Debugging with Fiddler Eric Lawrence ) Follow along at

How did I end up here?

Once upon a time…

Oh no! What happened?!?

There must be a better way…

A simple idea takes shape… All problems in computer science can be solved by another level of indirection. - David Wheeler

Fiddler: Evolution Ten years, ~30k lines of C#, 120+ release builds, one full-length paperback, a cross-country move to Telerik, and two new supported platforms later…

My current side-project

New Website New Documentation  New Platforms  Enhanced User-Interface Roadmap

Fiddler Today: Demo A quick tour of Fiddler

UI Evolution - Web Sessions list

Fiddler on Linux (Mint/Ubuntu)

It works, but due to UI glitches, you’re usually better off using Parallels / Fusion Fiddler on Mac OSX

Traffic Monitoring

Typical Architecture

Debug Across Devices Fiddler Mac Internet iOS Phones PC Tablets

Fiddler as a Reverse Proxy

Win8/8.1 “Immersive” Apps & IE11

.NET Applications YourApp.exe.config or machine.config

Protocols

Proxies cannot normally “see” HTTPS requests HTTPS Traffic Decryption GET /fiddler2/ GET /Fiddler2/Fiddler.css GET /Fiddler/images/FiddlerLogo.png

Fiddler dynamically generates interception certificates chained to a self-signed root. HTTPS Traffic Decryption

HTML5 WebSockets WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS

HTML5 WebSockets

FTP Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default. Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled. SPDY/HTTP2.0

Protocol Violations prefs set fiddler.lint.HTTP True

Traffic Archiving

Copy sessions to the clipboard Store as a plaintext file Extract binary response bodies Archive to a database Export a Visual Studio.WebTest file Build a HTML5 AppCache Manifest Build a WCAT load-test script Fiddler has many output options

…or write your own

Session Archive Zip files contain: Request and response bytes Timing and other metadata HTML index file For security, SAZ files may be encrypted using AES The SAZ file format

FiddlerCap – Simple capture tool User-interface localized to: English | Français | Español | Português | 日本語 | русский

Traffic Analysis

TextWizard Convert text between popular web encodings.

Traffic Comparison Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.

Traffic Comparison Use the Differ Extension to compare groups of Sessions at once.

Filtering Traffic Ignore Images & CONNECTs Application Type Filter Process Filter Troubleshooting with Help menu

Regular Expression Support

SyntaxView Reformatting

ImageView DataURL Support

ImageView Tools integration

ImageView Metadata & GeoLocation

X-Download-Initiator cols

HTML5 Media & Font previews

In Context

Internet Explorer F12 Developer tools

F12 Developer Tools vs. Fiddler F12 Network TabFiddler Display cache and network requests Display and modify only network requests Shows downloads from current process Shows traffic from all processes Shows post-decryption HTTPS traffic Decrypts HTTPS traffic via “man-in-the-middle” approach Less explicit mixed-content detection Exports F12 NetworkData.xmlImports F12 NetworkData.xml

Traffic Manipulation

Automated Rewrites Simple built-in Rules The HOSTS command

Breakpoint Debugging Use Fiddler Inspectors to modify requests and responses….

Simple Filters Flag, modify or remove headers from all requests and responses.

Request Composer Create hand-built HTTP requests, or modify and reissue a request previously captured. Supports Automatic authentication File Uploads Redirect chasing Sequential URL Crawling

AutoResponder Replay previously- captured or generated traffic.

FiddlerScript

FiddlerScript – Request Modification static function OnBeforeRequest(oS: Session) { if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; } if (m_DisableCaching) { oS.oRequest.headers.Remove("If-None-Match"); oS.oRequest.headers.Remove("If-Modified-Since"); oS.oRequest["Pragma"] = "no-cache"; }

FiddlerScript – Response Modification static function OnBeforeResponse(oS: Session) { oS.utilDecodeResponse(); oS.utilPrependToResponseBody( "Injected Content!"); }

Power up with Extensions

Understanding Extensibility Each component in red is your code… Fiddler.exe Fiddler ScriptEngine Inspector2 IFiddlerExtension FiddlerCore ExecAction.exe Your FiddlerScript Xceed*.dll Makecert.exe Script / Batch file

Understanding UI Extensibility 1.RulesOptions 2.ToolsActions 3.Custom menus 4.Custom columns 5.ContextActions 6.QuickExec handlers 7.Views 8.Request Inspectors 9.Response Inspectors 10.Import & Export Transcoders

Type-specific Inspectors

Expert Perf Analysis with neXpert

intruder21 Web Fuzzer By yamagata21

Watcher & x5s Security Auditors

WCF Binary Inspector

Integration

ExecAction.exe Calls into OnExecAction in script or extensions Alternatively, invoke directly by sending a Windows Message: oCDS.dwData = 61181; // Magic Cookie oCDS.cbData = lstrlen(wzData * sizeof(WCHAR)); oCDS.lpData = wzData; SendMessage( FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"), WM_COPYDATA, NULL, (LPARAM) &oCDS );

Fiddler.exe Fiddler ScriptEngine Inspector2 IFiddlerExtension FiddlerCore ExecAction.exe YourApp.exe FiddlerCore Fiddler application with extensions Your application hosting FiddlerCore Your FiddlerScript Xceed*.dll Makecert.exe CertMaker.dll DotNetZip

Programming with FiddlerCore // Call Startup to tell FiddlerCore to begin // listening on the specified port, register as // the system proxy and decrypt HTTPS traffic. Fiddler.FiddlerApplication.Startup(8877, true, true); Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) { Console.WriteLine("{0}:HTTP/{1} for {2}", oS.id, oS.responseCode, oS.fullUrl); }; // Later, call Shutdown to tell FiddlerCore to stop // listening and unregister as the system proxy Fiddler.FiddlerApplication.Shutdown();

Fiddler Futures WebSockets UI SPDY/HTTP2 UI Enhancements You tell me!

Thank //fiddlerbook.com Now Available