Paros proxy

Paros proxy is a valuable and intensive vulnerability-assessment tool. It spiders through the entire website and executes various vulnerability tests. It also allows an auditor to intercept web traffic (HTTP/HTTPS) by setting up a local proxy between the browser and the actual target application. This mechanism helps an auditor tamper with or manipulate particular requests being made to the target application, in order to test it manually. Hence, Paros proxy acts as an active and passive web application security assessment tool. To start Paros proxy, navigate to Applications | Web Application Analysis | paros or in a Terminal, enter the following command:

# paros

This will bring up the Paros proxy window. Before you go through any practical exercises, you need to set up a local proxy (127.0.0.1, 8080) in your favorite browser. If you need to change any default settings, navigate to Tools | Options in the menu bar. This will allow you to modify the connection settings, local proxy values, HTTP authentication, and other relevant information. Once your browser has been set up, visit your target website.

The following are the steps for vulnerability testing and obtaining its report:

  1. In our case, we browse through http://192.168.0.30/mutillidae and notice that it has appeared under the Sites tab of the Paros Proxy.
  2. Right-click on http://192.168.0.30/mutillidae and choose Spider to crawl through the entire website. This will take a few minutes, depending on how big your website is.
  3. Once the website crawling has finished, you can see all of the discovered pages in the Spider tab at the bottom. Additionally, you can inspect the request and response for a particular page by selecting the target website and then choosing that page in the left-hand panel of the Sites tab.
  4. In order to trap any further requests and responses, go to the Trap tab on the right-hand panel. This is particularly useful when you decide to throw some manual tests against the target application. Moreover, you can construct your own HTTP request by navigating to Tools | Manual Request Editor.
  5. To execute the automated vulnerability testing, we select the target website under the Sites tab and navigate to Analyze | Scan All from the menu. Note that you can still select the specific types of security tests by navigating to Analyze | Scan Policy and then navigating to Analyze | Scan instead of Scan All.
  6. Once the vulnerability testing is complete, you can see a number of security alerts on the Alerts tab at the bottom. These are categorized as High, Low, and Medium risk levels.
  7. If you would like the scan report, navigate to Report | Last Scan Report in the menu bar. This will generate a report that lists all of the vulnerabilities found during the test session (/root/paros/session/LatestScannedReport.html).
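Once the report from the last step exists, an auditor usually wants a quick triage by risk level before reading it page by page. The following is an added example (not part of the book or the Paros project) that parses the report with the standard library only; it assumes the report presents alerts as table rows whose first cells hold the risk level and alert name, and it runs against a constructed sample in that layout so it works offline.

```python
"""Triage a Paros 'Last Scan Report' by risk level (High, Medium, Low)."""
from collections import Counter
from html.parser import HTMLParser

# Constructed sample in the ASSUMED layout (one <tr> per alert: risk, alert,
# URL). The real /root/paros/session/LatestScannedReport.html may differ, so
# check a real report and adjust the cell positions if needed.
SAMPLE_REPORT = """<html><body><table>
<tr><th>Risk</th><th>Alert</th><th>URL</th></tr>
<tr><td>High</td><td>Sample injection finding</td><td>http://192.168.0.30/mutillidae/a.php</td></tr>
<tr><td>Medium</td><td>Sample header finding</td><td>http://192.168.0.30/mutillidae/b.php</td></tr>
<tr><td>Low</td><td>Sample cookie finding</td><td>http://192.168.0.30/mutillidae/c.php</td></tr>
<tr><td>Low</td><td>Sample cookie finding</td><td>http://192.168.0.30/mutillidae/d.php</td></tr>
</table></body></html>"""

RISK_LEVELS = ("High", "Medium", "Low")  # the categories Paros reports


class AlertTableParser(HTMLParser):
    """Collects every table row as a list of its <td> text cells."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:  # text outside a cell is ignored
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:  # header rows use <th>, so they stay empty
                self.rows.append(self._row)
            self._row = None


def parse_alerts(html):
    """Return alert dicts for rows whose first cell is a known risk level."""
    parser = AlertTableParser()
    parser.feed(html)
    return [{"risk": r[0], "alert": r[1], "url": r[2]}
            for r in parser.rows if len(r) >= 3 and r[0] in RISK_LEVELS]


def summarize(alerts):
    """Count alerts per risk level, always reporting all three levels."""
    counts = Counter(a["risk"] for a in alerts)
    return {level: counts.get(level, 0) for level in RISK_LEVELS}


def triage_order(alerts):
    """Sort alerts High first, then by alert name and URL for review."""
    rank = {level: i for i, level in enumerate(RISK_LEVELS)}
    return sorted(alerts, key=lambda a: (rank[a["risk"]], a["alert"], a["url"]))
```

To run it on a real session, read the report file into a string and pass it to `parse_alerts` instead of `SAMPLE_REPORT`.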

We made use of the basic vulnerability-assessment test for our example scenario.

To become more familiar with various options offered by the Paros proxy, we recommend you read the user guide available at: http://www.ipi.com/Training/SecTesting/paros_user_guide.pdf.