The PowerPoint Deck

Note: Session includes demos and code samples.
For optimal viewing, please sit near the front!
Advanced Web Debugging with Fiddler
Eric Lawrence
Program Manager
Internet Explorer
ericlaw@microsoft.com
GET /data HTTP/1.1
TRAFFIC CAPTURE
Typical Architecture
Diagram labels: Firefox, Internet Explorer, Office, WinINET, WinHTTP, CryptoAPI, Fiddler, Upstream Proxy, Firewall, example.com
Debug Across Devices
Diagram labels: Mac, PC, Linux, SmartPhone, Fiddler, Internet
FiddlerHook for Firefox
Fiddler, FiddlerCap, and IE9
TRAFFIC IMPORT
FiddlerCap
FiddlerCap is a lightweight capture tool
IE9 Developer Tools
IE9’s Developer Tools include a “Network” tab
Examine Requests and Responses
TRAFFIC ANALYSIS
Filtering Traffic
•Ignore Images & CONNECTs
•Application Type Filter
•Process Filter
•Using QuickExec
•Using Find
Output Options
•Copy sessions to the clipboard
•Store as a plaintext file
•Extract binary response bodies
•Archive to a database
•Export a Visual Studio .WebTest file
•Write your own…
•Fiddler’s native “Session Archive ZIP” (SAZ) Format
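Added example (not part of the original deck): a SAZ file is a ZIP archive, so a capture can be checked offline with a short script, in the spirit of the passive analysis the Watcher extension (mentioned later in the deck) performs. The sketch assumes each session is stored as raw/N_c.txt (request) and raw/N_s.txt (response); the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import re
import zipfile

def build_sample_saz() -> bytes:
    """Constructed two-session archive in the assumed SAZ layout (not a real capture)."""
    files = {
        "raw/1_c.txt": "GET /login HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "raw/1_s.txt": ("HTTP/1.1 200 OK\r\n"
                        "Set-Cookie: sid=abc123; Path=/\r\n"
                        "Set-Cookie: theme=dark; Secure; HttpOnly\r\n"
                        "Content-Length: 2\r\n\r\nok"),
        "raw/2_c.txt": "GET /data HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "raw/2_s.txt": "HTTP/1.1 304 Not Modified\r\n\r\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf.getvalue()

def split_headers(raw: bytes):
    """Return (first line, [(name, value), ...]) for one raw HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    first, *lines = head.split("\r\n")
    pairs = [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]
    return first, pairs

def weak_cookies(saz: bytes):
    """Return sorted (session id, request line, cookie name, missing flags)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(saz)) as z:
        for name in z.namelist():
            m = re.fullmatch(r"raw/(\d+)_s\.txt", name)  # response files only
            if not m:
                continue
            # The matching request file shares the session number
            request_line, _ = split_headers(z.read(name[:-6] + "_c.txt"))
            for header, value in split_headers(z.read(name))[1]:
                if header.lower() != "set-cookie":
                    continue
                # Attribute names after the first ';' (Secure, HttpOnly, Path, ...)
                attrs = {a.split("=")[0].strip().lower() for a in value.split(";")[1:]}
                missing = [f for f in ("secure", "httponly") if f not in attrs]
                if missing:
                    findings.append((int(m.group(1)), request_line,
                                     value.split("=", 1)[0], missing))
    return sorted(findings)

if __name__ == "__main__":
    for finding in weak_cookies(build_sample_saz()):
        print(finding)
```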
Traffic Comparison
Use WinDiff to compare HTTP requests and responses.
Traffic Comparison
“Viewer” mode allows examining multiple captures side-by-side.
fiddler.exe -viewer
Rewriting HTTP(S) Traffic
TRAFFIC MODIFICATION
Automated Rewrites
•Simple Built-in Rules
•The HOSTS extension
Breakpoint Debugging
Use Fiddler inspectors to modify requests and responses…
Understanding Streaming
Timeline view of Buffering Mode
Timeline view of Streaming Mode
Request Builder
Create hand-built HTTP requests, or modify and reissue a request previously captured.
Simple Filters
Flag, modify or remove headers from all requests and responses.
AutoResponder
Replay previously captured or generated traffic.
Powering Up Fiddler
SCRIPTING AND EXTENSIBILITY
Understanding Extensibility
Diagram labels: Fiddler 2, ExecAction.exe, Your Automation, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, Fiddler Proxy, Xceed*.dll, Makecert.exe
Lightweight extensibility using JavaScript
FIDDLERSCRIPT
FiddlerScript
FiddlerScript:
Request Modification
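static function OnBeforeRequest(oS: Session){
    // Highlight requests for .aspx pages in the session list
    if (oS.uriContains(".aspx"))
    {
        oS["ui-color"] = "red";
    }
    // m_DisableCaching is a rule flag declared elsewhere in the script.
    // When set, strip the conditional-request headers so the server
    // must send a full response instead of a 304.
    if (m_DisableCaching){
        oS.oRequest.headers.Remove("If-None-Match");
        oS.oRequest.headers.Remove("If-Modified-Since");
        oS.oRequest["Pragma"] = "no-cache";
    }
}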
FiddlerScript:
Response Modification
static function OnBeforeResponse(oS: Session)
{
    // Remove compression and chunking so the body can be edited as text
    oS.utilDecodeResponse();
    oS.utilPrependToResponseBody("Injected Content!");
}
Powerful extensibility using any .NET Language
EXTENSIONS
neXpert
Watcher
Automated (passive) security analysis
http://websecuritytool.codeplex.com/
Integrating Fiddler into your tools
TEST INTEGRATION
ExecAction
The ExecAction.exe command line utility calls into the OnExecAction function in script and Fiddler extensions.
FiddlerCore
Diagram panels: “Fiddler application with extensions” (Fiddler 2) and “Your application hosting FiddlerCore” (YourApp.exe)
Diagram labels: ExecAction.exe, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe
Programming with FiddlerCore
// Call Startup to tell FiddlerCore to begin
// listening on the specified port, register as
// the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);
Fiddler.FiddlerApplication.BeforeResponse +=
    delegate(Fiddler.Session oS) {
        Console.WriteLine("{0}:HTTP {1} for {2}", oS.id,
            oS.responseCode, oS.fullUrl);
    };
// Call Shutdown to tell FiddlerCore to stop
// listening and unregister as the system proxy
Fiddler.FiddlerApplication.Shutdown();
Call To Action
• Try the Watcher & neXpert extensions
• Use FiddlerCap to collect traffic from the field
• Check out import from the IE9 Developer Tools
Questions and Resources
Please fill out an evaluation form for this session (FT-50).
Thank you!
Resources
o Meet the IE Team in the MIX “Commons”
o http://www.fiddler2.com/mix/
o ericlaw@microsoft.com
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Internet Explorer, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.