NEXT TALK DEBUGGING WITH FIDDLER CODE CAMP 2013

NEXT TALK: DEBUGGING WITH FIDDLER CODE CAMP 2013 SPONSORS Gold Silver Bronze

DEBUGGING WITH FIDDLER Eric Lawrence @ericlaw Follow along at http: //getfiddler. com

Origins

Once upon a time…

Oh no! What happened? !?

There must be a better way…

A simple idea takes shape… All problems in computer science can be solved by another level of indirection - David Wheeler

Fiddler: Evolution Ten years, ~30 k lines of C#, 120+ release builds, a cross-country move to Telerik, and two new supported Platforms later…

My current side-project

Roadmap ü ü Ø Ø New Website New Documentation New Platforms Enhanced User-Interface

Fiddler Today Demo

UI Evolution - Web Sessions list

Fiddler on Linux � Linux Mint & Ubuntu

Fiddler on Mac OSX � It works, but due to UI glitches, you’re usually better off using Parallels

Traffic Monitoring

Typical Architecture

Phones Tablets i. OS Mac PC Debugging Across Devices Fiddler Internet

Fiddler as a Reverse Proxy http: //fiddler 2. com/r/? reverseproxy

Firefox Configuration Use the Fiddler. Hook add-on or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings

Win 8 “Store Apps” & IE 11

. NET Applications Your. App. exe. config <configuration> <system. net> <default. Proxy> <proxy bypassonlocal="false" usesystemdefault=“false" proxyaddress= "http: //127. 0. 0. 1: 8888" /> </default. Proxy> </system. net> </configuration>

Protocols

HTTPS Traffic Decryption Proxies cannot normally “see” HTTPS requests GET /fiddler 2/ GET /Fiddler 2/Fiddler. css GET /Fiddler/images/Fiddler. Logo. png

HTTPS Traffic Decryption Fiddler dynamically generates interception certificates chained to a self-signed root.

HTML 5 Web. Sockets

HTML 5 Web. Sockets enable bidirectional socket communications over a connection established using HTTP or HTTPS

FTP Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default. SPDY/HTTP 2. 0 Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.

Protocol Violation prefs set fiddler. lint. HTTP True

Traffic Archiving

Fiddler has many output options � Copy sessions to the clipboard � Store as a plaintext file � Extract binary response bodies � Archive to a database � Export a Visual Studio. Web. Test file � Build a HTML 5 App. Cache Manifest � Build a WCAT load-test script

…or write your own

The SAZ file format Session Archive Zip files contain: � Request and response bytes � Timing and other metadata � HTML index file For security, SAZ files may be encrypted

Fiddler. Cap – Lightweight capture tool http: //www. fiddlercap. com User-interface localized to: English | Français | Español | Português | 日本語 | русский

Traffic Analysis

Text. Wizard Convert text between popular web encodings.

Traffic Comparison Use Win. Diff or the differ of your choice to compare Sessions’ requests and responses.

Traffic Comparison Use the Differ Extension to compare sets of sessions at once.

Filtering Traffic � Ignore Images & CONNECTs � Application Type Filter � Process Filter � Troubleshooting with Help menu > >

Regular Expression Support

Syntax. View Reformatting

Image. View Data. URL Support

Image. View Tools integration

Image. View Metadata & Geo. Location

Better Together: X-Download. Initiator https: //fiddler 2. com/dl/Enable. Download. Initiator. reg cols add @request. X-Download-Initiator

HTML 5 Media & Font previews

In Context

Internet Explorer F 12 Developer tools

F 12 Developer Tools vs. Fiddler F 12 Network Tab Display cache and network requests Fiddler Display and modify only network requests Shows downloads from current Shows traffic from all processes Shows post-decryption HTTPS Decrypts HTTPS traffic via traffic “man-in-the-middle” approach Excellent Java. Script Formatter Less explicit mixed-content detection Exports F 12 Network. Data. xml Imports F 12 Network. Data. xml

Scenario Traffic Manipulation

Automated Rewrites Simple built-in Rules � The HOSTS command �

Breakpoint Debugging Use Fiddler Inspectors to modify requests and responses….

Simple Filters Flag, modify or remove headers from all requests and responses.

Request Composer Create hand-built HTTP requests, or modify and reissue a request previously captured. Supports • Automatic authentication • File Uploads • Redirect chasing • Sequential URL Crawling

Auto. Responder Replay previouslycaptured or generated traffic.

Fiddler. Script

Fiddler. Script – Request Modification static function On. Before. Request(o. S: Session){ if (o. S. uri. Contains(". aspx")) { o. S["ui-color"] = "red"; } if (m_Disable. Caching){ o. S. o. Request. headers. Remove("If-None-Match"); o. S. o. Request. headers. Remove("If-Modified-Since"); o. S. o. Request["Pragma"] = "no-cache"; } }

Fiddler. Script – Response Modification static function On. Before. Response(o. S: Session) { o. S. util. Decode. Response(); o. S. util. Prepend. To. Response. Body("Injected Content!"); }

Powering up with Extensions

Understanding Extensibility Each component in red is your code… Fiddler. exe Exec. Action. exe Script / Batch file Inspector 2 IFiddler. Extension Fiddler Script. Engine Your Fiddler. Script Fiddler. Core Xceed*. dll Makecert. exe

Understanding UI Extensibility 1. Rules. Options 2. Tools. Actions 3. Custom menus 4. Custom columns 5. Context. Actions 6. Quick. Exec handlers 7. Views 8. Request Inspectors 9. Response Inspectors 10. Import & Export Transcoders

Type-specific Inspectors

Expert Perf Analysis with ne. Xpert

intruder 21 Web Fuzzer � By yamagata 21

Watcher & x 5 s Security Auditors http: //websecuritytool. codeplex. com/ http: //xss. codeplex. com/

WCF Binary Inspector

Test Integration

Exec. Action. exe � Calls into On. Exec. Action in script or extensions � Alternatively, invoke directly by sending a Windows Message: o. CDS. dw. Data = 61181; // Magic Cookie o. CDS. cb. Data = lstrlen(wz. Data * sizeof(WCHAR)); o. CDS. lp. Data = wz. Data; Send. Message( Find. Window(NULL, "Fiddler - HTTP Debugging Proxy"), WM_COPYDATA, NULL, (LPARAM) &o. CDS );

Fiddler application with extensions Fiddler. exe Your application hosting Fiddler. Core Your. App. exe Exec. Action. exe Inspector 2 IFiddler. Extension Fiddler Script. Engine Your Fiddler. Script Fiddler. Core Xceed*. dll Makecert. exe Fiddler. Core Dot. Net. Zip Cert. Maker. dll

Programming with Fiddler. Core // Call Startup to tell Fiddler. Core to begin // listening on the specified port, register as // the system proxy and decrypt HTTPS traffic. Fiddler. Application. Startup(8877, true); Fiddler. Application. Before. Response += delegate(Fiddler. Session o. S) { Console. Write. Line("{0}: HTTP {1} for {2}", o. S. id, o. S. response. Code, o. S. full. Url); }; // Call Shutdown to tell Fiddler. Core to stop // listening and unregister as the system proxy Fiddler. Application. Shutdown();

Fiddler Futures � � Enhanced Web. Sockets Support. NET 4. 5. 1 SPDY/HTTP 2 You tell me!

Thank you! @ericlaw #fiddler 2 //fiddler 2. com //fiddlerbook. com Now Available