Become a Web Debugging Virtuoso with Fiddler

Eric LawrenceProgram ManagerMicrosoft Corporation

CL25

Note: Session includes demos and code samples. For optimal viewing, please sit near the front!

Fiddler: Origins

Once upon a time…

Oh no! What happened?!?

There must be a better way…

Fiddler: Origins

ApplicationsNetwork

APIsProxy Website

Fiddler: Origins

Fiddler: Origins

Fiddler: Origins

+

Fiddler: version 1

> The first Fiddler build was released in October 2003.

Fiddler: Evolution

Six years,~17k lines of C#,

51+ release builds,and 700+ cans of Diet Mountain Dew

later…

Fiddler: Today

Understanding Extensibility

Fiddler 2

Fiddler ScriptEngine

Inspector2

Inspector2IFiddlerExtens

ion IFiddlerExtens

ion

Fiddler Proxy

Exe

cAct

ion.e

xe

Your FiddlerScript

Xceed*.dll Makecert.exe

You

r A

uto

mati

on

Getting to know Fiddler

A quick tour of the Fiddler UI

Demo

Scenario

Browsers, applications, and devices

Traffic Monitoring

Typical Architecture

Internet Explorer

WinINET

Office

CryptoAPI WinHTTP

Fiddler

Firefox

Upstream Proxy

example.com

Firewall

FiddlerHook for Firefox

Debug Across Machines

Fiddler

Mac

Internet

Lin

ux

Pock

etP

CPC

Tips & Tricks

> YourApp.exe.config<configuration>  <system.net>    <defaultProxy>      <proxy bypassonlocal="false" usesystemdefault="true" />    </defaultProxy>  </system.net></configuration>

> or, use http://ipv4.fiddler

Fiddler as a Reverse Proxy

Internet Explorer

WinINET

Office

CryptoAPI WinHTTP

Fiddler(Port 80)

Firefox

Upstream Proxy

IIS or Apache(Port 81)

Firewall

HTTPS Traffic DecryptionFiddler dynamically generates interception certificates chained to a self-signed root.

Scenario

Store Requests and Responses

Traffic Archiving

Fiddler has many output options

> Copy sessions to the clipboard> Store as a plaintext file> Extract binary response bodies> Archive to a database> Export a Visual Studio .WebTest file> Write your own…

The SAZ file format

Session Archive Zip files contain:

> Request and response bytes> Timing and other metadata> HTML index file

For security, SAZ files may be encrypted

FiddlerCap – Lightweight capture tool

http://www.fiddlercap.com

Scenario

Examine Requests and Responses

Traffic Analysis

Filtering Traffic

> Ignore Images & CONNECTs> Application Type Filter> Process Filter> Using QuickExec> Using Find

Spying on IE 8 Accelerators

Demo

Spying on IE8’s Visual Search Suggestions

Demo

Traffic Comparison

Use WinDiff to compare HTTP requests and responses.

Automated (Passive) Analysis

http://websecuritytool.codeplex.com/

Scenario

Change the bytes

Traffic Manipulation

Automated Rewrites

> Simple Built-in Rules> The HOSTS extension

Breakpoint Debugging

Use Fiddler inspectors to

modify requests and responses….

Simple Filters

Flag, modify or remove headers from all requests and

responses.

Request Builder

Create hand-built HTTP requests, or

modify and reissue a request previously captured.

AutoResponder

Replay previously captured or generated traffic.

FiddlerScript

FiddlerScript – Request Modification

static function OnBeforeRequest(oS: Session){

if (oS.uriContains(".aspx")) { oS["ui-color"] = "red";}

if (m_DisableCaching){ oS.oRequest.headers.Remove("If-None-Match"); oS.oRequest.headers.Remove("If-Modified-Since"); oS.oRequest["Pragma"] = "no-cache"; }}

FiddlerScript – Response Modification

static function OnBeforeResponse(oS: Session) {

oS.utilDecodeResponse(); oS.utilPrependToResponseBody("Injected Content!");

}

Scenario

Optimizing Performance with Fiddler

Performance

Build faster websites and services

> Reduce request & response size> Reduce roundtrips> Optimize Compression> Optimize Caching> Simulate Slower Speeds

Expert Analysis with neXpert

Beware the Observer Effect

> Use Fiddler to improve performance> Be careful when using Fiddler to

measure performance

Streaming Mode

Timeline view of Buffering Mode

Timeline view of Streaming Mode

NetMon + VRTA

To minimize Observer Effect when taking low-level timing measurements, prefer packet-sniffer tools.

Scenario

Integrating Fiddler into your tools

Test Integration

ExecAction.exe

> Calls into OnExecAction in script or extensions

> Alternatively, invoke directly by sending a Windows Message:

oCDS.dwData = 61180; // Magic CookieoCDS.cbData = strlen(sData);oCDS.lpData = sData;

SendMessage( FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"),WM_COPYDATA,NULL,(LPARAM) &oCDS);

>>FUTURE

Fiddler 2

Fiddler ScriptEngine

Inspector2

Inspector2IFiddlerExtens

ion IFiddlerExtens

ion

FiddlerCore

Exe

cAct

ion.e

xe

YourApp.exe

FiddlerCore

Fiddler application with extensions

Your application hosting FiddlerCore

Your FiddlerScript

Xceed*.dll

Makecert.exe

Makecert.exe

Programming with FiddlerCore

// Call Startup to tell FiddlerCore to begin // listening on the specified port, register as // the system proxy and decrypt HTTPS traffic.Fiddler.FiddlerApplication.Startup(8877, true, true);

Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) { Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl); }; // Call Shutdown to tell FiddlerCore to stop// listening and unregister as the system proxyFiddler.FiddlerApplication.Shutdown();

>>FUTURE

Fiddler Futures

> VS2010 & .NET 4.0> You tell me!

www.fiddler2.com/pdc/

Questions?

YOUR FEEDBACK IS IMPORTANT TO US!

Please fill out session evaluation

forms online atMicrosoftPDC.com

Learn More On Channel 9

> Expand your PDC experience through Channel 9

> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses

channel9.msdn.com/learnBuilt by Developers for Developers….

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.