Gold Silver Bronze
Eric Follow along at
Origins
Once upon a time…
Oh no! What happened?!?
There must be a better way…
A simple idea takes shape… All problems in computer science can be solved by another level of indirection - David Wheeler
Fiddler: Evolution Ten years, ~30k lines of C#, 120+ release builds, a cross-country move to Telerik, and two new supported Platforms later…
My current side-project
New Website New Documentation New Platforms Enhanced User-Interface Roadmap
Fiddler Today Demo
UI Evolution - Web Sessions list
Fiddler on Linux Linux Mint & Ubuntu
Fiddler on Mac OSX It works, but due to UI glitches, you’re usually better off using Parallels
Traffic Monitoring
Typical Architecture
Debugging Across Devices Fiddler Mac Internet iOS Phones PC Tablets
Fiddler as a Reverse Proxy
Firefox Configuration Use the FiddlerHook add-on or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings
Win 8 “Store Apps” & IE11
.NET Applications YourApp.exe.config
Protocols
HTTPS Traffic Decryption Proxies cannot normally “see” HTTPS requests GET /fiddler2/ GET /Fiddler2/Fiddler.css GET /Fiddler/images/FiddlerLogo.png
HTTPS Traffic Decryption Fiddler dynamically generates interception certificates chained to a self-signed root.
HTML5 WebSockets
WebSockets enable bi- directional socket communications over a connection established using HTTP or HTTPS
FTP Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default. Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled. SPDY/HTTP2.0
Protocol Violation prefs set fiddler.lint.HTTP True
Traffic Archiving
Fiddler has many output options Copy sessions to the clipboard Store as a plaintext file Extract binary response bodies Archive to a database Export a Visual Studio.WebTest file Build a HTML5 AppCache Manifest Build a WCAT load-test script
…or write your own
The SAZ file format Session Archive Zip files contain: Request and response bytes Timing and other metadata HTML index file For security, SAZ files may be encrypted
FiddlerCap – Lightweight capture tool User-interface localized to: English | Français | Español | Português | 日本語 | русский
Traffic Analysis
TextWizard Convert text between popular web encodings.
Traffic Comparison Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.
Traffic Comparison Use the Differ Extension to compare sets of sessions at once.
Filtering Traffic Ignore Images & CONNECTs Application Type Filter Process Filter Troubleshooting with Help menu
Regular Expression Support
SyntaxView Reformatting
ImageView DataURL Support
ImageView Tools integration
ImageView Metadata & GeoLocation
Better Together: X-Download-Initiator cols
HTML5 Media & Font previews
In Context
Internet Explorer F12 Developer tools
F12 Developer Tools vs. Fiddler F12 Network TabFiddler Display cache and network requests Display and modify only network requests Shows downloads from current process Shows traffic from all processes Shows post-decryption HTTPS traffic Decrypts HTTPS traffic via “man-in-the-middle” approach ExcellentJavaScript Formatter Less explicit mixed-content detection Exports F12 NetworkData.xmlImports F12 NetworkData.xml
Scenario Traffic Manipulation
Automated Rewrites Simple built-in Rules The HOSTS command
Breakpoint Debugging Use Fiddler Inspectors to modify requests and responses….
Simple Filters Flag, modify or remove headers from all requests and responses.
Request Composer Create hand-built HTTP requests, or modify and reissue a request previously captured. Supports Automatic authentication File Uploads Redirect chasing Sequential URL Crawling
AutoResponder Replay previously- captured or generated traffic.
FiddlerScript
FiddlerScript – Request Modification static function OnBeforeRequest(oS: Session){ if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; } if (m_DisableCaching){ oS.oRequest.headers.Remove("If-None-Match"); oS.oRequest.headers.Remove("If-Modified-Since"); oS.oRequest["Pragma"] = "no-cache"; }
FiddlerScript – Response Modification static function OnBeforeResponse(oS: Session) { oS.utilDecodeResponse(); oS.utilPrependToResponseBody("Injected Content!"); }
Powering up with Extensions
Understanding Extensibility Each component in red is your code… Fiddler.exe Fiddler ScriptEngine Inspector2 IFiddlerExtension FiddlerCore ExecAction.exe Your FiddlerScript Xceed*.dllMakecert.exe Script / Batch file
Understanding UI Extensibility 1.RulesOptions 2.ToolsActions 3.Custom menus 4.Custom columns 5.ContextActions 6.QuickExec handlers 7.Views 8.Request Inspectors 9.Response Inspectors 10.Import & Export Transcoders
Type-specific Inspectors
Expert Perf Analysis with neXpert
intruder21 Web Fuzzer By yamagata21
Watcher & x5s Security Auditors
WCF Binary Inspector
Test Integration
ExecAction.exe Calls into OnExecAction in script or extensions Alternatively, invoke directly by sending a Windows Message: oCDS.dwData = 61181; // Magic Cookie oCDS.cbData = lstrlen(wzData * sizeof(WCHAR)); oCDS.lpData = wzData; SendMessage( FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"), WM_COPYDATA, NULL, (LPARAM) &oCDS );
Fiddler.exe Fiddler ScriptEngine Inspector2 IFiddlerExtension FiddlerCore ExecAction.exe YourApp.exe FiddlerCore Fiddler application with extensions Your application hosting FiddlerCore Your FiddlerScript Xceed*.dllMakecert.exe CertMaker.dll DotNetZip
Programming with FiddlerCore // Call Startup to tell FiddlerCore to begin // listening on the specified port, register as // the system proxy and decrypt HTTPS traffic. Fiddler.FiddlerApplication.Startup(8877, true, true); Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) { Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl); }; // Call Shutdown to tell FiddlerCore to stop // listening and unregister as the system proxy Fiddler.FiddlerApplication.Shutdown();
Fiddler Futures Enhanced WebSockets Support .NET SPDY/HTTP2 You tell me!
@ericlaw #fiddler2 //fiddler2.com //fiddlerbook.com Thank you! Now Available