Post on 24-Dec-2015

Advanced Web Debugging with Fiddler

Eric Lawrence
Program Manager, Internet Explorer
ericlaw@microsoft.com

Note: Session includes demos and code samples. For optimal viewing, please sit near the front!

TRAFFIC CAPTURE

GET /data HTTP/1.1

Typical Architecture

Diagram of the capture path: client applications (Internet Explorer and Office via WinINET and WinHTTP, with CryptoAPI; Firefox) send their requests through Fiddler, which forwards them to an Upstream Proxy and then through the Firewall to example.com.

Debug Across Devices

Diagram: Fiddler sits between the device being debugged and the Internet.

FiddlerHook for Firefox

TRAFFIC IMPORT

Fiddler, FiddlerCap, and IE9

FiddlerCap

FiddlerCap is a lightweight capture tool

IE9 Developer Tools

IE9’s Developer Tools include a “Network” tab

TRAFFIC ANALYSIS

Examine Requests and Responses

Filtering Traffic

• Ignore Images & CONNECTs
• Application Type Filter
• Process Filter
• Using QuickExec
• Using Find

Output Options

• Copy sessions to the clipboard
• Store as a plaintext file
• Extract binary response bodies
• Archive to a database
• Export a Visual Studio .WebTest file
• Write your own…
• Fiddler’s native “Session Archive ZIP” (SAZ) Format

Traffic Comparison

Use WinDiff to compare HTTP requests and responses.

Traffic Comparison

“Viewer” mode allows examining multiple captures side-by-side.

fiddler.exe -viewer

TRAFFIC MODIFICATION

Rewriting HTTP(S) Traffic

Automated Rewrites

• Simple Built-in Rules
• The HOSTS extension

Breakpoint Debugging

Use Fiddler inspectors to modify requests and responses….

Understanding Streaming

Timeline view of Buffering Mode

Timeline view of Streaming Mode

Request Builder

Create hand-built HTTP requests, or modify and reissue a request previously captured.

Simple Filters

Flag, modify or remove headers from all requests and responses.

AutoResponder

Replay previously captured or generated traffic.

SCRIPTING AND EXTENSIBILITY

Powering Up Fiddler

Understanding Extensibility

Diagram of Fiddler 2's extensibility points: the Fiddler Proxy hosts the Fiddler ScriptEngine (which runs Your FiddlerScript), Inspector2 and IFiddlerExtension plug-ins (where Your Automation lives), and depends on the Xceed*.dll libraries and Makecert.exe.

FIDDLERSCRIPT

Lightweight extensibility using JavaScript

FiddlerScript

FiddlerScript:Request Modification

    // Toggle consulted below; declared at script scope (the default CustomRules.js
    // exposes it as a Rules-menu option).
    public static var m_DisableCaching: boolean = false;

    static function OnBeforeRequest(oS: Session) {
        // Highlight .aspx sessions in red in the session list.
        if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; }

        // Strip conditional-request headers so the server must send a fresh body.
        if (m_DisableCaching) {
            oS.oRequest.headers.Remove("If-None-Match");
            oS.oRequest.headers.Remove("If-Modified-Since");
            oS.oRequest["Pragma"] = "no-cache";
        }
    }

FiddlerScript:Response Modification

    static function OnBeforeResponse(oS: Session) {
        // Remove chunking and compression first, otherwise the prepended text
        // would corrupt an encoded body.
        oS.utilDecodeResponse();
        oS.utilPrependToResponseBody("Injected Content!");
    }

EXTENSIONS

Powerful extensibility using any .NET Language

neXpert

Watcher

http://websecuritytool.codeplex.com/

Automated (passive) security analysis

TEST INTEGRATION

Integrating Fiddler into your tools

ExecAction

The ExecAction.exe command line utility calls into the OnExecAction function in script and Fiddler extensions.

FiddlerCore

Diagram comparing the two hosting models. Left, the Fiddler 2 application with extensions: Fiddler ScriptEngine running Your FiddlerScript, Inspector2 and IFiddlerExtension plug-ins, FiddlerCore, Xceed*.dll and Makecert.exe. Right, Your application hosting FiddlerCore: YourApp.exe linking FiddlerCore, plus Makecert.exe.

Programming with FiddlerCore

    using System;

    class Program {
        static void Main() {
            // Log every response as it arrives; attach before Startup so no
            // early session is missed.
            Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
                Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
            };

            // Call Startup to tell FiddlerCore to begin listening on the specified
            // port, register as the system proxy and decrypt HTTPS traffic.
            Fiddler.FiddlerApplication.Startup(8877, true, true);

            Console.WriteLine("Capturing; press Enter to stop.");
            Console.ReadLine();

            // Call Shutdown to tell FiddlerCore to stop listening and unregister
            // as the system proxy.
            Fiddler.FiddlerApplication.Shutdown();
        }
    }
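A Watcher-style passive check of response security headers, written here as an added FiddlerCore example (not code from the talk or from the Watcher project); it assumes FiddlerCore's Session, HTTPHeaderItem and FiddlerApplication types as shown on the slides, and keeps the rule logic in a plain Audit function so it can be exercised without a live proxy.

```csharp
using System;
using System.Collections.Generic;
using Fiddler;
// Passive security-header audit hosted in FiddlerCore. Assumed: FiddlerCore's
// Session, HTTPHeaderItem and FiddlerApplication types as used on the slides.
class HeaderAudit
{
    // Pure rule logic over (name, value) header pairs so it can be exercised
    // without a live proxy. Returns one finding string per weakness.
    public static List<string> Audit(bool isHttps, IEnumerable<KeyValuePair<string, string>> headers)
    {
        var findings = new List<string>();
        bool hasHsts = false, hasFrameOptions = false, isHtml = false;
        foreach (var h in headers)
        {
            string name = h.Key.ToLowerInvariant();
            if (name == "strict-transport-security") hasHsts = true;
            else if (name == "x-frame-options") hasFrameOptions = true;
            else if (name == "content-type") isHtml = h.Value.ToLowerInvariant().Contains("text/html");
            else if (name == "set-cookie")
            {
                // Compare cookie attributes by name, so "id=1;Secure" and "id=1; Secure" both count.
                var attrs = new HashSet<string>();
                foreach (string part in h.Value.Split(';')) attrs.Add(part.Trim().ToLowerInvariant());
                if (isHttps && !attrs.Contains("secure")) findings.Add("Set-Cookie without Secure: " + h.Value);
                if (!attrs.Contains("httponly")) findings.Add("Set-Cookie without HttpOnly: " + h.Value);
            }
        }
        if (isHttps && !hasHsts) findings.Add("HTTPS response without Strict-Transport-Security");
        if (isHtml && !hasFrameOptions) findings.Add("HTML response without X-Frame-Options");
        return findings;
    }
    static void Main()
    {
        FiddlerApplication.BeforeResponse += delegate(Session oS)
        {
            if (oS.HTTPMethodIs("CONNECT")) return;   // tunnel setup carries no page headers
            var pairs = new List<KeyValuePair<string, string>>();
            foreach (HTTPHeaderItem hi in oS.oResponse.headers)   // assumed: headers enumerate as items
                pairs.Add(new KeyValuePair<string, string>(hi.Name, hi.Value));
            foreach (string f in Audit(oS.isHTTPS, pairs))
                Console.WriteLine("{0} {1}: {2}", oS.id, oS.fullUrl, f);
        };
        FiddlerApplication.Startup(8877, true, true);   // listen, register as system proxy, decrypt HTTPS
        Console.WriteLine("Auditing responses; press Enter to stop.");
        Console.ReadLine();
        FiddlerApplication.Shutdown();
    }
}
```

Because Startup is called with HTTPS decryption enabled, the findings cover TLS responses too, which is where the Secure and Strict-Transport-Security checks matter.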

Call To Action

• Try the Watcher & neXpert extensions
• Use FiddlerCap to collect traffic from the field
• Check out import from the IE9 Developer Tools

Questions and Resources

Resources
o Meet the IE Team in the MIX “Commons”
o http://www.fiddler2.com/mix/
o ericlaw@microsoft.com

Please fill out an evaluation form for this session (FT-50).

Thank you!

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Internet Explorer, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.