Debugging with Fiddler

Presentation transcript:

Debugging with Fiddler Eric Lawrence @ericlaw

Let’s talk about you…

How did I end up here? Did I imagine that I’d grow up to have a network protocol as my license plate?

In a word, no. But after a decade of obsession with astronautics, I realized I was only really interested in technology, and specifically software.

Once upon a time…

Oh no! What happened?

There must be a better way…

A simple idea takes shape… All problems in computer science can be solved by another level of indirection. - David Wheeler

Only two problems Don’t know HTTP Don’t know C#

Fiddler: Evolution Eleven years, ~35k lines of C#, 160+ release builds, one full-length paperback, a cross-country move to Telerik, and two new supported platforms later…

New Website New Documentation New Platforms Enhanced User-Interface

My current side-project

A quick tour around Fiddler…

UI Evolution – The Web Sessions List

Fiddler on Linux (Mint/Ubuntu) Limitations: No script engine. No WebView. No automatic proxy chaining. UI very glitchy on Mac.

Fiddler on Mac OSX: It works, but due to UI glitches you’re usually better off using VirtualBox / Parallels / Fusion. Limitations: No script engine. No WebView. No automatic proxy chaining. UI very glitchy on Mac.

Traffic Monitoring

Typical Architecture

Debug Across Devices (diagram: PC, Mac, iOS devices, tablets and phones route their traffic through Fiddler on Windows/Linux out to the Internet)

Fiddler as a Reverse Proxy http://fiddler2.com/r/?reverseproxy

Win8/8.1 “Immersive” Apps & IE11
AppContainer blocks “loopback” network connections. For debugging purposes, you can disable that blocking. Ctrl+Click to exempt all AppContainers.
http://blogs.msdn.com/b/fiddler/archive/2011/12/10/fiddler-windows-8-apps-enable-loopback-network-isolation-exemption.aspx

.NET Applications
Point the .NET proxy settings at Fiddler’s listener in YourApp.exe.config or machine.config:

<configuration>
  <system.net>
    <defaultProxy>
      <!-- bypassonlocal="false" so requests to localhost also go through the proxy -->
      <proxy bypassonlocal="false" usesystemdefault="false" proxyaddress="http://127.0.0.1:8888" />
    </defaultProxy>
  </system.net>
</configuration>

http://www.fiddler2.com/Fiddler/help/hookup.asp

node.js
Different libraries offer different approaches…

// Send the request to Fiddler's listener (127.0.0.1:8888) and pass the
// absolute target URL as the path, so the proxy forwards it to bayden.com.
var http = require('http');
var options = {
  host: '127.0.0.1',
  port: 8888,
  path: 'https://bayden.com/echo.aspx',
  headers: { Host: "bayden.com" },
  method: 'POST'
};
var req = http.request(options, function(res) {
  console.log('STATUS: ' + res.statusCode + ' HEADERS: ' + JSON.stringify(res.headers));
  res.setEncoding('utf8');
  res.on('data', function (chunk) {
    console.log('BODY: ' + chunk);
  });
});
req.write('Post Data\n');
req.end();

http://www.fiddler2.com/Fiddler/help/hookup.asp

Protocols

HTTPS Traffic Decryption
For security reasons, proxies cannot normally “see” HTTPS requests. To enable traffic decryption, Fiddler performs a “man-in-the-middle” attack.
http://fiddler2.com/fiddler/help/httpsdecryption.asp
(screenshot: Decrypting CONNECT tunnel to www.fiddler2.com; GET /fiddler2/; GET /Fiddler2/Fiddler.css; GET /Fiddler/images/FiddlerLogo.png; Export to Desktop for Firefox; Added "fiddler.network.https.NoDecryptionHosts" list and UI; Cleanup certificate store)

HTML5 WebSockets WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS. http://websocketstest.com/

FTP
Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default.

SPDY / HTTP2
Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.

SPDY / HTTP2 Fiddler cannot support SPDY until .NET’s SslStream supports ALPN. Please vote for my bug on CONNECT: https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=812003 Also, please vote for this other SslStream bug: https://connect.microsoft.com/VisualStudio/feedback/details/811998/system-net-security-sslstream-calls-localcertificateselection-callback-unconditionally-even-if-server-never-sends-certificaterequest-tls-message

Protocol Violations prefs set fiddler.lint.HTTP True
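The pref above switches on Fiddler’s HTTP linting. To make concrete what a checker of that kind looks for, here is an added example (my own code, not Fiddler’s): a small Node.js linter over a raw HTTP/1.1 request that flags the framing problems a proxy cares about: bare LF line endings, a missing Host header, conflicting Content-Length values, Content-Length combined with Transfer-Encoding, and a body that does not match its declared length. The rule names and the two sample requests are constructed for this example.

```javascript
'use strict';

// Added example, not Fiddler's own code: a minimal HTTP/1.1 request linter.
// Rule ids are my own; input is the raw request text as sent on the wire.

function splitMessage(raw) {
  // Locate the header/body boundary; tolerate bare-LF messages so they can be linted.
  let idx = raw.indexOf('\r\n\r\n');
  let sepLen = 4;
  if (idx === -1) { idx = raw.indexOf('\n\n'); sepLen = 2; }
  if (idx === -1) return { head: raw, body: '', terminated: false };
  return { head: raw.slice(0, idx), body: raw.slice(idx + sepLen), terminated: true };
}

function lintHttpRequest(raw) {
  const findings = [];
  const note = (rule, message) => findings.push({ rule, message });

  const { head, body, terminated } = splitMessage(raw);
  if (!terminated) note('no-header-terminator', 'headers are not terminated by a blank line');

  // Bare LF line endings are tolerated by many servers but violate RFC 7230.
  if (/(^|[^\r])\n/.test(head)) note('bare-lf', 'header block uses LF without CR');

  const lines = head.split(/\r?\n/);
  const requestLine = lines[0] || '';
  const parts = requestLine.split(' ');
  if (parts.length !== 3 || !/^HTTP\/1\.[01]$/.test(parts[2])) {
    note('bad-request-line', `malformed request line: "${requestLine}"`);
  }
  const version = parts[2];

  // Collect headers by lowercase name; keep every value so duplicates are visible.
  const headers = new Map();
  for (const line of lines.slice(1)) {
    if (line === '') continue;
    const colon = line.indexOf(':');
    if (colon <= 0) { note('bad-header-line', `header without name/value: "${line}"`); continue; }
    const rawName = line.slice(0, colon);
    if (/\s$/.test(rawName)) note('space-before-colon', `whitespace before colon in "${rawName.trim()}"`);
    const name = rawName.trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }

  if (version === 'HTTP/1.1' && !headers.has('host')) {
    note('missing-host', 'HTTP/1.1 request lacks a Host header');
  }

  // Body framing: the checks that matter most when a proxy sits between two parsers.
  const cls = headers.get('content-length') || [];
  const distinct = new Set(cls);
  if (distinct.size > 1) note('conflicting-content-length', `Content-Length values differ: ${cls.join(', ')}`);
  for (const v of distinct) {
    if (!/^\d+$/.test(v)) note('bad-content-length', `Content-Length is not a non-negative integer: "${v}"`);
  }
  if (cls.length > 0 && headers.has('transfer-encoding')) {
    note('cl-and-te', 'both Content-Length and Transfer-Encoding present; body framing is ambiguous');
  }
  if (distinct.size === 1 && terminated) {
    const declared = Number([...distinct][0]);
    const actual = Buffer.byteLength(body, 'utf8');
    if (Number.isFinite(declared) && declared !== actual) {
      note('body-length-mismatch', `Content-Length ${declared} but body has ${actual} bytes`);
    }
  }
  return findings;
}

// Constructed sample requests (not captured traffic).
const GOOD_REQUEST = 'POST /echo HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello';
const BAD_REQUEST = 'POST /echo HTTP/1.1\nContent-Length: 5\nContent-Length: 7\nTransfer-Encoding: chunked\n\nhello';
```

Findings come back as an array rather than being printed so the same check can run over a batch of captured sessions. The Content-Length/Transfer-Encoding pairing is worth flagging even when a single server accepts it: when two hops disagree on which header frames the body, the result is the desynchronisation behind request-smuggling bugs, and a proxy is exactly the place to catch that.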

Store & Load Traffic

Output Formats
Fiddler Session Archive
Copy to the clipboard
Visual Studio .WebTest
Store as a plaintext file
HTML5 AppCache Manifest
Extract binary response bodies
WCAT Load Test
Archive to a database
cURL Script
HTTP Archive Format (HAR)
Meddler Script

Or write your own… Fiddler’s Import/Export architecture http://fiddler2.com/documentation/Extend-Fiddler/ImporterExporterInterfaces

The SAZ file format
Session Archive Zip files contain: request and response bytes, timing and other metadata, WebSocket messages, and an HTML index file. For security, SAZ files may be encrypted using AES.
http://fiddler.wikidot.com/saz-files

FiddlerCap – Simple captures
FiddlerCap allows non-technical users to easily capture SAZ archives which can be emailed to developers or experts for analysis. FiddlerCap is available from http://www.fiddlercap.com.
User-interface localized to: English | Français | Español | Português | 日本語 | русский

Import Formats
HTTP Archive Format (HAR)
Internet Explorer F12 Developer Tools (NETXML)
Telerik Test Studio LoadTest
Packet Capture (WireShark, tcpdump, NetMon)
…or write your own

PCAP Import

Traffic Analysis

TextWizard Convert text between popular web encodings.

Traffic Comparison Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.

Traffic Comparison Use the Differ Extension to compare groups of Sessions at once.

Filtering Traffic
Selecting Traffic
Using QuickExec
Using Find
Ignore Images & CONNECTs
Application Type Filter
Process Filter
Troubleshooting with Help menu

Regular Expression Support

SyntaxView Reformatting

ImageView DataURL Support

ImageView Tools Integration http://fiddler2.com/blog/blog/2013/06/04/what-s-new-in-fiddler-2-4-4-5 http://fiddler2.com/blog/blog/2013/01/17/fiddler-imageview-enhancements

Metadata & GeoLocation http://fiddler2.com/blog/blog/2013/01/17/fiddler-imageview-geolocation

HTML5 Media & Font previews

X-Download-Initiator
Run this: https://www.fiddler2.com/dl/EnableDownloadInitiator.reg
cols add @request.X-Download-Initiator
cols add @request.Accept
FiddlerObject.UI.lvSessions.AddBoundColumn("Reason", 50, "@request.X-Download-Initiator");

Traffic Manipulation

Automated Rewrites Simple built-in Rules The HOSTS command

Breakpoint Debugging Use Fiddler Inspectors to modify requests and responses.

Simple Filters Flag, modify or remove headers from all requests and responses.

Request Composer Create hand-built requests, or modify and reissue a request previously captured. Supports: Automatic authentication File Uploads Redirect chasing Sequential URL Crawling CURL commands

AutoResponder Replay previously-captured or generated traffic.
http://fiddler2.com/blog/blog/2012/11/15/better-repro-playback-with-fiddler
Drag / drop entire folder structure
FARX
Bulk updates
*drop
Latency *delay:###ms
// AutoResponder now supports *redir: and HTTP/HTTPS URL overrides
// AutoResponder now supports *exit
// AutoResponder now supports NOT: rules
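To show how the rule directives on this slide fit together (the order of rules, the *drop / *delay / *redir: / *exit actions and NOT: negation), here is an added JavaScript example that is my own simplified re-implementation of AutoResponder-style matching, not Fiddler’s code. Its assumptions are mine and are not verified against Fiddler’s source: a plain match string is a case-insensitive substring test against the URL, EXACT: requires equality, regex: compiles the remainder as a regular expression, NOT: negates the rule, the first enabled matching rule wins, and *exit stops evaluation and lets the request proceed. The sample rule set is constructed for this example.

```javascript
'use strict';

// Added example, not Fiddler's own code: a simplified AutoResponder-style rule
// engine. Match semantics and action handling are assumptions, not Fiddler's.

function compileMatch(matchSpec) {
  let spec = matchSpec.trim();
  let negate = false;
  if (/^NOT:/i.test(spec)) {        // NOT: inverts whatever follows
    negate = true;
    spec = spec.slice(4).trim();
  }
  let test;
  if (/^EXACT:/i.test(spec)) {      // EXACT: full-URL equality
    const target = spec.slice(6);
    test = (url) => url === target;
  } else if (/^regex:/i.test(spec)) { // regex: the rest is a pattern
    const re = new RegExp(spec.slice(6), 'i');
    test = (url) => re.test(url);
  } else {                          // default: case-insensitive substring
    const needle = spec.toLowerCase();
    test = (url) => url.toLowerCase().includes(needle);
  }
  return negate ? (url) => !test(url) : test;
}

// Turn the action column into a structured action. Anything that is not one
// of the "*" directives is treated as a local file to serve in place of the response.
function parseAction(actionSpec) {
  const a = actionSpec.trim();
  if (a === '*drop') return { kind: 'drop' };
  if (a === '*exit') return { kind: 'exit' };
  const delay = /^\*delay:(\d+)$/i.exec(a);
  if (delay) return { kind: 'delay', ms: Number(delay[1]) };
  const redir = /^\*redir:(.+)$/i.exec(a);
  if (redir) return { kind: 'redirect', url: redir[1] };
  return { kind: 'file', path: a };
}

function buildRuleTable(rules) {
  return rules.map((r) => ({
    spec: r.match,
    enabled: r.enabled !== false,
    match: compileMatch(r.match),
    action: parseAction(r.action),
  }));
}

// Resolve a URL to the action of the first enabled rule that matches it.
// '*exit' and "no rule matched" both mean the request goes on to the server.
function resolve(table, url) {
  for (const rule of table) {
    if (!rule.enabled || !rule.match(url)) continue;
    if (rule.action.kind === 'exit') return { kind: 'passthrough', rule: rule.spec };
    return { ...rule.action, rule: rule.spec };
  }
  return { kind: 'passthrough' };
}

// Constructed sample rule set (not from a real Fiddler session). Order matters:
// the NOT: rule drops everything that is not for example.test.
const SAMPLE_RULES = [
  { match: 'EXACT:http://example.test/api', action: '*redir:http://localhost:3000/api' },
  { match: 'regex:\\.png$', action: 'stubs/blank.png' },
  { match: 'NOT:example.test', action: '*drop' },
  { match: 'example.test', action: '*delay:250' },
  { match: 'disabled.test', action: '*exit', enabled: false },
];
```

The disabled rule in the sample set illustrates a point worth checking in any rule table: a rule that is switched off does not shield a URL from a later, broader rule, so here disabled.test falls through to the NOT: rule and is dropped.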

FiddlerScript

FiddlerScript – Request Modification

// m_DisableCaching is a boolean field declared elsewhere in the script.
static function OnBeforeRequest(oS: Session) {
  if (oS.uriContains(".aspx")) {
    oS["ui-color"] = "red";   // highlight .aspx requests in the Sessions list
  }
  if (m_DisableCaching) {
    // Strip conditional headers and force revalidation so the server sends a fresh response.
    oS.oRequest.headers.Remove("If-None-Match");
    oS.oRequest.headers.Remove("If-Modified-Since");
    oS.oRequest["Pragma"] = "no-cache";
  }
}

FiddlerScript – Response Modification

static function OnBeforeResponse(oS: Session) {
  oS.utilDecodeResponse();   // remove chunking/compression before editing the body
  oS.utilPrependToResponseBody("Injected Content!");
}

Powerups

Understanding Extensibility Each component in red is your code… (diagram: Fiddler.exe hosts the Fiddler ScriptEngine running your FiddlerScript, IFiddlerExtension and Inspector2 plug-ins, and FiddlerCore with Xceed*.dll and Makecert.exe; ExecAction.exe and script / batch files drive it from outside)

Understanding UI Extensibility
Rules/Options, Tools/Actions
Custom menus
Custom columns
ContextActions
QuickExec handlers
Views
Request Inspectors
Response Inspectors
Import & Export Transcoders

Type-specific Inspectors

Expert Perf Analysis with neXpert
Creates response time predictions and suggests optimizations for your site.
http://www.fiddler2.com/fiddler2/addons/nexpert.asp
http://calendar.perfplanet.com/2012/building-faster-sites-and-services-with-fiddler/

intruder21 Web Fuzzer By yamagata21 MIX 11 4/14/2017 http://yamagata.int21h.jp/tool/intruder21/

Watcher & x5s Security Auditors http://websecuritytool.codeplex.com/ http://xss.codeplex.com/

WCF Binary Inspector http://code.msdn.microsoft.com/wcfbinaryinspector

Integration

ExecAction.exe Calls into OnExecAction in script or extensions.
Alternatively, invoke directly by sending a Windows Message:

// wzData is the QuickExec command to run, e.g. L"quit"; cbData covers the terminating NUL.
LPCWSTR wzData = L"quit";
COPYDATASTRUCT oCDS;
oCDS.dwData = 61181; // Magic Cookie
oCDS.cbData = (lstrlen(wzData) + 1) * sizeof(WCHAR);
oCDS.lpData = (PVOID) wzData;
SendMessage(FindWindow(NULL, TEXT("Fiddler - HTTP Debugging Proxy")), WM_COPYDATA, NULL, (LPARAM) &oCDS);

http://www.fiddler2.com/fiddler/dev/#Automation

Fiddler application with extensions vs. your application hosting FiddlerCore (diagram: Fiddler.exe wraps the Fiddler ScriptEngine, your FiddlerScript, IFiddlerExtension and Inspector2 plug-ins, ExecAction.exe and FiddlerCore with Xceed*.dll and Makecert.exe; YourApp.exe embeds FiddlerCore with DotNetZip and CertMaker.dll)

Programming with FiddlerCore

// Call Startup to tell FiddlerCore to begin listening on the specified port,
// register as the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);

// Log every response as it comes back through the proxy.
Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
  Console.WriteLine("{0}:HTTP/{1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
};

// Later, call Shutdown to tell FiddlerCore to stop listening and
// unregister as the system proxy.
Fiddler.FiddlerApplication.Shutdown();

http://fiddler.wikidot.com/fiddlercore-api
http://fiddler.wikidot.com/fiddlercore-demo
Now available for .NET CLR 4.0, supporting HTTPS, with an arbitrary number of listening endpoints. Export captured traffic to the SAZ format or the database of your choice.

Fiddler Futures WebSockets UI SPDY/HTTP2 UI Enhancements You tell me!

Thank you!!! Eric Lawrence @ericlaw //fiddlerbook.com ~300 pages. Paper or DRM-free PDF.