NEXT TALK: DEBUGGING WITH FIDDLER (CODE CAMP 2013)
SPONSORS: Gold, Silver, Bronze
DEBUGGING WITH FIDDLER. Eric Lawrence, @ericlaw. Follow along at http://getfiddler.com
Origins
Once upon a time…
Oh no! What happened?!?
There must be a better way…
A simple idea takes shape… "All problems in computer science can be solved by another level of indirection." - David Wheeler
Fiddler: Evolution. Ten years, ~30k lines of C#, 120+ release builds, a cross-country move to Telerik, and two new supported platforms later…
My current side-project
Roadmap: ✓ New Website ✓ New Documentation ➢ New Platforms ➢ Enhanced User-Interface
Fiddler Today Demo
UI Evolution - Web Sessions list
Fiddler on Linux: Linux Mint & Ubuntu
Fiddler on Mac OS X: It works, but due to UI glitches, you're usually better off using Parallels
Traffic Monitoring
Typical Architecture
Debugging Across Devices: Phones, Tablets, iOS, Mac, PC → Fiddler → Internet
Fiddler as a Reverse Proxy: http://fiddler2.com/r/?reverseproxy
Firefox Configuration: Use the FiddlerHook add-on, or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings
Win 8 “Store Apps” & IE 11
.NET Applications: YourApp.exe.config
    <configuration>
      <system.net>
        <defaultProxy>
          <proxy bypassonlocal="false" usesystemdefault="false" proxyaddress="http://127.0.0.1:8888" />
        </defaultProxy>
      </system.net>
    </configuration>
Protocols
HTTPS Traffic Decryption: Proxies cannot normally "see" HTTPS requests, such as GET /fiddler2/, GET /Fiddler2/Fiddler.css, GET /Fiddler/images/FiddlerLogo.png
HTTPS Traffic Decryption Fiddler dynamically generates interception certificates chained to a self-signed root.
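Added example, not part of the deck and not Fiddler's own code: a Python sketch of what a forwarding proxy can observe on one client connection when it does not decrypt HTTPS. For plain HTTP it sees the full URL and every header; for HTTPS it sees only the CONNECT target and, inside the first TLS record, the ClientHello's server name (SNI). The request bytes, host names and the minimal ClientHello builder are all constructed for this example.

```python
"""Added example (not from the slides): what a forwarding proxy can see on a
client connection without HTTPS decryption. Plain HTTP exposes the full
request; HTTPS exposes only the CONNECT target plus the TLS ClientHello SNI.
All sample bytes below are constructed for this example."""
from __future__ import annotations
import struct


def parse_request_head(data: bytes) -> tuple[str, str, dict, bytes]:
    """Split a proxy-style request into (method, target, headers, remaining bytes)."""
    head, _, rest = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, rest


def extract_sni(record: bytes) -> str | None:
    """Return the server_name from a TLS ClientHello record, or None.
    Offsets follow RFC 5246 / RFC 6066; only the fields needed to reach
    the extensions block are walked."""
    if len(record) < 5 or record[0] != 0x16:       # not a TLS handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                  # not a ClientHello
        return None
    pos = 4 + 2 + 32                                 # handshake header, version, random
    pos += 1 + body[pos]                             # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                             # compression methods
    if pos + 2 > len(body):
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:                            # server_name extension
            # list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def proxy_view(client_bytes: bytes) -> dict:
    """What the proxy can log from one client connection without decryption."""
    method, target, headers, rest = parse_request_head(client_bytes)
    if method == "CONNECT":
        return {"kind": "https-tunnel", "target": target, "sni": extract_sni(rest),
                "url": None, "headers": None}
    return {"kind": "http", "target": target, "sni": None, "url": target,
            "headers": headers}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
             + b"\x01\x00"                           # null compression only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample traffic: one plain HTTP request and one HTTPS tunnel.
PLAIN = (b"GET http://example.test/fiddler2/ HTTP/1.1\r\n"
         b"Host: example.test\r\nCookie: sid=abc\r\n\r\n")
TUNNEL = (b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n"
          + build_client_hello("example.test"))

if __name__ == "__main__":
    print(proxy_view(PLAIN))
    print(proxy_view(TUNNEL))
```

The point for a defender is the gap between the two views: without decryption the proxy's log of an HTTPS session is a hostname and a byte count; enabling decryption (the interception-certificate approach on this slide) turns that into the same full request view as plain HTTP.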
HTML5 WebSockets
HTML5 WebSockets enable bidirectional socket communications over a connection established using HTTP or HTTPS.
FTP: Fiddler supports FTP traffic via a built-in FTP gateway. The FTP proxy is off by default. SPDY/HTTP 2.0: Fiddler recognizes and tags SPDY connections if HTTPS decryption is disabled.
Protocol Violation: prefs set fiddler.lint.HTTP True
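Added example, not Fiddler's own lint rules: a small Python checker for HTTP/1.1 request violations of the kind a proxy-side lint pass flags (bare LF line endings, missing Host, whitespace before the header colon, conflicting or wrong Content-Length, Content-Length together with Transfer-Encoding). Rule wording follows RFC 7230; the sample messages are constructed.

```python
"""Added example (not Fiddler's own linter): a checker for HTTP/1.1 request
violations of the kind a proxy lint pass would flag. The rules are drawn
from RFC 7230; the sample messages are constructed."""
from __future__ import annotations


def lint_http_request(raw: bytes) -> list[str]:
    """Return a list of human-readable violations found in one raw request."""
    findings: list[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no CRLFCRLF terminating the header block"]
    if b"\n" in head.replace(b"\r\n", b""):
        findings.append("bare LF used as a line terminator (must be CRLF)")
    lines = head.replace(b"\r\n", b"\n").decode("latin-1").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        findings.append(f"malformed request line: {lines[0]!r}")
        return findings
    method, _target, version = parts
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            findings.append(f"header line without colon: {line!r}")
            continue
        if name != name.rstrip():
            # RFC 7230 forbids whitespace between the field name and the colon
            findings.append(f"whitespace between header name and colon: {name!r}")
        headers.append((name.strip().lower(), value.strip()))
    names = [n for n, _ in headers]
    if version == "HTTP/1.1" and "host" not in names:
        findings.append("HTTP/1.1 request without a Host header")
    if names.count("host") > 1:
        findings.append("multiple Host headers")
    cls = [v for n, v in headers if n == "content-length"]
    if len(set(cls)) > 1:
        findings.append(f"conflicting Content-Length values: {cls}")
    if cls and "transfer-encoding" in names:
        # Ambiguous framing is what request-smuggling attacks rely on
        findings.append("both Content-Length and Transfer-Encoding present (smuggling risk)")
    if cls and not cls[0].isdigit():
        findings.append(f"non-numeric Content-Length: {cls[0]!r}")
    elif cls and int(cls[0]) != len(body):
        findings.append(f"Content-Length {cls[0]} but body has {len(body)} bytes")
    if method in ("GET", "HEAD") and body:
        findings.append(f"{method} request carries a {len(body)}-byte body")
    return findings


# Constructed samples: one clean request, one with several violations.
GOOD = b"GET /fiddler2/ HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
BAD = (b"POST /upload HTTP/1.1\r\n"
       b"Content-Length: 5\r\n"
       b"Transfer-Encoding: chunked\r\n"
       b"X-Odd : value\r\n"
       b"\r\n"
       b"abc")

if __name__ == "__main__":
    for label, msg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_http_request(msg) or "clean")
```

Run against captured request bytes (for instance the client half of a session exported as plain text) to see which of a client's messages a strict server or intermediary is entitled to reject.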
Traffic Archiving
Fiddler has many output options: • Copy sessions to the clipboard • Store as a plaintext file • Extract binary response bodies • Archive to a database • Export a Visual Studio .WebTest file • Build an HTML5 AppCache Manifest • Build a WCAT load-test script
…or write your own
The SAZ file format: Session Archive Zip files contain • Request and response bytes • Timing and other metadata • HTML index file. For security, SAZ files may be encrypted.
FiddlerCap: Lightweight capture tool, http://www.fiddlercap.com. User interface localized to: English | Français | Español | Português | 日本語 | русский
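Added example for the SAZ slide above, not Fiddler's own code: Python that builds a small SAZ archive in memory and reads it back. A SAZ is a ZIP whose raw/ folder holds, per session NN, NN_c.txt (client request bytes), NN_s.txt (server response bytes) and NN_m.xml (metadata), plus a human-readable _index.htm. The metadata attributes read here (SID and the x-clientip SessionFlag) are the ones this example writes; the real schema carries more. The sessions themselves are constructed.

```python
"""Added example (not Fiddler's own code): write a SAZ archive in memory and
read it back. Layout: raw/NN_c.txt, raw/NN_s.txt, raw/NN_m.xml, _index.htm.
The metadata fields written and read are the subset this example uses."""
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample sessions: (request bytes, response bytes, client IP)
SAMPLE_SESSIONS = [
    (b"GET http://example.test/fiddler2/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
     "10.0.0.5"),
    (b"POST http://example.test/login HTTP/1.1\r\nHost: example.test\r\n"
     b"Content-Length: 9\r\n\r\nuser=anna",
     b"HTTP/1.1 302 Found\r\nLocation: /home\r\nContent-Length: 0\r\n\r\n",
     "10.0.0.5"),
]


def build_saz(sessions) -> bytes:
    """Write sessions into an in-memory SAZ (zip) and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n, (req, resp, ip) in enumerate(sessions, start=1):
            z.writestr(f"raw/{n:02d}_c.txt", req)
            z.writestr(f"raw/{n:02d}_s.txt", resp)
            meta = ET.Element("Session", SID=str(n))
            flags = ET.SubElement(meta, "SessionFlags")
            ET.SubElement(flags, "SessionFlag", N="x-clientip", V=ip)
            z.writestr(f"raw/{n:02d}_m.xml", ET.tostring(meta, encoding="unicode"))
        z.writestr("_index.htm", "<html><body>index</body></html>")
    return buf.getvalue()


def read_saz(data: bytes) -> list[dict]:
    """Return one dict per session: id, method, url, status, client ip, body size."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Session numbers come from the client-request file names
        ids = sorted({m.group(1) for name in z.namelist()
                      if (m := re.fullmatch(r"raw/(\d+)_c\.txt", name))})
        for sid in ids:
            req = z.read(f"raw/{sid}_c.txt")
            resp = z.read(f"raw/{sid}_s.txt")
            meta = ET.fromstring(z.read(f"raw/{sid}_m.xml"))
            method, url, _ = req.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
            status = int(resp.split(b" ", 2)[1])
            flags = {f.get("N"): f.get("V") for f in meta.iter("SessionFlag")}
            out.append({"id": int(meta.get("SID")), "method": method, "url": url,
                        "status": status, "client_ip": flags.get("x-clientip"),
                        "response_body_bytes": len(resp.partition(b"\r\n\r\n")[2])})
    return out


if __name__ == "__main__":
    for s in read_saz(build_saz(SAMPLE_SESSIONS)):
        print(s)
```

Encrypted SAZ files are out of scope here: Python's zipfile module decrypts only legacy ZipCrypto archives, so check the archive's encryption method before relying on this reader for a password-protected capture.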
Traffic Analysis
TextWizard: Convert text between popular web encodings.
Traffic Comparison: Use WinDiff or the differ of your choice to compare Sessions' requests and responses.
Traffic Comparison: Use the Differ Extension to compare sets of sessions at once.
Filtering Traffic: • Ignore Images & CONNECTs • Application Type Filter • Process Filter • Troubleshooting via the Help menu
Regular Expression Support
SyntaxView Reformatting
ImageView DataURL Support
ImageView Tools integration
ImageView Metadata & GeoLocation
Better Together: X-Download-Initiator. https://fiddler2.com/dl/EnableDownloadInitiator.reg, then in QuickExec: cols add @request.X-Download-Initiator
HTML5 Media & Font previews
In Context
Internet Explorer F12 Developer Tools
F12 Developer Tools vs. Fiddler
    F12 Network Tab                            | Fiddler
    Display cache and network requests         | Display and modify only network requests
    Shows downloads from current               | Shows traffic from all processes
    Shows post-decryption HTTPS traffic        | Decrypts HTTPS traffic via "man-in-the-middle" approach
    Excellent JavaScript Formatter             | Less explicit mixed-content detection
    Exports F12 NetworkData.xml                | Imports F12 NetworkData.xml
Scenario Traffic Manipulation
Automated Rewrites: Simple built-in Rules • The HOSTS command
Breakpoint Debugging: Use Fiddler Inspectors to modify requests and responses…
Simple Filters: Flag, modify or remove headers from all requests and responses.
Request Composer: Create hand-built HTTP requests, or modify and reissue a previously captured request. Supports • Automatic authentication • File Uploads • Redirect chasing • Sequential URL Crawling
AutoResponder: Replay previously captured or generated traffic.
FiddlerScript
FiddlerScript – Request Modification
    static function OnBeforeRequest(oS: Session) {
        // Color any .aspx request red in the Web Sessions list
        if (oS.uriContains(".aspx")) {
            oS["ui-color"] = "red";
        }
        // When the Disable Caching rule is on, strip conditional-request headers
        if (m_DisableCaching) {
            oS.oRequest.headers.Remove("If-None-Match");
            oS.oRequest.headers.Remove("If-Modified-Since");
            oS.oRequest["Pragma"] = "no-cache";
        }
    }
FiddlerScript – Response Modification
    static function OnBeforeResponse(oS: Session) {
        // Decompress and unchunk the body before editing it
        oS.utilDecodeResponse();
        oS.utilPrependToResponseBody("Injected Content!");
    }
Powering up with Extensions
Understanding Extensibility: Each component in red is your code… Components: Fiddler.exe, ExecAction.exe, Script / Batch file, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe
Understanding UI Extensibility: 1. RulesOptions 2. ToolsActions 3. Custom menus 4. Custom columns 5. ContextActions 6. QuickExec handlers 7. Views 8. Request Inspectors 9. Response Inspectors 10. Import & Export Transcoders
Type-specific Inspectors
Expert Perf Analysis with neXpert
intruder21 Web Fuzzer, by yamagata21
Watcher & x5s Security Auditors: http://websecuritytool.codeplex.com/ and http://xss.codeplex.com/
WCF Binary Inspector
Test Integration
ExecAction.exe • Calls into OnExecAction in script or extensions • Alternatively, invoke directly by sending a Windows Message:
    COPYDATASTRUCT oCDS;
    oCDS.dwData = 61181;                            // Magic Cookie
    oCDS.cbData = lstrlen(wzData) * sizeof(WCHAR);  // byte length of the command text
    oCDS.lpData = wzData;                           // WCHAR* holding the QuickExec command
    SendMessage(FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"),
                WM_COPYDATA, NULL, (LPARAM)&oCDS);
Fiddler application with extensions (Fiddler.exe): ExecAction.exe, Inspector2, IFiddlerExtension, Fiddler ScriptEngine, Your FiddlerScript, FiddlerCore, Xceed*.dll, Makecert.exe. Your application hosting FiddlerCore (YourApp.exe): FiddlerCore, DotNetZip, CertMaker.dll
Programming with FiddlerCore
    // Call Startup to tell FiddlerCore to begin
    // listening on the specified port, register as
    // the system proxy and decrypt HTTPS traffic.
    FiddlerApplication.Startup(8877, true, true);

    FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
        Console.WriteLine("{0}: HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
    };

    // Call Shutdown to tell FiddlerCore to stop
    // listening and unregister as the system proxy
    FiddlerApplication.Shutdown();
Fiddler Futures: • Enhanced WebSockets Support • .NET 4.5.1 • SPDY/HTTP 2 • You tell me!
Thank you! @ericlaw #fiddler2 fiddler2.com fiddlerbook.com: Now Available