Date posted: 24-Dec-2015
CODE CAMP 2013 SPONSORS
Gold
Silver
Bronze
DEBUGGING WITH FIDDLER
Eric Lawrence
@ericlaw
Follow along at http://getfiddler.com
Origins
Once upon a time…
Oh no! What happened?!?
There must be a better way…
A simple idea takes shape…
[Diagram: Applications → Network APIs → Proxy → Website]
All problems in computer science can be solved by another level of indirection - David Wheeler
Fiddler: Evolution
Ten years,
~30k lines of C#,
120+ release builds,
a cross-country move to Telerik,
and two new supported Platforms later…
My current side-project
New Website
New Documentation
New Platforms
Enhanced User-Interface
Roadmap
Fiddler Today
A quick tour of Fiddler
Demo
UI Evolution - Web Sessions list
Fiddler on Linux
Linux Mint & Ubuntu
Fiddler on Mac OSX
It works, but due to UI glitches, you’re usually better off using Parallels
Browsers, applications, and devices
Traffic Monitoring
Typical Architecture
Debugging Across Devices
[Diagram: Fiddler, Mac, Internet, iOS, Phones, PC, Tablets]
Fiddler as a Reverse Proxy
http://fiddler2.com/r/?reverseproxy
Firefox Configuration
Use the FiddlerHook add-on or configure Tools > Options > Advanced > Network > Connection Settings > Use system proxy settings
Win 8 “Store Apps” & IE11
AppContainer blocks “loopback” network connections. For debugging purposes, you can disable that blocking.
Ctrl+Click to exempt all AppContainers
.NET Applications
YourApp.exe.config
<configuration>
  <system.net>
    <defaultProxy>
      <proxy bypassonlocal="false" usesystemdefault="false" proxyaddress="http://127.0.0.1:8888" />
    </defaultProxy>
  </system.net>
</configuration>
Protocols
HTTPS Traffic Decryption
Proxies cannot normally “see” HTTPS requests
Decrypting CONNECT tunnel to www.fiddler2.com
GET /fiddler2/
GET /Fiddler2/Fiddler.css
GET /Fiddler/images/FiddlerLogo.png
HTTPS Traffic Decryption
Fiddler dynamically generates interception certificates chained to a self-signed root.
HTML5 WebSockets
WebSockets enable bi-directional socket communications over a connection established using HTTP or HTTPS
FTP
Fiddler supports FTP traffic via a built-in FTP gateway. FTP proxy is off-by-default.
SPDY/HTTP2.0
Fiddler recognizes and tags SPDY connections if HTTPS-decryption is disabled.
Protocol Violation
prefs set fiddler.lint.HTTP True
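The kind of message-framing problems a protocol linter looks for can be checked outside Fiddler as well. The following is an added example (not Fiddler's code, and the checks are my own selection rather than a list of what the fiddler.lint.HTTP preference flags): it parses a raw HTTP/1.1 response and reports the violations that matter most to a defender, such as a Content-Length that disagrees with the body or a message carrying both Content-Length and Transfer-Encoding, which different receivers may frame differently. The sample responses are constructed, not captured traffic.

```python
"""Lint a raw HTTP/1.1 response for syntax and message-framing violations.

Added example; the checks are a hand-picked set and are not necessarily
the same ones Fiddler's fiddler.lint.HTTP preference enables.
"""


def lint_http_response(raw):
    """Return a list of findings; an empty list means no violation was detected."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header block is not terminated by a blank line (CRLF CRLF)"]

    lines = head.split(b"\r\n")
    status_line = lines[0]
    parts = status_line.split(b" ", 2)
    if (len(parts) < 2 or not parts[0].startswith(b"HTTP/1.")
            or len(parts[1]) != 3 or not parts[1].isdigit()):
        findings.append("malformed status line: %r" % status_line)

    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete line folding in header: %r" % line)
            continue
        name, colon, value = line.partition(b":")
        # A header needs a name, a colon, and no whitespace before the colon.
        if not colon or not name or name != name.strip():
            findings.append("malformed header line: %r" % line)
            continue
        headers.append((name.lower(), value.strip()))

    lengths = [v for n, v in headers if n == b"content-length"]
    encodings = [v for n, v in headers if n == b"transfer-encoding"]

    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values: %r" % lengths)
    if lengths and encodings:
        findings.append("both Content-Length and Transfer-Encoding present; "
                        "receivers may frame the message differently")
    if lengths and not encodings:
        declared = lengths[0]
        if not declared.isdigit():
            findings.append("non-numeric Content-Length: %r" % declared)
        elif int(declared) != len(body):
            findings.append("Content-Length %d does not match body length %d"
                            % (int(declared), len(body)))
    if encodings and not encodings[-1].lower().endswith(b"chunked"):
        findings.append("Transfer-Encoding present but the final coding is not chunked")
    if not lengths and not encodings and body:
        findings.append("no Content-Length or Transfer-Encoding; "
                        "body is delimited only by connection close")
    return findings


# Constructed sample responses (not captured traffic).
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
MISMATCH = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nhello"
AMBIGUOUS = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nhello\r\n0\r\n\r\n")
BAD_HEADER = b"HTTP/1.1 200 OK\r\nX-Broken\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("mismatch", MISMATCH),
                          ("ambiguous", AMBIGUOUS), ("bad header", BAD_HEADER)):
        print(label, lint_http_response(sample))
```

Run over a response captured from a proxy log, the function returns one line per finding, so it can be dropped into a test suite that fails when a server starts emitting ambiguous framing.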
Traffic Archiving
Fiddler has many output options
Copy sessions to the clipboard
Store as a plaintext file
Extract binary response bodies
Archive to a database
Export a Visual Studio .WebTest file
Build a HTML5 AppCache Manifest
Build a WCAT load-test script
…or write your own
The SAZ file format
Session Archive Zip files contain:
Request and response bytes
Timing and other metadata
HTML index file
For security, SAZ files may be encrypted
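A SAZ file is an ordinary zip archive, so an analyst can produce and consume one without Fiddler. The following is an added example, not Fiddler's own code: it writes an archive in the raw/ layout SAZ uses (raw/NN_c.txt for the client request, raw/NN_s.txt for the server response, raw/NN_m.xml for metadata, plus an _index.htm) from constructed sessions, then reads it back into per-session summaries. The SessionTimers attributes written here are a small hand-picked subset, the URL is reconstructed assuming plain HTTP, and because Python's zipfile cannot write password-protected archives the example produces an unencrypted SAZ.

```python
"""Write and read a Fiddler Session Archive Zip (SAZ) entirely in memory.

Added example, not Fiddler's own code. Uses the raw/ layout of SAZ files
with constructed sessions; the archive is unencrypted.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = [
    {
        "request": b"GET /fiddler2/ HTTP/1.1\r\nHost: www.fiddler2.com\r\n\r\n",
        "response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
        "timers": {"ClientBeginRequest": "2013-10-12T10:00:00.000",
                   "ServerDoneResponse": "2013-10-12T10:00:00.250"},
    },
    {
        "request": b"GET /Fiddler2/Fiddler.css HTTP/1.1\r\nHost: www.fiddler2.com\r\n\r\n",
        "response": b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
        "timers": {"ClientBeginRequest": "2013-10-12T10:00:01.000",
                   "ServerDoneResponse": "2013-10-12T10:00:01.100"},
    },
]


def build_saz(sessions):
    """Return the bytes of a SAZ archive containing the given sessions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for sid, s in enumerate(sessions, start=1):
            zf.writestr("raw/%02d_c.txt" % sid, s["request"])
            zf.writestr("raw/%02d_s.txt" % sid, s["response"])
            meta = ET.Element("Session", SID=str(sid))
            # Only a hand-picked subset of SessionTimers attributes is written.
            ET.SubElement(meta, "SessionTimers", **s["timers"])
            zf.writestr("raw/%02d_m.xml" % sid, ET.tostring(meta))
        zf.writestr("_index.htm", "<html><body>Constructed SAZ index</body></html>")
    return buf.getvalue()


def _header(raw_message, name):
    """Return the value of the first header called `name` (case-insensitive), or b''."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return b""


def read_saz(data):
    """Parse a SAZ archive into a list of session summaries ordered by session id."""
    sessions = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        ids = sorted(n[len("raw/"):-len("_c.txt")]
                     for n in names if n.startswith("raw/") and n.endswith("_c.txt"))
        for sid in ids:
            request = zf.read("raw/%s_c.txt" % sid)
            response = zf.read("raw/%s_s.txt" % sid)
            method, path, _ = request.split(b"\r\n", 1)[0].split(b" ", 2)
            host = _header(request, b"host")
            status = int(response.split(b" ", 2)[1])
            timers = {}
            meta_name = "raw/%s_m.xml" % sid
            if meta_name in names:
                node = ET.fromstring(zf.read(meta_name)).find("SessionTimers")
                if node is not None:
                    timers = dict(node.attrib)
            sessions.append({
                "id": int(sid),
                "method": method.decode("ascii"),
                # Assumes plain HTTP; a decrypted HTTPS session would need its scheme restored.
                "url": "http://%s%s" % (host.decode("ascii"), path.decode("ascii")),
                "status": status,
                "timers": timers,
            })
    return sessions


if __name__ == "__main__":
    for s in read_saz(build_saz(SAMPLE_SESSIONS)):
        print(s["id"], s["method"], s["url"], s["status"], s["timers"])
```

Because the archive keeps the request and response bytes verbatim, the same reader can feed captured sessions into any other tooling (a differ, a test generator, or a ticketing system) without Fiddler being installed on that machine.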
FiddlerCap – Lightweight capture tool
http://www.fiddlercap.com
User-interface localized to:
English | Français | Español | Português | 日本語 | русский
Examine Requests and Responses
Traffic Analysis
TextWizard
Convert text between popular web encodings.
Traffic Comparison
Use WinDiff or the differ of your choice to compare Sessions’ requests and responses.
Traffic Comparison
Use the Differ Extension to compare sets of sessions at once.
Filtering Traffic
Ignore Images & CONNECTs
Application Type Filter
Process Filter
Troubleshooting with Help menu
Selecting Traffic
Using QuickExec
Using Find
Regular Expression Support
SyntaxView Reformatting
ImageView DataURL Support
ImageView Tools integration
ImageView Metadata & GeoLocation
Better Together: X-Download-Initiator
https://fiddler2.com/dl/EnableDownloadInitiator.reg
cols add @request.X-Download-Initiator
HTML5 Media & Font previews
Fiddler vs. other tools
In Context
Internet Explorer F12 Developer tools
Internet Explorer 9 introduced the F12 Developer Tools, including a new Network tab…
F12 Developer Tools vs. Fiddler
F12 Network Tab | Fiddler
--- | ---
Display cache and network requests | Display and modify only network requests
Shows downloads from current process | Shows traffic from all processes
Shows post-decryption HTTPS traffic | Decrypts HTTPS traffic via “man-in-the-middle” approach
Excellent JavaScript Formatter | Less explicit mixed-content detection
Exports F12 NetworkData.xml | Imports F12 NetworkData.xml
Scenario
Change the bytes
Traffic Manipulation
Automated Rewrites
Simple built-in Rules
The HOSTS command
Breakpoint Debugging
Use Fiddler Inspectors to modify requests and responses…
Simple Filters
Flag, modify or remove headers from all requests and responses.
Request Composer
Create hand-built HTTP requests, or modify and reissue a request previously captured.
Supports:
• Automatic authentication
• File Uploads
• Redirect chasing
• Sequential URL Crawling
AutoResponder
Replay previously-captured or generated traffic.
FiddlerScript
FiddlerScript – Request Modification
static function OnBeforeRequest(oS: Session) {
    if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; }
    if (m_DisableCaching) {
        oS.oRequest.headers.Remove("If-None-Match");
        oS.oRequest.headers.Remove("If-Modified-Since");
        oS.oRequest["Pragma"] = "no-cache";
    }
}
FiddlerScript – Response Modification
static function OnBeforeResponse(oS: Session) {
    oS.utilDecodeResponse();
    oS.utilPrependToResponseBody("Injected Content!");
}
Powering up with //fiddler2.com/add-ons
Extensions
Understanding Extensibility
Each component in red is your code…
[Diagram: Fiddler.exe, containing the Fiddler ScriptEngine, Inspector2 and IFiddlerExtension components, and FiddlerCore; Your FiddlerScript; ExecAction.exe invoked from a Script / Batch file; Xceed*.dll and Makecert.exe]
Understanding UI Extensibility
1. RulesOptions
2. ToolsActions
3. Custom menus
4. Custom columns
5. ContextActions
6. QuickExec handlers
7. Views
8. Request Inspectors
9. Response Inspectors
10. Import & Export Transcoders
Type-specific Inspectors
Expert Perf Analysis with neXpert
intruder21 Web Fuzzer
By yamagata21
Watcher & x5s Security Auditors
http://websecuritytool.codeplex.com/ http://xss.codeplex.com/
WCF Binary Inspector
Integrating Fiddler into your tools
Test Integration
ExecAction.exe
Calls into OnExecAction in script or extensions
Alternatively, invoke directly by sending a Windows Message:
COPYDATASTRUCT oCDS;
oCDS.dwData = 61181;                            // Magic Cookie
oCDS.cbData = lstrlen(wzData) * sizeof(WCHAR);  // byte length of the wide-character command string
oCDS.lpData = wzData;
SendMessage(FindWindow(NULL, TEXT("Fiddler - HTTP Debugging Proxy")), WM_COPYDATA, NULL, (LPARAM)&oCDS);
[Diagram, two configurations. Fiddler application with extensions: Fiddler.exe, containing the Fiddler ScriptEngine, Inspector2 and IFiddlerExtension components, and FiddlerCore, with Your FiddlerScript and ExecAction.exe. Your application hosting FiddlerCore: YourApp.exe containing FiddlerCore. Shared dependencies: Xceed*.dll, Makecert.exe, CertMaker.dll, DotNetZip]
Programming with FiddlerCore
// Call Startup to tell FiddlerCore to begin
// listening on the specified port, register as
// the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);

Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
    Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
};

// Call Shutdown to tell FiddlerCore to stop
// listening and unregister as the system proxy
Fiddler.FiddlerApplication.Shutdown();
Fiddler Futures
Enhanced WebSockets Support
.NET 4.5.1
SPDY/HTTP2
You tell me!
@ericlaw #fiddler2 | //fiddler2.com | //fiddlerbook.com
Thank you!
Now Available: ~300 pages. Paper or DRM-free PDF.