Code Camp 2013 Sponsors

Eric Lawrence
@ericlaw
Follow along at http://getfiddler.com
Origins
Once upon a time…
Oh no! What happened?!?
There must be a better way…
A simple idea takes shape…
Diagram: Applications, Network, APIs, Proxy, Website
"All problems in computer science can be solved by another level of indirection." - David Wheeler
Fiddler: Evolution
Ten years,
~30k lines of C#,
120+ release builds,
a cross-country move to Telerik,
and two new supported Platforms later…
My current side-project
Roadmap
• New Website
• New Documentation
• New Platforms
• Enhanced User-Interface
Fiddler Today
Demo
UI Evolution - Web Sessions list
Fiddler on Linux
Linux Mint & Ubuntu
Fiddler on Mac OSX
It works, but due to UI glitches, you’re usually better off using Parallels.
Traffic Monitoring
Typical Architecture
Diagram: Phones, Tablets, iOS, Mac, PC
Debugging Across Devices
Diagram: devices, Fiddler, Internet
Fiddler as a Reverse Proxy
http://fiddler2.com/r/?reverseproxy
Firefox Configuration
Use the FiddlerHook add-on, or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings.
Win 8 “Store Apps” & IE11
.NET Applications
YourApp.exe.config:
<configuration>
  <system.net>
    <defaultProxy>
      <proxy bypassonlocal="false"
             usesystemdefault="false"
             proxyaddress="http://127.0.0.1:8888" />
    </defaultProxy>
  </system.net>
</configuration>
Protocols
HTTPS Traffic Decryption
Proxies cannot normally “see” HTTPS requests.
Figure: request lines inside an HTTPS session: GET /fiddler2/, GET /Fiddler2/Fiddler.css, GET /Fiddler/images/FiddlerLogo.png
HTTPS Traffic Decryption
Fiddler dynamically generates interception certificates chained to a self-signed root.
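The other side of interception certificates, as an added example that is not part of the deck or of Fiddler: a .NET client that looks at which root its HTTPS connection was actually anchored at. Once a self-signed root such as Fiddler's has been installed in the trust store, the platform reports no certificate error at all, so only an explicit check on the root (here an allow-list of pinned root thumbprints; the thumbprint value and the URL are placeholders) reveals that a decrypting proxy sits in the path. It uses only System.Net and System.Security.Cryptography.X509Certificates from the .NET Framework.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the slides: report HTTPS connections whose chain
// ends at a root this client does not expect, e.g. a locally installed
// interception root. The platform's own validation is kept as-is.
static class RootAudit
{
    // SHA-1 thumbprints of the roots this client expects to see.
    // PLACEHOLDER value: replace with the thumbprint(s) of your real CA root(s).
    static readonly HashSet<string> ExpectedRoots =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    // The last element of a built chain is the anchor the platform trusted.
    public static X509Certificate2 RootOf(X509Chain chain)
    {
        return chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
    }

    // Validation callback: never weaken the built-in verdict, only add a root check.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            return false;

        X509Certificate2 root = RootOf(chain);
        if (ExpectedRoots.Contains(root.Thumbprint))
            return true;

        // Unexpected anchor: log what it is so an operator can decide whether a
        // debugging proxy or something less benign is terminating TLS.
        Console.WriteLine("Connection anchored at an unexpected root:");
        Console.WriteLine("  Subject:      {0}", root.Subject);
        Console.WriteLine("  Thumbprint:   {0}", root.Thumbprint);
        Console.WriteLine("  Chain length: {0}", chain.ChainElements.Count);
        return false;
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        try
        {
            using (var client = new WebClient())
            {
                // PLACEHOLDER URL; any HTTPS site works for the demonstration.
                string body = client.DownloadString("https://example.com/");
                Console.WriteLine("{0} bytes received", body.Length);
            }
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request refused: " + ex.Message);
        }
    }
}
```

With Fiddler decrypting HTTPS on the same machine, the request is refused and the logged Subject and Thumbprint are those of Fiddler's root rather than the public CA, which is exactly the signal a pinned client (or a mobile app shipping its own trust set) relies on.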
HTML5 WebSockets
WebSockets enable bidirectional socket communications over a connection established using HTTP or HTTPS.
FTP
Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default.
SPDY/HTTP2.0
Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.
Protocol Violation
prefs set fiddler.lint.HTTP True
Traffic Archiving
Fiddler has many output options:
• Copy sessions to the clipboard
• Store as a plaintext file
• Extract binary response bodies
• Archive to a database
• Export a Visual Studio .WebTest file
• Build an HTML5 AppCache Manifest
• Build a WCAT load-test script
…or write your own.
The SAZ file format
Session Archive Zip files contain:
• Request and response bytes
• Timing and other metadata
• HTML index file
For security, SAZ files may be encrypted.
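A reader for the archive format, as an added example rather than Fiddler's own code. It assumes the SAZ layout Fiddler uses (raw/NN_c.txt for the request bytes, raw/NN_s.txt for the response bytes, raw/NN_m.xml for timing and other metadata, _index.htm for the HTML index) and that .NET's ZipArchive rejects the entries of a password-protected archive with InvalidDataException; the capture.saz path is a constructed placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text;

// Added example, not Fiddler's code: list the sessions in a SAZ file and
// recognise an encrypted archive. Needs references to System.IO.Compression
// and System.IO.Compression.FileSystem.
static class SazReader
{
    public sealed class SazSession
    {
        public string Number;       // the NN prefix shared by one session's files
        public string RequestLine;  // e.g. "GET /fiddler2/ HTTP/1.1"
        public string StatusLine;   // e.g. "HTTP/1.1 200 OK"
        public bool HasMetadata;    // raw/NN_m.xml present (assumed layout)
    }

    // Returns null when the archive is password-protected.
    public static List<SazSession> Read(string path)
    {
        var sessions = new SortedDictionary<string, SazSession>(StringComparer.Ordinal);
        using (ZipArchive saz = ZipFile.OpenRead(path))
        {
            foreach (ZipArchiveEntry entry in saz.Entries)
            {
                // Only raw/ holds session files; _index.htm and the rest are skipped.
                if (!entry.FullName.StartsWith("raw/", StringComparison.OrdinalIgnoreCase))
                    continue;

                string file = Path.GetFileName(entry.FullName);
                int split = file.IndexOf('_');
                if (split < 0) continue;

                string number = file.Substring(0, split);
                SazSession s;
                if (!sessions.TryGetValue(number, out s))
                    sessions[number] = s = new SazSession { Number = number };

                if (file.EndsWith("_c.txt", StringComparison.OrdinalIgnoreCase))
                {
                    s.RequestLine = FirstLine(entry);
                    if (s.RequestLine == null) return null;
                }
                else if (file.EndsWith("_s.txt", StringComparison.OrdinalIgnoreCase))
                {
                    s.StatusLine = FirstLine(entry);
                    if (s.StatusLine == null) return null;
                }
                else if (file.EndsWith("_m.xml", StringComparison.OrdinalIgnoreCase))
                    s.HasMetadata = true;
            }
        }
        return new List<SazSession>(sessions.Values);
    }

    // Reads only the first line (request line or status line) of a raw HTTP
    // message; null means ZipArchive refused the entry because it is encrypted
    // (assumed InvalidDataException behaviour, see lead-in).
    static string FirstLine(ZipArchiveEntry entry)
    {
        try
        {
            using (var reader = new StreamReader(entry.Open(), Encoding.ASCII))
                return reader.ReadLine();
        }
        catch (InvalidDataException)
        {
            return null;
        }
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "capture.saz";  // constructed placeholder
        List<SazSession> sessions = Read(path);
        if (sessions == null)
        {
            // The request and response bytes are stored verbatim, cookies and
            // Authorization headers included, which is why encryption is offered.
            Console.WriteLine("{0} is password-protected; open it in Fiddler.", path);
            return;
        }
        foreach (SazSession s in sessions)
            Console.WriteLine("{0}  {1}  ->  {2}{3}", s.Number, s.RequestLine, s.StatusLine,
                              s.HasMetadata ? "" : "  (no metadata)");
    }
}
```

Because the central directory of a zip is never encrypted, ZipFile.OpenRead succeeds on a protected SAZ and the failure only surfaces when an entry is opened; the reader therefore stops at the first refused entry rather than reporting a half-empty capture.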
FiddlerCap – Lightweight capture tool
http://www.fiddlercap.com
User-interface localized to:
English | Français | Español | Português | 日本語 | русский
Traffic Analysis
TextWizard
Convert text between popular web encodings.
Traffic Comparison
Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.
Use the Differ Extension to compare sets of sessions at once.
Filtering Traffic
• Ignore Images & CONNECTs
• Application Type Filter
• Process Filter
• Troubleshooting with Help menu
Regular Expression Support
SyntaxView Reformatting
ImageView DataURL Support
ImageView Tools integration
ImageView Metadata & GeoLocation
Better Together: X-Download-Initiator
https://fiddler2.com/dl/EnableDownloadInitiator.reg
cols add @request.X-Download-Initiator
HTML5 Media & Font previews
In Context
Internet Explorer F12 Developer tools
F12 Developer Tools vs. Fiddler
F12 Network Tab                          | Fiddler
Display cache and network requests       | Display and modify only network requests
Shows downloads from current process     | Shows traffic from all processes
Shows post-decryption HTTPS traffic      | Decrypts HTTPS traffic via “man-in-the-middle” approach
Excellent JavaScript Formatter           | Less explicit mixed-content detection
Exports F12 NetworkData.xml              | Imports F12 NetworkData.xml
Scenario
Traffic Manipulation
Automated Rewrites
• Simple built-in Rules
• The HOSTS command
Breakpoint Debugging
Use Fiddler Inspectors to modify requests and responses.
Simple Filters
Flag, modify or remove headers from all requests and responses.
Request Composer
Create hand-built HTTP requests, or modify and reissue a request previously captured.
Supports:
• Automatic authentication
• File Uploads
• Redirect chasing
• Sequential URL Crawling
AutoResponder
Replay previously captured or generated traffic.
FiddlerScript
FiddlerScript – Request Modification
static function OnBeforeRequest(oS: Session) {
    // Colour every request for an .aspx URL red in the Web Sessions list.
    if (oS.uriContains(".aspx")) {
        oS["ui-color"] = "red";
    }
    // m_DisableCaching is a boolean RulesOption toggled from the Rules menu;
    // stripping the conditional headers forces the server to send a full response.
    if (m_DisableCaching) {
        oS.oRequest.headers.Remove("If-None-Match");
        oS.oRequest.headers.Remove("If-Modified-Since");
        oS.oRequest["Pragma"] = "no-cache";
    }
}
FiddlerScript – Response Modification
static function OnBeforeResponse(oS: Session) {
    // Undo any Content-Encoding / Transfer-Encoding so the body can be edited as plain bytes.
    oS.utilDecodeResponse();
    oS.utilPrependToResponseBody("Injected Content!");
}
Powering up with Extensions
Understanding Extensibility
Each component in red is your code…
Diagram: Fiddler.exe, ExecAction.exe, Script / Batch file, Inspector2, Inspector2, IFiddlerExtension, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe
Understanding UI Extensibility
1. RulesOptions
2. ToolsActions
3. Custom menus
4. Custom columns
5. ContextActions
6. QuickExec handlers
7. Views
8. Request Inspectors
9. Response Inspectors
10. Import & Export Transcoders
Type-specific Inspectors
Expert Perf Analysis with neXpert
intruder21 Web Fuzzer, by yamagata21
Watcher & x5s Security Auditors
http://websecuritytool.codeplex.com/
http://xss.codeplex.com/
WCF Binary Inspector
Test Integration
ExecAction.exe calls into OnExecAction in script or extensions.
• Alternatively, invoke directly by sending a Windows Message (WM_COPYDATA):

#include <windows.h>

int main(void)
{
    // The QuickExec command to run, as UTF-16 (this one is from the Protocol Violation slide).
    WCHAR wzData[] = L"prefs set fiddler.lint.HTTP True";
    COPYDATASTRUCT oCDS;
    oCDS.dwData = 61181;                            // Magic Cookie
    oCDS.cbData = lstrlenW(wzData) * sizeof(WCHAR); // byte length of the command
    oCDS.lpData = wzData;
    HWND hFiddler = FindWindowW(NULL, L"Fiddler - HTTP Debugging Proxy");
    if (hFiddler == NULL)
        return 1;                                   // Fiddler is not running
    SendMessage(hFiddler, WM_COPYDATA, (WPARAM)NULL, (LPARAM)&oCDS);
    return 0;
}
Diagram: Fiddler application with extensions (Fiddler.exe): ExecAction.exe, Inspector2, Inspector2, IFiddlerExtension, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe
Diagram: Your application hosting FiddlerCore (YourApp.exe): FiddlerCore, DotNetZip, CertMaker.dll
Programming with FiddlerCore
using System;
using Fiddler;

class Program
{
    static void Main()
    {
        // Attach the handler before Startup so no early session is missed.
        FiddlerApplication.BeforeResponse += delegate(Session oS) {
            Console.WriteLine("{0}:HTTP {1} for {2}", oS.id,
                              oS.responseCode, oS.fullUrl);
        };

        // Call Startup to tell FiddlerCore to begin listening on the specified
        // port, register as the system proxy and decrypt HTTPS traffic.
        FiddlerApplication.Startup(8877, true, true);
        Console.ReadLine();   // capture until Enter is pressed

        // Call Shutdown to tell FiddlerCore to stop listening and
        // unregister as the system proxy.
        FiddlerApplication.Shutdown();
    }
}
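A FiddlerCore host that audits the traffic rather than only printing it, as an added example that is not from the slides or from Telerik. Beyond the members shown on the slide it assumes these FiddlerCore API members: FiddlerApplication.BeforeRequest, Session.isHTTPS, HTTPHeaders.Exists(), and enumeration of a Session's headers as HTTPHeaderItem objects with Name and Value.

```csharp
using System;
using Fiddler;

// Added example (not from the slides or FiddlerCore's samples): flag two
// common transport-security mistakes in traffic passing through the proxy.
static class TrafficAudit
{
    static void Report(Session oS, string finding)
    {
        Console.WriteLine("#{0} {1}: {2}", oS.id, oS.fullUrl, finding);
    }

    // Credentials on a cleartext connection are readable by anyone on the
    // path, including a debugging proxy like the one running this audit.
    public static void CheckRequest(Session oS)
    {
        if (oS.isHTTPS) return;   // assumed member: true for decrypted HTTPS sessions
        if (oS.oRequest.headers.Exists("Authorization"))
            Report(oS, "Authorization header sent over plain HTTP");
        if (oS.oRequest.headers.Exists("Cookie"))
            Report(oS, "Cookie sent over plain HTTP");
    }

    // A cookie set by an HTTPS response without Secure is also sent on later
    // plain-HTTP requests; without HttpOnly it is readable from page script.
    public static void CheckResponse(Session oS)
    {
        foreach (HTTPHeaderItem header in oS.oResponse.headers)
        {
            if (!header.Name.Equals("Set-Cookie", StringComparison.OrdinalIgnoreCase))
                continue;

            string[] parts = header.Value.Split(';');
            string cookieName = parts[0].Split('=')[0].Trim();
            bool secure = false, httpOnly = false;
            for (int i = 1; i < parts.Length; i++)
            {
                string attr = parts[i].Trim();
                if (attr.Equals("Secure", StringComparison.OrdinalIgnoreCase)) secure = true;
                if (attr.Equals("HttpOnly", StringComparison.OrdinalIgnoreCase)) httpOnly = true;
            }
            if (oS.isHTTPS && !secure)
                Report(oS, "Set-Cookie without Secure on HTTPS: " + cookieName);
            if (!httpOnly)
                Report(oS, "Set-Cookie without HttpOnly: " + cookieName);
        }
    }

    static void Main()
    {
        // Attach handlers before Startup so no session is missed.
        FiddlerApplication.BeforeRequest += CheckRequest;
        FiddlerApplication.BeforeResponse += CheckResponse;

        // Same arguments as on the slide: port 8877, register as system proxy,
        // decrypt HTTPS. Decryption only works once FiddlerCore's root
        // certificate is trusted on this machine.
        FiddlerApplication.Startup(8877, true, true);
        Console.WriteLine("Auditing traffic; press Enter to stop.");
        Console.ReadLine();
        FiddlerApplication.Shutdown();
    }
}
```

The request check is deliberately limited to cleartext sessions: on a decrypted HTTPS session the same headers are expected, and the point of the audit is to catch the cases where the client chose HTTP while still sending secrets.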
Fiddler Futures
• Enhanced WebSockets Support
• .NET 4.5.1
• SPDY/HTTP2
• You tell me!
Thank you!
@ericlaw
#fiddler2
//fiddler2.com
//fiddlerbook.com
Now Available