
Post on 24-Dec-2015



CODE CAMP 2013 SPONSORS: Gold, Silver, Bronze

NEXT TALK: DEBUGGING WITH FIDDLER

Debugging with Fiddler

Eric Lawrence

@ericlaw

Follow along at http://getfiddler.com

Origins

Once upon a time…

Oh no! What happened?!?

There must be a better way…

A simple idea takes shape…

Diagram: Applications and Network APIs reach the Website through a Proxy

All problems in computer science can be solved by another level of indirection - David Wheeler

Fiddler: Evolution

Ten years,

~30k lines of C#,

120+ release builds,

a cross-country move to Telerik,

and two new supported Platforms later…

My current side-project

New Website

New Documentation

New Platforms

Enhanced User-Interface

Roadmap

Fiddler Today

A quick tour of Fiddler

Demo

UI Evolution - Web Sessions list

Fiddler on Linux

Linux Mint & Ubuntu

Fiddler on Mac OSX

It works, but due to UI glitches, you’re usually better off using Parallels

Browsers, applications, and devices

Traffic Monitoring

Typical Architecture

Debugging Across Devices

Diagram: devices (iOS, phones, tablets, Mac, PC) reach the Internet through Fiddler

Fiddler as a Reverse Proxy

http://fiddler2.com/r/?reverseproxy

Firefox Configuration

Use the FiddlerHook add-on or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings

Win 8 “Store Apps” & IE11

AppContainer blocks “loopback” network connections. For debugging purposes, you can disable that blocking.

Ctrl+Click to exempt all AppContainers

.NET Applications

YourApp.exe.config (route this .NET application's traffic through Fiddler's listener on port 8888):

<configuration>
  <system.net>
    <defaultProxy>
      <proxy bypassonlocal="false" usesystemdefault="false" proxyaddress="http://127.0.0.1:8888" />
    </defaultProxy>
  </system.net>
</configuration>

Protocols

HTTPS Traffic Decryption

Proxies cannot normally “see” HTTPS requests

Decrypting CONNECT tunnel to www.fiddler2.com

GET /fiddler2/

GET /Fiddler2/Fiddler.css

GET /Fiddler/images/FiddlerLogo.png

HTTPS Traffic Decryption

Fiddler dynamically generates interception certificates chained to a self-signed root.
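As an added illustration (not code from the talk or from Fiddler itself), this Go program does what the slide describes: it mints a leaf certificate for a host on the fly and signs it with a self-signed root. The verification step shows the defender's side of the same mechanism: the chain validates only on a client whose trust store contains that root, so an unexpected root in a trust store is the thing to audit for. The root name and host are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tmpl with parent/parentKey (use tmpl itself as parent for a self-signed root).
func mustCert(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// InterceptionChain builds what a decrypting proxy presents for host: a leaf certificate for
// that name, minted on the fly and signed by a self-signed root that no client trusts by default.
func InterceptionChain(host string) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Debugging Root"}, // sample name, not Fiddler's
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = mustCert(rootTmpl, rootTmpl, rootKey, rootKey)
	leaf = mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, root, leafKey, rootKey)
	return root, leaf
}

// TrustedFor reports whether leaf verifies for host against exactly the given roots;
// an empty pool models a client that has not installed the proxy's root.
func TrustedFor(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```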

HTML5 WebSockets


WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS

FTP

Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default.

SPDY/HTTP2.0

Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.

Protocol Violation

prefs set fiddler.lint.HTTP True

Traffic Archiving

Fiddler has many output options

Copy sessions to the clipboard

Store as a plaintext file

Extract binary response bodies

Archive to a database

Export a Visual Studio .WebTest file

Build a HTML5 AppCache Manifest

Build a WCAT load-test script

…or write your own

The SAZ file format

Session Archive Zip files contain:

Request and response bytes

Timing and other metadata

HTML index file

For security, SAZ files may be encrypted

FiddlerCap – Lightweight capture tool

http://www.fiddlercap.com

User-interface localized to:

English | Français | Español | Português | 日本語 | русский

Examine Requests and Responses

Traffic Analysis

TextWizard

Convert text between popular web encodings.

Traffic Comparison

Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.

Traffic Comparison

Use the Differ Extension to compare sets of sessions at once.

Filtering Traffic

Ignore Images & CONNECTs

Application Type Filter

Process Filter

Troubleshooting with Help menu

Selecting Traffic: using QuickExec, using Find

Regular Expression Support

SyntaxView Reformatting

ImageView DataURL Support

ImageView Tools integration

ImageView Metadata & GeoLocation

Better Together: X-Download-Initiator

https://fiddler2.com/dl/EnableDownloadInitiator.reg

cols add @request.X-Download-Initiator

HTML5 Media & Font previews

Fiddler vs. other tools

In Context

Internet Explorer F12 Developer tools

Internet Explorer 9 introduced the F12 Developer Tools, including a new Network tab…

F12 Developer Tools vs. Fiddler

F12 Network Tab                        | Fiddler
---------------------------------------|--------------------------------------------------------
Display cache and network requests     | Display and modify only network requests
Shows downloads from current process   | Shows traffic from all processes
Shows post-decryption HTTPS traffic    | Decrypts HTTPS traffic via “man-in-the-middle” approach
Excellent JavaScript Formatter         | Less explicit mixed-content detection
Exports F12 NetworkData.xml            | Imports F12 NetworkData.xml

Scenario

Change the bytes

Traffic Manipulation

Automated Rewrites

Simple built-in Rules

The HOSTS command

Breakpoint Debugging

Use Fiddler Inspectors to modify requests and responses….

Simple Filters

Flag, modify or remove headers from all requests and responses.

Request Composer

Create hand-built HTTP requests, or modify and reissue a request previously captured.

Supports:

• Automatic authentication

• File Uploads

• Redirect chasing

• Sequential URL Crawling

AutoResponder

Replay previously-captured or generated traffic.

FiddlerScript

FiddlerScript – Request Modification

// Rules menu option that toggles m_DisableCaching (declared in the standard CustomRules.js)
public static RulesOption("&Disable Caching", "Per&formance")
var m_DisableCaching: boolean = false;

static function OnBeforeRequest(oS: Session) {
  // Color sessions whose URL contains ".aspx" red in the Web Sessions list
  if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; }

  // When caching is disabled, strip the conditional headers so the server
  // never answers 304 and always sends a full response
  if (m_DisableCaching) {
    oS.oRequest.headers.Remove("If-None-Match");
    oS.oRequest.headers.Remove("If-Modified-Since");
    oS.oRequest["Pragma"] = "no-cache";
  }
}

FiddlerScript – Response Modification

static function OnBeforeResponse(oS: Session) {
  // Decompress and unchunk the body so it can be edited as plain text
  oS.utilDecodeResponse();
  // Insert text at the start of the response body
  oS.utilPrependToResponseBody("Injected Content!");
}

Powering up with

//fiddler2.com/add-ons

Extensions

Understanding Extensibility

Each component in red is your code…

Diagram: Fiddler.exe hosts the Fiddler ScriptEngine (running Your FiddlerScript), Inspector2 and IFiddlerExtension components, and FiddlerCore (with Xceed*.dll and Makecert.exe); ExecAction.exe is driven from a Script / Batch file.

Understanding UI Extensibility

1. RulesOptions

2. ToolsActions

3. Custom menus

4. Custom columns

5. ContextActions

6. QuickExec handlers

7. Views

8. Request Inspectors

9. Response Inspectors

10. Import & Export Transcoders

Type-specific Inspectors

Expert Perf Analysis with neXpert

intruder21 Web Fuzzer

By yamagata21

Watcher & x5s Security Auditors

http://websecuritytool.codeplex.com/

http://xss.codeplex.com/

WCF Binary Inspector

Integrating Fiddler into your tools

Test Integration

ExecAction.exe

Calls into OnExecAction in script or extensions

Alternatively, invoke directly by sending a Windows Message:

  // wzData holds the command text (a WCHAR string) to hand to OnExecAction
  COPYDATASTRUCT oCDS;
  oCDS.dwData = 61181; // Magic Cookie
  oCDS.cbData = lstrlen(wzData) * sizeof(WCHAR); // size of the command in bytes
  oCDS.lpData = wzData;
  SendMessage(FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"), WM_COPYDATA, NULL, (LPARAM)&oCDS);

Diagram: Fiddler application with extensions (Fiddler.exe: Fiddler ScriptEngine with Your FiddlerScript, Inspector2, IFiddlerExtension, FiddlerCore, ExecAction.exe; Xceed*.dll, Makecert.exe) alongside Your application hosting FiddlerCore (YourApp.exe: FiddlerCore, CertMaker.dll, DotNetZip)

Programming with FiddlerCore

// Call Startup to tell FiddlerCore to begin listening on the specified port,
// register as the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);

// Log each response as it arrives
Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
    Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
};

// ... your application runs and traffic flows through FiddlerCore here ...

// Call Shutdown to tell FiddlerCore to stop listening and unregister as the system proxy
Fiddler.FiddlerApplication.Shutdown();

Fiddler Futures

Enhanced WebSockets Support

.NET 4.5.1

SPDY/HTTP2

You tell me!

@ericlaw | #fiddler2 | //fiddler2.com | //fiddlerbook.com

Thank you!

Now Available: ~300 pages. Paper or DRM-free PDF.