Advanced Web Debugging with Fiddler Eric Lawrence Program Manager Internet Explorer Note: Session includes demos and code samples. For optimal viewing, please sit near the front!

TRAFFIC CAPTURE GET /data HTTP/1.1

Typical Architecture

Debug Across Devices Fiddler Mac Internet SmartPhone Linux PC

FiddlerHook for Firefox

TRAFFIC IMPORT Fiddler, FiddlerCap, and IE9

FiddlerCap FiddlerCap is a lightweight capture tool

IE9 Developer Tools IE9’s Developer Tools include a “Network” tab

TRAFFIC ANALYSIS Examine Requests and Responses

Filtering Traffic Ignore Images & CONNECTs Application Type Filter Process Filter Using QuickExec Using Find

Output Options Copy sessions to the clipboard Store as a plaintext file Extract binary response bodies Archive to a database Export a Visual Studio.WebTest file Write your own… Fiddler’s native “Session Archive ZIP” (SAZ) Format

Traffic Comparison Use WinDiff to compare HTTP requests and responses.

Traffic Comparison “Viewer” mode allows examining multiple captures side-by-side. fiddler.exe -viewer

TRAFFIC MODIFICATION Rewriting HTTP(S) Traffic

Automated Rewrites Simple Built-in Rules The HOSTS extension

Breakpoint Debugging Use Fiddler inspectors to modify requests and responses….

Understanding Streaming Timeline view of Buffering Mode Timeline view of Streaming Mode

Request Builder Create hand-built HTTP requests, or modify and reissue a request previously captured.

Simple Filters Flag, modify or remove headers from all requests and responses.

AutoResponder Replay previously captured or generated traffic.

SCRIPTING AND EXTENSIBILITY Powering Up Fiddler

Understanding Extensibility Fiddler 2 Fiddler ScriptEngine Inspector2 IFiddlerExtension Fiddler Proxy ExecAction.exe Your FiddlerScript Xceed*.dll Makecert.exe Your Automation

FIDDLERSCRIPT Lightweight extensibility using JavaScript

FiddlerScript

FiddlerScript: Request Modification static function OnBeforeRequest(oS: Session){ if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; } if (m_DisableCaching){ oS.oRequest.headers.Remove("If-None-Match"); oS.oRequest.headers.Remove("If-Modified- Since"); oS.oRequest["Pragma"] = "no-cache"; }

FiddlerScript: Response Modification static function OnBeforeResponse(oS: Session) { oS.utilDecodeResponse(); oS.utilPrependToResponseBody("Injected Content!"); }

EXTENSIONS Powerful extensibility using any.NET Language

neXpert

Watcher Automated (passive) security analysis

TEST INTEGRATION Integrating Fiddler into your tools

ExecAction The ExecAction.exe command line utility calls into the OnExecAction function in script and Fiddler extensions.

FiddlerCore Fiddler 2 Fiddler ScriptEngine Inspector2 IFiddlerExtension FiddlerCore ExecAction.exe YourApp.exe FiddlerCore Fiddler application with extensionsYour application hosting FiddlerCore Your FiddlerScript Xceed*.dll Makecert.exe

Programming with FiddlerCore // Call Startup to tell FiddlerCore to begin // listening on the specified port, register as // the system proxy and decrypt HTTPS traffic. Fiddler.FiddlerApplication.Startup(8877, true, true); Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) { Console.WriteLine ("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl); }; // Call Shutdown to tell FiddlerCore to stop // listening and unregister as the system proxy Fiddler.FiddlerApplication.Shutdown();

Call To Action Try the Watcher & neXpert extensions Use FiddlerCap to collect traffic from the field Check out import from the IE9 Developer Tools

Questions and Resources Resources o Meet the IE Team in the MIX “Commons” o o Please fill out an evaluation form for this session ( FT-50 ). Thank you!