
  • Relies on a simple lightweight interface

Cons:

  • Is slightly outdated when compared to similar Paros Proxy alternatives

5. sqlmap

sqlmap is a free open source project with its code available on GitHub. As its name suggests, sqlmap focuses on SQL injection and database attacks.

Key Features:

  • SQL security
  • Database management tools
  • Free to use

The tool is capable of probing a long list of DBMSs including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, and MariaDB. As well as attempting a range of attacks to test for vulnerabilities, the tool has a range of database management utilities, such as password security and access rights checks.

sqlmap is written in Python and it will install on Windows, Linux, Mac OS, and FreeBSD.

Pros:

  • Completely free
  • Open source transparent project
  • Specifically caters to identifying SQL attacks
  • Available for Windows, Linux, Mac OS, FreeBSD

6. Wfuzz

    $ wfuzz -w wordlist/general/common.txt --hc 404 http://testphp.vulnweb.com/FUZZ

    ********************************************************
    * Wfuzz 2.2 - The Web Bruteforcer                      *
    ********************************************************

    Target: http://testphp.vulnweb.com/FUZZ
    Total requests: 950

    ==================================================================
    ID      Response   Lines      Word         Chars          Request
    ==================================================================

    00022:  C=301      7 L       12 W          184 Ch        "admin"
    00130:  C=403     10 L       29 W          263 Ch        "cgi-bin"
    00378:  C=301      7 L       12 W          184 Ch        "images"
    00690:  C=301      7 L       12 W          184 Ch        "secured"
    00938:  C=301      7 L       12 W          184 Ch        "CVS"

    Total time: 5.519253
    Processed Requests: 950
    Filtered Requests: 945
    Requests/sec.: 172.1247

The same kind of scan can be driven from Python through Wfuzz’s own module (shown here with the Python 3 print syntax):

    >>> import wfuzz
    >>> for r in wfuzz.get_payload(range(100)).fuzz(hl=[97], url="http://testphp.vulnweb.com/listproducts.php?cat=FUZZ"):
    ...     print(r)
    ...
    00125:  C=200    102 L      434 W     7011 Ch    "1"
    00126:  C=200     99 L      302 W     4442 Ch    "2"

Wfuzz examines web traffic for site vulnerabilities. It will spot possibilities for XSS and SQL injection as well as LDAP access weaknesses and authentication loopholes. This testing tool is a “fuzzer”.

Key Features:

  • Can be launched from scripts
  • Command-line utility
  • Free to use

Fuzzing involves giving a program unexpected, random, or invalid input to test whether it will crash or hang because the programmer didn’t include a routine to deal with such inputs. Fuzzing is a typical hacking technique, so Wfuzz tries all of the strategies that the website might face and highlights attacks that the web applications currently can’t handle.
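To show what a fuzzer with a baseline filter actually does, here is an added example that is not part of the original article or of Wfuzz itself: a minimal Python harness that feeds payloads to a request handler, summarises each response in Wfuzz’s columns, and hides baseline responses the way Wfuzz’s --hc/--hl options do. The handler (demo_handler) is a constructed stand-in for a listproducts.php?cat= style page, not a real site; the crash-on-bad-input behaviour is deliberate, to show the kind of missing input handling fuzzing surfaces.

```python
from typing import Callable, Iterable, List, Tuple

Response = Tuple[int, str]  # (HTTP status code, response body)


def fuzz(handler: Callable[[str], Response], payloads: Iterable[str],
         hc=(), hl=(), hw=(), hh=()) -> List[dict]:
    """Feed every payload to `handler` and summarise each response in wfuzz's
    columns (code, lines, words, chars).  A response whose code / line / word /
    char count matches a hide filter (hc/hl/hw/hh) is dropped, so only the
    responses that deviate from the baseline are reported.  A handler that
    raises is recorded as a 500: an unhandled input is what fuzzing exposes."""
    results = []
    for n, payload in enumerate(payloads, 1):
        try:
            code, body = handler(payload)
        except Exception:  # crash = no routine for this kind of input
            code, body = 500, "Internal Server Error"
        lines, words, chars = body.count("\n"), len(body.split()), len(body)
        if code in hc or lines in hl or words in hw or chars in hh:
            continue
        results.append({"id": n, "code": code, "lines": lines,
                        "words": words, "chars": chars, "payload": payload})
    return results


# Constructed stand-in for a `listproducts.php?cat=FUZZ` style handler (not a
# real site).  It only copes with small positive integers; anything else is a
# 404 or an unhandled exception, exactly the gaps a fuzzer is meant to find.
PRODUCTS = {1: "Posters\nPictures\nCameras", 2: "Laptops\nPhones"}


def demo_handler(cat: str) -> Response:
    cat_id = int(cat)  # ValueError on "abc", "1'" ...: nobody validated cat
    if cat_id < 0:
        raise RuntimeError("negative category")  # another unhandled edge
    if cat_id not in PRODUCTS:
        return 404, "Not Found\n"
    return 200, f"<h1>Category {cat_id}</h1>\n{PRODUCTS[cat_id]}\n"


def format_result(r: dict) -> str:
    """Render one hit in the column layout of wfuzz's console output."""
    return (f"{r['id']:05d}:  C={r['code']}  {r['lines']:4d} L  "
            f"{r['words']:6d} W  {r['chars']:6d} Ch  \"{r['payload']}\"")


if __name__ == "__main__":
    # Equivalent of `wfuzz -z range,0-5 --hc 404 ...`: hide the 404s.
    for hit in fuzz(demo_handler, [str(i) for i in range(6)], hc=[404]):
        print(format_result(hit))
    # Malformed values crash the handler and surface as C=500 rows.
    for hit in fuzz(demo_handler, ["abc", "-1", "1'"], hc=[404]):
        print(format_result(hit))
```

A hardened version of demo_handler would validate cat before converting it and return a 400 instead of raising, at which point the C=500 rows disappear from the fuzz output.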

    $ wfpayload -z range,0-5
    0
    1
    2
    3
    4
    5

Wfuzz is a command-line utility, so it isn’t very attractive. Calls to this command can be built into scripts for test automation, enabling savvy users to build more comprehensive reports out of it. The utility is free to use and it will install on Windows, Mac OS, Linux, and FreeBSD. Wfuzz supports Python 3.

    $ wfencode -e md5 test
    098f6bcd4621d373cade4e832627b4f6

Pros:

  • Examines a vast range of web traffic for vulnerabilities and attacks
  • Tests systems using random inputs and packet injection
  • Is a lightweight tool
  • Is completely free to use

Cons:

  • Only available as a command-line tool – No data visualization

7. Vega

Vega is a bundle of vulnerability scanning services, which includes a proxy. There are three elements in this suite: Vega Scanner, Vega Proxy, and Proxy Scanner – each has its own capabilities for testing different aspects of a website’s delivery. The package has an attractive GUI interface, which makes this the easiest to use of all the Paros Proxy replacements on this list.

Key Features:

  • GUI interface
  • Proxy configuration
  • Free to use

The proxy allows the use of Firefox or Chrome for testing and can assist in the assessment of SSL certificate validity as well as checking for vulnerabilities and loopholes in the web applications system.

The tool will check for susceptibility to XSS and SQL injection as well as examining access to directories and backups. Vega installs on Windows, Linux, and Mac OS and it is free to use. The software is very extensively documented with complete instructions available on how to download, install, adapt, and run the utility.

Pros:

  • Includes a bundle of vulnerability testing tools
  • Uses an intuitive GUI for simple navigation
  • Can validate SSL certificates
  • Is free to use

Cons:

  • Can take some time to fully explore the platform

8. w3af

w3af is available from a GitHub repository. It is a widely used free web vulnerability testing platform. The name “W3af” is an abbreviation of Web Application Attack and Audit Framework. The code for the platform can also be downloaded from the W3af website, which also has an extensive and well-presented documentation library.

Key Features:

  • GUI interface
  • Extendable
  • Free to use

The vulnerability detection strategies of W3af are dictated by plug-ins. Like the app itself, plugins are free and can be downloaded from the W3af website. The tool has a useful GUI interface, which makes operating the system and checking through results a very simple task.

The scanner will look for 200 vulnerabilities in a site, which include SQL injection, XSS, unprotected resources, and loose authentication systems.

A community forum at the W3af website gives access to tips and tricks from other users, and the site also has a blog, which explains the current state of cybersecurity and alerts readers to new threats.

W3af installs on Linux, Mac OS, and BSD Unix.

Pros:

  • Uses plugins to extend the functionality
  • Ideal for in-depth auditing
  • Can scan for over 200 vulnerabilities including SQL and XSS attacks
  • Features a simple GUI interface

Cons:

  • Better suited for security professionals

Replace Paros Proxy

Although you might be very pleased with Paros Proxy, it is time to move on. Even the developers behind the tool have given up on it. This guide has given you some really attractive replacements to Paros Proxy and even includes the utility’s heir, the OWASP ZAP system.

Take a look at the attractive GUI interfaces that W3af and Vega have to offer. These consoles make vulnerability scanning a lot easier and they have search and filtering utilities to make diagnoses of the results into a straightforward task.
