Presentation on theme: "Debugging with Fiddler Eric Let’s talk about you…"— Presentation transcript:

1 Debugging with Fiddler Eric Lawrence @ericlaw

2 Let’s talk about you…

3 How did I end up here?

4

5 Once upon a time…

6 Oh no! What happened?

7 There must be a better way…

8 A simple idea takes shape… All problems in computer science can be solved by another level of indirection. - David Wheeler

9 Only two problems: Don’t know HTTP; Don’t know C#

10 Fiddler: Evolution Eleven years, ~35k lines of C#, 160+ release builds, one full-length paperback, a cross-country move to Telerik, and two new supported platforms later…

11 New Website; New Documentation; New Platforms; Enhanced User-Interface

12 My current side-project

13 A quick tour around Fiddler…

14 UI Evolution – The Web Sessions List

15 Fiddler on Linux (Mint/Ubuntu)

16 Fiddler on Mac OSX It works, but due to UI glitches, you’re usually better off using VirtualBox / Parallels / Fusion

17 Traffic Monitoring

18 Typical Architecture

19 Debug Across Devices (diagram: Fiddler on Windows/Linux/Mac sits between the Internet and iOS, Phones, PC, Tablets)

20 Fiddler as a Reverse Proxy http://fiddler2.com/r/?reverseproxy

21 Win8/8.1 “Immersive” Apps & IE11

22 .NET Applications: YourApp.exe.config or machine.config

23 node.js: Different libraries offer different approaches…

```javascript
var http = require('http');
var options = {
  host: '127.0.0.1',                     // Fiddler's listening address
  port: 8888,                            // Fiddler's default proxy port
  path: 'https://bayden.com/echo.aspx',  // absolute URL, as sent to a proxy
  headers: { Host: "bayden.com" },
  method: 'POST'
};
var req = http.request(options, function(res) {
  console.log('STATUS: ' + res.statusCode + ' HEADERS: ' + JSON.stringify(res.headers));
  res.setEncoding('utf8');
  res.on('data', function (chunk) { console.log('BODY: ' + chunk); });
});
req.write('Post Data\n');
req.end();
```

24 Protocols

25 HTTPS Traffic Decryption: For security reasons, proxies cannot normally “see” HTTPS requests. To enable traffic decryption, Fiddler performs a “man-in-the-middle” attack. (Screenshot: Decrypting CONNECT tunnel to www.fiddler2.com, followed by GET /fiddler2/, GET /Fiddler2/Fiddler.css, GET /Fiddler/images/FiddlerLogo.png)

26 HTML5 WebSockets WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS.

27 FTP: Fiddler supports FTP traffic via a built-in FTP gateway. The FTP proxy is off by default. SPDY / HTTP2: Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.

28 SPDY / HTTP2: Fiddler cannot support SPDY until .NET’s SslStream supports ALPN. Please vote for my bug on CONNECT: https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=812003 Also, please vote for this other SslStream bug: https://connect.microsoft.com/VisualStudio/feedback/details/811998/system-net-security-sslstream-calls-localcertificateselection-callback-unconditionally-even-if-server-never-sends-certificaterequest-tls-message

29 Protocol Violations: QuickExec command `prefs set fiddler.lint.HTTP True`

30 Store & Load Traffic

31 Output Formats: Fiddler Session Archive; Visual Studio .WebTest; HTML5 AppCache Manifest; WCAT Load Test; cURL Script; HTTP Archive Format (HAR); Meddler Script; Copy to the clipboard; Store as a plaintext file; Extract binary response bodies; Archive to a database

32 Or write your own…

33 The SAZ file format: Session Archive Zip files contain: Request and response bytes; Timing and other metadata; WebSocket messages; HTML index file. For security, SAZ files may be encrypted using AES.
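As an added example (not from the talk and not Fiddler's own code), the following Python inspects a SAZ archive before it is shared: it checks whether the ZIP entries carry the encrypted flag and lists captured sessions whose request holds credential-bearing headers. The raw/NN_c.txt, raw/NN_s.txt and _index.htm entry names are assumed from Fiddler's SAZ layout rather than stated on the slide; the two-session archive is constructed inline.

```python
import io
import re
import zipfile

# Entry layout assumed from Fiddler's SAZ convention (not stated on the slide):
# raw/NN_c.txt = request bytes, raw/NN_s.txt = response bytes, _index.htm = index.
ENTRY_RE = re.compile(r"^raw/(\d+)_([cs])\.txt$")
# Request headers whose presence in a shared capture is a credential-disclosure risk.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}

def build_sample_saz() -> bytes:
    """Constructed two-session archive for the demo (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_index.htm", "<html><body>index</body></html>")
        zf.writestr("raw/01_c.txt", "GET http://example.test/ HTTP/1.1\r\n"
                    "Host: example.test\r\nCookie: session=abc123\r\n\r\n")
        zf.writestr("raw/01_s.txt", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        zf.writestr("raw/02_c.txt", "POST http://example.test/login HTTP/1.1\r\n"
                    "Host: example.test\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\nu=a")
        zf.writestr("raw/02_s.txt", "HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n")
    return buf.getvalue()

def is_encrypted(saz: bytes) -> bool:
    """True if any entry sets the ZIP 'encrypted' general-purpose flag (bit 0)."""
    with zipfile.ZipFile(io.BytesIO(saz)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def _request_headers(raw: str) -> dict:
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")  # header block, request line first
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in head[1:] if ":" in ln)}

def audit_saz(saz: bytes) -> list:
    """One record per session: id, method, url, status, sensitive request headers."""
    sessions = {}
    with zipfile.ZipFile(io.BytesIO(saz)) as zf:
        for name in zf.namelist():
            m = ENTRY_RE.match(name)
            if m:
                text = zf.read(name).decode("utf-8", "replace")
                sessions.setdefault(int(m.group(1)), {})[m.group(2)] = text
    report = []
    for sid in sorted(sessions):
        req, resp = sessions[sid].get("c", ""), sessions[sid].get("s", "")
        method, url = (req.split("\r\n", 1)[0].split(" ") + ["", ""])[:2]
        status = resp.split(" ", 2)[1] if resp.startswith("HTTP/") else ""
        leaked = sorted(h for h in _request_headers(req) if h in SENSITIVE)
        report.append({"id": sid, "method": method, "url": url, "status": status, "sensitive": leaked})
    return report
```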

34 FiddlerCap – Simple captures: http://www.fiddlercap.com User-interface localized to: English | Français | Español | Português | 日本語 | русский

35 Import Formats: HTTP Archive Format (HAR); Internet Explorer F12 Developer Tools (NETXML); Telerik Test Studio LoadTest; Packet Capture (WireShark, tcpdump, NetMon); …or write your own

36 PCAP Import

37 Traffic Analysis

38 TextWizard Convert text between popular web encodings.

39 Traffic Comparison Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.

40 Traffic Comparison Use the Differ Extension to compare groups of Sessions at once.

41 Filtering Traffic: Ignore Images & CONNECTs; Application Type Filter; Process Filter; Troubleshooting with Help menu

42 Regular Expression Support

43 SyntaxView Reformatting

44 ImageView DataURL Support

45 ImageView Tools Integration

46 Metadata & GeoLocation

47 HTML5 Media & Font previews

48 X-Download-Initiator: enable with https://fiddler2.com/dl/EnableDownloadInitiator.reg, then show the column with the QuickExec command `cols add @request.X-Download-Initiator`

49 Traffic Manipulation

50 Automated Rewrites: Simple built-in Rules; The HOSTS command

51 Breakpoint Debugging: Use Fiddler Inspectors to modify requests and responses.

52 Simple Filters Flag, modify or remove headers from all requests and responses.

53 Request Composer: Create hand-built requests, or modify and reissue a request previously captured. Supports: Automatic authentication; File Uploads; Redirect chasing; Sequential URL Crawling; CURL commands

54 AutoResponder: Replay previously-captured or generated traffic.

55 FiddlerScript

56 FiddlerScript – Request Modification

```js
// m_DisableCaching is the "Disable Caching" RulesOption toggle from Fiddler's
// default CustomRules.js; declared here so the handler is self-contained.
public static RulesOption("Disable Caching", "Performance")
var m_DisableCaching: boolean = false;

static function OnBeforeRequest(oS: Session) {
  // Color sessions whose URL contains ".aspx" red in the Web Sessions list
  if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; }
  // Strip conditional-request headers and force a fresh fetch
  if (m_DisableCaching) {
    oS.oRequest.headers.Remove("If-None-Match");
    oS.oRequest.headers.Remove("If-Modified-Since");
    oS.oRequest["Pragma"] = "no-cache";
  }
}
```

57 FiddlerScript – Response Modification

```js
static function OnBeforeResponse(oS: Session) {
  // Decompress/unchunk the body so it can be edited as plain text
  oS.utilDecodeResponse();
  oS.utilPrependToResponseBody("Injected Content!");
}
```

58 Powerups

59 Understanding Extensibility: Each component in red is your code… (Diagram components: Fiddler.exe, Fiddler ScriptEngine, Inspector2, IFiddlerExtension, FiddlerCore, ExecAction.exe, Your FiddlerScript, Xceed*.dll, Makecert.exe, Script / Batch file)

60 Understanding UI Extensibility: 1. RulesOptions; 2. ToolsActions; 3. Custom menus; 4. Custom columns; 5. ContextActions; 6. QuickExec handlers; 7. Views; 8. Request Inspectors; 9. Response Inspectors; 10. Import & Export Transcoders

61 Type-specific Inspectors

62 Expert Perf Analysis with neXpert

63 intruder21 Web Fuzzer By yamagata21

64 Watcher & x5s Security Auditors http://websecuritytool.codeplex.com/ http://xss.codeplex.com/

65 WCF Binary Inspector

66 Integration

67 ExecAction.exe calls into OnExecAction in script or extensions. Alternatively, invoke directly by sending a Windows Message:

```cpp
#include <windows.h>

// Dispatch a QuickExec command string to a running Fiddler instance via WM_COPYDATA.
void SendFiddlerCommand(WCHAR* wzData) {
    COPYDATASTRUCT oCDS;
    oCDS.dwData = 61181;                            // Magic Cookie
    oCDS.cbData = lstrlenW(wzData) * sizeof(WCHAR); // byte length of the command text
    oCDS.lpData = wzData;
    SendMessage(FindWindowW(NULL, L"Fiddler - HTTP Debugging Proxy"),
                WM_COPYDATA, NULL, (LPARAM)&oCDS);
}

// Example: the same command shown on the Protocol Violations slide
// SendFiddlerCommand(L"prefs set fiddler.lint.HTTP True");
```

68 (Diagram) Fiddler application with extensions: Fiddler.exe, Fiddler ScriptEngine, Inspector2, IFiddlerExtension, FiddlerCore, ExecAction.exe, Your FiddlerScript, Xceed*.dll, Makecert.exe. Your application hosting FiddlerCore: YourApp.exe, FiddlerCore, CertMaker.dll, DotNetZip

69 Programming with FiddlerCore

```csharp
// Call Startup to tell FiddlerCore to begin listening on the specified port,
// register as the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);

Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
    Console.WriteLine("{0}:HTTP/{1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
};

// Later, call Shutdown to tell FiddlerCore to stop listening
// and unregister as the system proxy
Fiddler.FiddlerApplication.Shutdown();
```

70 Fiddler Futures: WebSockets UI; SPDY/HTTP2; UI Enhancements; You tell me!

71 //fiddlerbook.com Thank you!!! Eric Lawrence @ericlaw
