Debugging with Fiddler
Eric Lawrence, @ericlaw

Let’s talk about you…

How did I end up here?
Once upon a time… Oh no! What happened? There must be a better way… A simple idea takes shape…

“All problems in computer science can be solved by another level of indirection.” - David Wheeler

(diagram: Applications -> Network APIs -> Proxy -> Website)

Only two problems
• Don’t know HTTP
• Don’t know C#

Fiddler: Evolution
Eleven years, ~35k lines of C#, 160+ release builds, one full-length paperback, a cross-country move to Telerik, and two new supported platforms later…
• New Website
• New Documentation
• New Platforms
• Enhanced User-Interface

My current side-project

A quick tour around Fiddler…

UI Evolution – The Web Sessions List

Fiddler on Linux (Mint/Ubuntu)

Fiddler on Mac OSX
• It works, but due to UI glitches, you’re usually better off using VirtualBox / Parallels / Fusion

Traffic Monitoring

Typical Architecture (diagram: PC, iOS, Mac)

Debug Across Devices (diagram: Phones and Tablets -> Fiddler on Windows/Linux -> Internet)

Fiddler as a Reverse Proxy
http://fiddler2.com/r/?reverseproxy

Win8/8.1 “Immersive” Apps & IE11

.NET Applications
Add to YourApp.exe.config or machine.config so the .NET networking stack routes requests through Fiddler (the proxy address below is Fiddler’s default listener):

    <configuration>
      <system.net>
        <defaultProxy>
          <proxy bypassonlocal="false"
                 usesystemdefault="false"
                 proxyaddress="http://127.0.0.1:8888" />
        </defaultProxy>
      </system.net>
    </configuration>

node.js
Different libraries offer different approaches…

    var http = require('http');
    // Connect to Fiddler (127.0.0.1:8888) rather than to the origin, and put the
    // absolute target URL in the request line; the Host header still names the origin.
    var options = {
      host: '127.0.0.1',
      port: 8888,
      path: 'https://bayden.com/echo.aspx',
      headers: { Host: "bayden.com" },
      method: 'POST'
    };
    var req = http.request(options, function(res) {
      console.log('STATUS: ' + res.statusCode + ' HEADERS: ' + JSON.stringify(res.headers));
      res.setEncoding('utf8');
      res.on('data', function (chunk) {
        console.log('BODY: ' + chunk);
      });
    });
    req.write('Post Data\n');
    req.end();

Protocols

HTTPS Traffic Decryption
For security reasons, proxies cannot normally “see” HTTPS requests. To enable traffic decryption, Fiddler performs a “man-in-the-middle” attack.
(Session list: the CONNECT tunnel to www.fiddler2.com is decrypted, revealing GET /fiddler2/, GET /Fiddler2/Fiddler.css and GET /Fiddler/images/FiddlerLogo.png)

HTML5 WebSockets
WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS.

FTP
Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default.

SPDY / HTTP2
Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.
Fiddler cannot support SPDY until .NET’s SslStream supports ALPN. Please vote for my bug on CONNECT: https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=812003
Also, please vote for this other SslStream bug: https://connect.microsoft.com/VisualStudio/feedback/details/811998/system-netsecurity-sslstream-calls-localcertificateselection-callback-unconditionally-even-if-

Protocol Violations
    prefs set fiddler.lint.HTTP True

Store & Load Traffic
Output Formats:
• Fiddler Session Archive
• Visual Studio .WebTest
• HTML5 AppCache Manifest
• WCAT Load Test
• cURL Script
• HTTP Archive Format (HAR)
• Meddler Script
Also:
• Copy to the clipboard
• Store as a plaintext file
• Extract binary response bodies
• Archive to a database
Or write your own…

The SAZ file format
Session Archive Zip files contain:
• Request and response bytes
• Timing and other metadata
• WebSocket messages
• HTML index file
For security, SAZ files may be encrypted using AES

FiddlerCap – Simple captures
http://www.fiddlercap.com
User-interface localized to: English | Français | Español | Português | 日本語 | русский

Import Formats
• HTTP Archive Format (HAR)
• Internet Explorer F12 Developer Tools (NETXML)
• Telerik Test Studio LoadTest
• Packet Capture (WireShark, tcpdump, NetMon)
• …or write your own

PCAP Import

Traffic Analysis

TextWizard
Convert text between popular web encodings.

Traffic Comparison
Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.
Traffic Comparison
Use the Differ Extension to compare groups of Sessions at once.

Filtering Traffic
• Ignore Images & CONNECTs
• Application Type Filter
• Process Filter
• Troubleshooting with Help menu

Regular Expression Support

SyntaxView Reformatting

ImageView DataURL Support

ImageView Tools Integration

Metadata & GeoLocation

HTML5 Media & Font previews

X-Download-Initiator
https://fiddler2.com/dl/EnableDownloadInitiator.reg
    cols add @request.X-Download-Initiator

Traffic Manipulation

Automated Rewrites
• Simple built-in Rules
• The HOSTS command

Breakpoint Debugging
Use Fiddler Inspectors to modify requests and responses…

Simple Filters
Flag, modify or remove headers from all requests and responses.

Request Composer
Create hand-built requests, or modify and reissue a request previously captured. Supports:
• Automatic authentication
• File Uploads
• Redirect chasing
• Sequential URL Crawling
• CURL commands

AutoResponder
Replay previously-captured or generated traffic.

FiddlerScript

FiddlerScript – Request Modification

    static function OnBeforeRequest(oS: Session) {
      // Highlight .aspx sessions in the session list
      if (oS.uriContains(".aspx")) {
        oS["ui-color"] = "red";
      }
      // Strip conditional-request headers so the server cannot answer 304
      if (m_DisableCaching) {
        oS.oRequest.headers.Remove("If-None-Match");
        oS.oRequest.headers.Remove("If-Modified-Since");
        oS.oRequest["Pragma"] = "no-cache";
      }
    }

FiddlerScript – Response Modification

    static function OnBeforeResponse(oS: Session) {
      // Decompress / dechunk the body before editing it
      oS.utilDecodeResponse();
      oS.utilPrependToResponseBody("Injected Content!");
    }

Powerups

Understanding Extensibility
Each component in red is your code… (diagram: ExecAction.exe, Script / Batch file, Fiddler.exe, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe)

Understanding UI Extensibility
1. RulesOptions
2. ToolsActions
3. Custom menus
4. Custom columns
5. ContextActions
6. QuickExec handlers
7. Views
8. Request Inspectors
9. Response Inspectors
10. Import & Export Transcoders

Type-specific Inspectors

Expert Perf Analysis with neXpert

intruder21 Web Fuzzer
• By yamagata21

Watcher & x5s Security Auditors
http://websecuritytool.codeplex.com/
http://xss.codeplex.com/

WCF Binary Inspector

Integration

ExecAction.exe
• Calls into OnExecAction in script or extensions
• Alternatively, invoke directly by sending a Windows Message:

    // wzData: the command string to pass to Fiddler, as a WCHAR string
    COPYDATASTRUCT oCDS;
    oCDS.dwData = 61181; // Magic Cookie
    oCDS.cbData = lstrlen(wzData) * sizeof(WCHAR);
    oCDS.lpData = wzData;
    SendMessage(
      FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"),
      WM_COPYDATA, NULL, (LPARAM) &oCDS
    );

Fiddler application with extensions / Your application hosting FiddlerCore (diagram: Fiddler.exe, YourApp.exe, ExecAction.exe, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe, DotNetZip, CertMaker.dll)

Programming with FiddlerCore

    // Call Startup to tell FiddlerCore to begin listening on the specified port,
    // register as the system proxy and decrypt HTTPS traffic.
    Fiddler.FiddlerApplication.Startup(8877, true, true);

    Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
      Console.WriteLine("{0}:HTTP/{1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
    };

    // Later, call Shutdown to tell FiddlerCore to stop listening
    // and unregister as the system proxy
    Fiddler.FiddlerApplication.Shutdown();

Fiddler Futures
• WebSockets UI
• SPDY/HTTP2
• UI Enhancements
• You tell me!

Thank you!!!
Eric Lawrence @ericlaw //fiddlerbook.com