Debugging with Fiddler – Eric Lawrence (@ericlaw)
Let’s talk about you…
How did I end up here?
Once upon a time…
Oh no! What happened?
There must be a better way…
A simple idea takes shape… All problems in computer science can be solved by another level of indirection. - David Wheeler
Only two problems • Don’t know HTTP • Don’t know C#
Fiddler: Evolution – Eleven years, ~35k lines of C#, 160+ release builds, one full-length paperback, a cross-country move to Telerik, and two new supported platforms later…
• New Website • New Documentation • New Platforms • Enhanced User-Interface
My current side-project
Fiddler…
UI Evolution – The Web Sessions List
Fiddler on Linux (Mint/Ubuntu)
Fiddler on Mac OSX • It works, but due to UI glitches, you’re usually better off using VirtualBox / Parallels / Fusion
Traffic Monitoring
Typical Architecture
Debug Across Devices (diagram): PC, Phones, Tablets, iOS, Mac → Fiddler (Windows/Linux) → Internet
Fiddler as a Reverse Proxy – http://fiddler2.com/r/?reverseproxy
& IE 11
.NET Applications – in YourApp.exe.config or machine.config:
  <configuration>
    <system.net>
      <defaultProxy>
        <proxy bypassonlocal="false" usesystemdefault="false" proxyaddress="http://127.0.0.1:8888" />
      </defaultProxy>
    </system.net>
  </configuration>
node.js – Different libraries offer different approaches… (here: connect to the proxy, put the absolute URL in the path and the real host in the Host header)
  var http = require('http');
  var options = {
    host: '127.0.0.1',
    port: 8888,
    path: 'https://bayden.com/echo.aspx',
    headers: { Host: "bayden.com" },
    method: 'POST'
  };
  var req = http.request(options, function(res) {
    console.log('STATUS: ' + res.statusCode + ' HEADERS: ' + JSON.stringify(res.headers));
    res.setEncoding('utf8');
    res.on('data', function (chunk) { console.log('BODY: ' + chunk); });
  });
  req.write('Post Data\n');
  req.end();
Protocols
Decryption – For security reasons, proxies cannot normally “see” HTTPS requests. To enable traffic decryption, Fiddler performs a “man-in-the-middle” attack. Session list shown: decrypting CONNECT tunnel to www.fiddler2.com, then GET /fiddler2/, GET /Fiddler2/Fiddler.css, GET /Fiddler/images/FiddlerLogo.png
HTML5 WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS.
FTP – Fiddler supports FTP traffic via a built-in FTP gateway. The FTP proxy is off by default. SPDY / HTTP 2 – Fiddler recognizes and tags SPDY connections if HTTPS decryption is disabled.
SPDY / HTTP 2 – Fiddler cannot support SPDY until .NET’s SslStream supports ALPN. Please vote for my bug on CONNECT: https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=812003 Also, please vote for this other SslStream bug:
Protocol Violations – prefs set fiddler.lint.HTTP True
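The lint preference above makes Fiddler flag HTTP protocol violations in captured traffic. The following standalone checker is an added example in Python, not Fiddler's own lint code, showing the kind of defects such a linter looks for in one raw request or response: bad line terminators, illegal header names, and, most relevant to a security reviewer, ambiguous message framing (duplicate or conflicting Content-Length, Content-Length alongside Transfer-Encoding) of the sort that enables request smuggling. All sample messages are constructed.

```python
"""Standalone HTTP/1.1 message linter.

Added example, not Fiddler's own lint implementation: it illustrates the kind
of protocol violations a setting like fiddler.lint.HTTP flags, on one raw
request or response captured as bytes. All sample messages are constructed.
"""
import re

# RFC 7230 "token" characters, the only ones allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}( .*)?$")


def lint_http_message(raw: bytes) -> list:
    """Return a list of violation descriptions (empty when the message is clean)."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("header block is not terminated by an empty CRLF line")
        # Fall back to bare-LF framing so the remaining checks can still run.
        head, _, body = raw.partition(b"\n\n")
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF used as a line terminator")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")

    start = lines[0]
    is_request = not start.startswith(b"HTTP/")
    if is_request:
        parts = start.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            problems.append("malformed request line: %r" % start)
    elif not STATUS_LINE.match(start):
        problems.append("malformed status line: %r" % start)

    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding in header block: %r" % line)
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append("header line without a colon: %r" % line)
            continue
        if not TOKEN.match(name):
            # Covers illegal characters and whitespace between the name and the colon.
            problems.append("invalid header name: %r" % name)
        headers.append((name.strip().lower(), value.strip()))

    # Message framing: the checks that matter most for request smuggling.
    lengths = [v for n, v in headers if n == b"content-length"]
    encodings = [v for n, v in headers if n == b"transfer-encoding"]
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values: %s"
                        % b", ".join(lengths).decode("ascii", "replace"))
    for v in lengths:
        if not v.isdigit():
            problems.append("non-numeric Content-Length: %r" % v)
    if lengths and encodings:
        problems.append("both Transfer-Encoding and Content-Length present (request-smuggling hazard)")
    elif len(set(lengths)) == 1 and lengths[0].isdigit() and int(lengths[0]) != len(body):
        problems.append("Content-Length %s does not match body length %d"
                        % (lengths[0].decode(), len(body)))

    if is_request and start.endswith(b"HTTP/1.1") and not any(n == b"host" for n, _ in headers):
        problems.append("HTTP/1.1 request without a Host header")
    return problems


# Constructed samples: one clean response, one with ambiguous framing, one sloppy request.
CLEAN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 6\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\nhello")
SLOPPY_REQUEST = b"GET /index.html HTTP/1.1\r\nX-Test : yes\r\n\r\n"

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN_RESPONSE), ("ambiguous", AMBIGUOUS_RESPONSE),
                       ("sloppy", SLOPPY_REQUEST)]:
        print(label, lint_http_message(msg) or "no violations")
```

Run the file to see the three verdicts; feed `lint_http_message` the raw request or response bytes of any captured session to check it the same way. The framing checks are deliberately strict: a message carrying both Content-Length and Transfer-Encoding is reported even when the body happens to be consistent, because two parsers on the path may disagree about which header wins.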
Store & Load Traffic
Output Formats • Fiddler Session Archive • Visual Studio WebTest • HTML5 AppCache Manifest • WCAT Load Test • cURL Script • HTTP Archive Format (HAR) • Meddler Script • Copy to the clipboard • Store as a plaintext file • Extract binary response bodies • Archive to a database
Or write your own…
The SAZ file format – Session Archive Zip files contain: • Request and response bytes • Timing and other metadata • WebSocket messages • HTML index file. For security, SAZ files may be encrypted using AES
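To make the archive contents concrete, here is an added Python example (not Fiddler's own code) that writes and reads a SAZ file. It assumes the layout Fiddler's own archives use as I know it: a zip holding `_index.htm` plus a `raw/` folder with, per session NN, `NN_c.txt` (raw client request), `NN_s.txt` (raw server response) and `NN_m.xml` (timers and session flags); the zero-padding width of NN grows with capture size, so the reader accepts any run of digits. The metadata XML and the session itself are constructed for the example. Because an AES-encrypted SAZ cannot be opened by Python's `zipfile`, the reader checks the zip entry flags first and fails with a clear message rather than a cryptic decompression error.

```python
"""Write and read Fiddler Session Archive Zip (SAZ) files.

Added example, not Fiddler's own code. Layout assumed here matches the SAZ
files Fiddler produces as I know them: a zip containing _index.htm plus a raw/
folder with, per session NN, NN_c.txt (raw client request), NN_s.txt (raw
server response) and NN_m.xml (timers and session flags). The number width
varies with capture size, so any run of digits is accepted. The session data
and metadata XML below are constructed for the example.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

AES_COMPRESSION_METHOD = 99   # WinZip-style AES entries advertise compression method 99
ENCRYPTED_FLAG = 0x0001       # general-purpose bit 0: entry is encrypted


def write_saz(sessions) -> bytes:
    """Build a SAZ in memory from (request_bytes, response_bytes, metadata_xml_bytes) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for n, (request, response, metadata) in enumerate(sessions, start=1):
            zf.writestr("raw/%02d_c.txt" % n, request)
            zf.writestr("raw/%02d_s.txt" % n, response)
            zf.writestr("raw/%02d_m.xml" % n, metadata)
            first_line = request.split(b"\r\n", 1)[0].decode("latin-1")
            rows.append("<tr><td>%d</td><td>%s</td></tr>" % (n, first_line))
        zf.writestr("_index.htm", "<html><body><table>%s</table></body></html>" % "".join(rows))
    return buf.getvalue()


def parse_metadata(xml_bytes: bytes) -> dict:
    """Pull the session id, timers and flags out of an NN_m.xml document."""
    root = ET.fromstring(xml_bytes)
    timers = root.find("SessionTimers")
    return {
        "sid": root.get("SID"),
        "timers": dict(timers.attrib) if timers is not None else {},
        "flags": {f.get("N"): f.get("V") for f in root.iter("SessionFlag")},
    }


def read_saz(data: bytes) -> list:
    """Parse a SAZ; returns one dict per session, ordered by session number."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    # Fiddler can AES-encrypt a SAZ; zipfile cannot decrypt those, so fail early and clearly.
    for info in zf.infolist():
        if info.compress_type == AES_COMPRESSION_METHOD or info.flag_bits & ENCRYPTED_FLAG:
            raise ValueError("encrypted SAZ: open it in Fiddler with the password to export plaintext")
    sessions = {}
    for name in zf.namelist():
        if not name.startswith("raw/"):
            continue
        number, _, kind = name[len("raw/"):].partition("_")
        if not number.isdigit():
            continue
        entry = sessions.setdefault(int(number), {"id": int(number)})
        if kind == "c.txt":
            entry["request"] = zf.read(name)
        elif kind == "s.txt":
            entry["response"] = zf.read(name)
        elif kind == "m.xml":
            entry["metadata"] = parse_metadata(zf.read(name))
    return [sessions[k] for k in sorted(sessions)]


def request_line(session: dict) -> str:
    """First line of the captured request, e.g. 'GET /echo.aspx HTTP/1.1'."""
    return session["request"].split(b"\r\n", 1)[0].decode("latin-1")


def status_code(session: dict) -> int:
    """Numeric status from the captured response's status line."""
    return int(session["response"].split(b" ", 2)[1])


# Constructed sample session; the metadata follows the Session/SessionTimers/SessionFlags shape.
SAMPLE_REQUEST = b"GET /echo.aspx HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_METADATA = (b'<Session SID="1"><SessionTimers ClientConnected="2014-01-01T00:00:00" '
                   b'ServerGotRequest="2014-01-01T00:00:01" />'
                   b'<SessionFlags><SessionFlag N="x-clientip" V="127.0.0.1" /></SessionFlags></Session>')


def demo_sessions() -> list:
    """Round-trip the sample session through write_saz/read_saz."""
    return read_saz(write_saz([(SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_METADATA)]))


if __name__ == "__main__":
    for s in demo_sessions():
        print(s["id"], request_line(s), status_code(s), s["metadata"]["flags"])
```

Pass the bytes of a real capture to `read_saz` to get the same per-session dicts; the raw request and response bytes are exactly what went over the wire, which is why an archive that holds cookies or tokens deserves the AES option the slide mentions when it leaves your machine.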
FiddlerCap – Simple captures – http://www.fiddlercap.com – User interface localized to: English | Français | Español | Português | 日本語 | русский
Import Formats • HTTP Archive Format (HAR) • Internet Explorer F12 Developer Tools (NETXML) • Telerik Test Studio LoadTest • Packet Capture (WireShark, tcpdump, NetMon) • …or write your own
PCAP Import
Traffic Analysis
TextWizard – Convert text between popular web encodings.
Traffic Comparison – Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.
Traffic Comparison – Use the Differ Extension to compare groups of Sessions at once.
Filtering Traffic • Ignore Images & CONNECTs • Application Type Filter • Process Filter • Troubleshooting with the Help menu
Support
SyntaxView Reformatting
Support
Integration
Metadata & GeoLocation
Previews
X-Download-Initiator – https://fiddler2.com/dl/EnableDownloadInitiator.reg – QuickExec: cols add @request.X-Download-Initiator
Traffic Manipulation
Automated Rewrites • Simple built-in Rules • The HOSTS command
Breakpoint Debugging – Use Fiddler Inspectors to modify requests and responses…
Simple Filters Flag, modify or remove headers from all requests and responses.
Request Composer – Create hand-built requests, or modify and reissue a request previously captured. Supports: • Automatic authentication • File Uploads • Redirect chasing • Sequential URL Crawling • cURL commands
AutoResponder – Replay previously captured or generated traffic.
FiddlerScript
Modification
  static function OnBeforeRequest(oS: Session) {
    if (oS.uriContains(".aspx")) {
      oS["ui-color"] = "red";
    }
    if (m_DisableCaching) {
      oS.oRequest.headers.Remove("If-None-Match");
      oS.oRequest.headers.Remove("If-Modified-Since");
      oS.oRequest["Pragma"] = "no-cache";
    }
  }
Modification
  static function OnBeforeResponse(oS: Session) {
    oS.utilDecodeResponse();
    oS.utilPrependToResponseBody("Injected Content!");
  }
Powerups
Understanding Extensibility – Each component in red is your code… (diagram) ExecAction.exe; Script / Batch file; Fiddler.exe; Inspector2; IFiddlerExtension; Fiddler ScriptEngine; Your FiddlerScript; FiddlerCore; Xceed*.dll; Makecert.exe
Understanding UI Extensibility 1. Rules.Options 2. Tools.Actions 3. Custom menus 4. Custom columns 5. ContextActions 6. QuickExec handlers 7. Views 8. Request Inspectors 9. Response Inspectors 10. Import & Export Transcoders
Type-specific Inspectors
neXpert
intruder21 Web Fuzzer • By yamagata21
Auditors – http://websecuritytool.codeplex.com/ – http://xss.codeplex.com/
WCF Binary Inspector
Integration
ExecAction.exe • Calls into OnExecAction in script or extensions • Alternatively, invoke directly by sending a Windows Message (C/C++, WM_COPYDATA to the Fiddler main window):
  oCDS.dwData = 61181;                               // Magic Cookie
  oCDS.cbData = lstrlen(wzData) * sizeof(WCHAR);     // payload size in bytes
  oCDS.lpData = wzData;
  SendMessage(FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"),
              WM_COPYDATA, NULL, (LPARAM)&oCDS);
(diagram) Fiddler application with extensions: Fiddler.exe, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe, ExecAction.exe. Your application hosting FiddlerCore: YourApp.exe, FiddlerCore, DotNetZip, CertMaker.dll
Programming with FiddlerCore
  // Call Startup to tell FiddlerCore to begin
  // listening on the specified port, register as
  // the system proxy and decrypt HTTPS traffic.
  FiddlerApplication.Startup(8877, true);

  FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
    Console.WriteLine("{0}: HTTP/{1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
  };

  // Later, call Shutdown to tell FiddlerCore to stop
  // listening and unregister as the system proxy
  FiddlerApplication.Shutdown();
Fiddler Futures • WebSockets UI • SPDY/HTTP 2 • UI Enhancements • You tell me!
Thank you!!! Eric Lawrence @ericlaw //fiddlerbook. com