I use Fiddler to inspect app traffic for extracting API (headers, body, response and..) but on Xamarin apps, Fiddler does not work because the app does not accept system proxy.
How can I do that?
You can use burp to intercept traffic on a windows machine. Here's a guide on how to achieve that: https://resources.infosecinstitute.com/topic/windows-mobile-application-penetration-testing-part-5-intercepting-httphttps-traffic-of-uwp-apps-on-windows-desktop/
Basically you route all traffic through burp and install the certificate on the machine to let burp know how to decrypt the outgoing traffic.
If it's not proxy aware, then you can use this DNS trick here:https://portswigger.net/support/using-burp-suites-invisible-proxy-settings-to-test-a-non-proxy-aware-thick-client-application
Related
Pretty much straight forward question. I've tried to look this up but the results that I've found have been very vague. I'm busy with a Windows Phone app and have been running into some problems. I've read with Fiddler on you might run into some problems, but that's beside the point right now...
What is fiddler and how do I know if it's 'on'? Plus how to I turn it off if it is?
Thanks in advance,
Fiddler is a data monitoring tool that allows you to see incoming and outgoing HTTP(s) traffic from your computer. http://fiddler2.com/
It is a desktop app, so if you haven't got it installed on your PC - then you don't need to turn it off
Fiddler is a tool that helps you monitor your HTTP(S) traffic. It's great for debugging any network issues you're having as it lets you trace where your data is going and coming in from. If you haven't installed it, then you won't have it on your machine by default.
Monitor HTTP/HTTPs traffic from any browser
Fiddler is a free web debugging proxy which logs all HTTP(s) traffic between your computer and the Internet. Use it to debug traffic from virtually any application that supports a proxy like IE, Chrome, Safari, Firefox, Opera, and more.
Inspect and debug traffic from any client
Debug traffic from PC, Mac, or Linux systems and mobile devices. Ensure the proper cookies, headers, and cache directives are transferred between the client and server. Supports any framework, including .NET, Java, Ruby, etc.
Tamper client requests and server responses
Easily manipulate and edit web sessions. All you need to do is set a breakpoint to pause the processing of the session and permit alteration of the request/response. You can also compose your own HTTP requests to run through Fiddler
Test the performance of your web sites and apps
Fiddler lets you see the “total page weight,” HTTP caching, and compression at a glance. Isolate performance bottlenecks with rules like “Flag any uncompressed responses larger than 25kb.”
Decrypt HTTPS web sessions
Use Fiddler for security testing your web applications -- decrypt HTTPS traffic, and display and modify requests using a man-in-the-middle decryption technique. Configure Fiddler to decrypt all traffic, or only specific sessions.
Extend Fiddler as much as you want
Benefit from a rich extensibility model which ranges from simple FiddlerScript to powerful Extensions which can be developed using any .NET language. See full list of ready-made add-ons.
I have succeeded in publishing a website in HTTPS through IIS using this tutorial:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis
Now, even though the digital certificate is not valid since it was issued by my computer, the website supposedly uses HTTPS. However, after I log-into an account, I am still able to see the form data entered using Google Chrome developer tools.
Why is this happening? Isn't HTTPS supposed to encrypt network traffic? How can I solve this problem please?
The browser is likely doing some work for you in decrypting it. Try using a tool like Fiddler (http://www.fiddler2.com/fiddler2/) to grab network traffic outside the browser environment. Fiddler also allows you to decrypt HTTPS traffic, but it's not enabled by default.
It gets encrypted by the secure sockets layer (SSL) before it enters the transport layer. What you see in f12 tool in a browser is what gets sent to the SSL layer. The traffic that gets sent over the wire is captured by tools like fiddler and wireshark.
I am trying to test some new code between my iOS app and my new server code. It would greatly simplify things if I could submit requests to my local testing server while I am debugging so I can fix things quickly on the fly.
Is this possible?
This is not possible by design - which is a good thing.
However, if you are hell bent on doing this, you can do so by setting up a proxy on the development machine that will redirect the traffic to your localhost as required.
The full details steps are described here - http://encosia.com/using-an-iphone-with-the-visual-studio-development-server/.
Summary
Get Fiddler/Install Fiddler on the development machine - http://www.fiddler2.com
Determine the fiddler port and ensure it is configured to accept connections.
Determine your ip address.
On the iphone configure the proxy with the info from steps 2/3. (Connections > Proxy > Manual).
You may need to a period(.) to the address eg, http://localhost.:4543/website to make it work.
I wanted to know what is the best way to write an agent on Win platform that will be able to monitor browser's communication.
scenario: monitor the user access to predefined url on Chrome, FireFox and IE. On each hit I send the stats to a server with some data (page title).
The ways I found so far are proxy and browser addons. Each has it's own advantages and disadvantages. The main disadvantage of the proxy way is handling of HTTPS communication. The addon disadvantage is the installation (need to install on every browser) and cross-browser support.
Is there another way? some service I can write with .net that will automatically hook on a browser when it is started?
Thanks you.
You do have only two choices - an http proxy, or to write a plugin for every browser. That plugin could just forward data via network to a central service, leaving you with the challenge of coming up with a common set of data that all browsers can provide, plus learning all the plugin models.
In my opinion, though, the only real option is an HTTP(s) proxy because otherwise you have to keep updating your plugins every time browsers change, or deal with the fact that new browsers can come along and be used.
Certainly you won't find a 'user is browsing a url in some browser' event in the OS - all it knows is that a socket connection has been opened on some local port to a remote server's port 80/443 (or whatever).
So I strongly suggest building on top of the excellent work that's behind Fiddler and use the Fiddler Core.
http://www.telerik.com/fiddler/fiddlercore
For https you have to decrypt and re-encrypt with a different certificate. The information that you need is just not available without actually unpacking the request. Fiddler achieves this by opening it's own SSL tunnel to the target server on the client's behalf, whilst acting as an SSL server to the client under a different certificate. So long as the certificate that it uses is fully trusted by the client, no problems occur.
That said, it means that the user cannot personally verify the identify of the target site - therefore your system would have to assume worst case scenario for any invalid SSL certificates and block the connection.
I am using ASP.Net + .Net 3.5 + VS 2008 + IIS 7.0 + C# to develop a web application. I want to use Fiddler to debug (i.e. monitor request and response Http traffic) local traffic -- i.e. when I test web application inside VSTS 2008's built-in test ASP.Net web server. Is that feasible? If yes, how to monitor such traffic? For example, in VSTS 2008's built-in ASP.Net test web application server, the Url I want to monitor request traffic sent to http://localhost:1870/Default.aspx and its response (i.e. when F5 is pressed in VSTS 2008).
BTW: I previously think Fiddler could only be used to monitor port 80 Http traffic, not sure whether port 1870 could be monitored?
Have you tried adding a dot after the localhost? Quick test on my machine seems to indicate this is needed in IE but might not be in Firefox actually.
If you change your URL to 'http://ipv4.fiddler:1870/..' instead of 'http://localhost:1870/...' then fiddler will intercept your traffic and display the requests. Localhost doesn't go through wininet (I believe) which fiddler will then ignore. Fiddler registers ipv4.fiddler as localhost so you can monitor local traffic.
You can also add an entry to your hosts file and direct some URL (e.g. mysite.com 127.0.0.1) and use it as your URL (e.g. http://mysite.com:1870/...) and fiddler will pick that up, too.
Doesn't fiddler ignore 'Localhost' try changing the url's to your machines hostname.