June 8, 2010 8:00 AM
Fiddler2 is a great tool for web inspection, but it also provides excellent tooling for modifying data in HTTP requests and responses while on Windows. On Linux I usually use WebScarab or Paros, both of which are cross-platform Java tools, but I find that Fiddler is the better tool when I am on Windows.
To provide a simple example of using Fiddler2 for web debugging, I'm going to walk through the geolocation check performed by the Doctor Who: The Adventure Games installer and show how it can be examined with Fiddler (as I was on Linux at the time, I used tcpdump and Wireshark, but that gave me a TON of noise). First, install and start Fiddler. I would immediately go to the File menu and make sure that 'Capture Traffic' is turned off, so that the session list doesn't overwhelm you before the filters are in place. Then go to the Filters tab on the right side of the screen:
You'll then want to set the options the way that I have above. Set the host filter to "Show only the following Hosts" and put www.bbc.co.uk in the list. Then filter the URL so that only the /doctorwho/tag/api/geo/isukrequest path is shown. Finally, we want Fiddler to pause the response so we can edit it, and to do that we'll set a breakpoint with "Break response on Content-Type" set to text/plain. This ensures that we intercept the response for any geolocation request to this particular API, and nothing else.
Fire up the installer and watch your Fiddler window until you see the following show up in the Web Sessions list:
Click on that line, then choose the "Inspectors" tab instead of the "Filters" tab on the right. You should then see the following in the bottom half of the view:
From the drop-down select the "200_SimpleHTML.dat" option, then click on the "TextView" option and change the content to 1. Click "Run to Completion", and you should be done: the installer receives a body of 1 instead of whatever the server actually answered, and treats the machine as being in the UK.
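The manual breakpoint workflow above works for one install, but Fiddler can also apply the same rewrite automatically through FiddlerScript (Rules > Customize Rules..., which opens CustomRules.js). The handler below is an added example written for this page, not code from the original post or from the BBC; the host, path, content type and the replacement body of 1 are taken from the steps above, and the Session methods it calls (HostnameIs, uriContains, ExistsAndContains, utilDecodeResponse, utilSetResponseBody, FiddlerObject.log) are standard Fiddler API. CustomRules.js already contains an OnBeforeResponse handler, so merge the body of this one into it rather than adding a second definition.

```jscript
// Added example: automate the isukrequest response rewrite with FiddlerScript.
// Goes into CustomRules.js (Rules > Customize Rules...); Fiddler reloads the
// script on save. Host, path and the "1" body come from the manual steps in
// the post; the Fiddler Session/FiddlerObject calls are standard API.
static function OnBeforeResponse(oSession: Session) {
    // Same three criteria as the Filters tab: host, URL path, Content-Type.
    if (oSession.HostnameIs("www.bbc.co.uk") &&
        oSession.uriContains("/doctorwho/tag/api/geo/isukrequest") &&
        oSession.oResponse.headers.ExistsAndContains("Content-Type", "text/plain")) {

        // Remove gzip/deflate/chunked encoding so the body is editable as text.
        oSession.utilDecodeResponse();

        // Record what the server really answered before we change it.
        FiddlerObject.log("isukrequest original body: " +
                          oSession.GetResponseBodyAsString());

        // Replace the body with the "in the UK" answer. Fiddler recomputes
        // Content-Length for the new body, so no header edits are needed.
        oSession.utilSetResponseBody("1");

        // Highlight the rewritten session in the Web Sessions list.
        oSession["ui-color"] = "red";
    }
}
```

Because the rewrite is now a function of the session, the same handler is also the simplest answer to the automation question: swapping utilSetResponseBody("1") for a body chosen from a list (or generated per request) turns it into a crude response fuzzer against the installer, with the original server answer still preserved in the Fiddler log for comparison.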
Fiddler2 is an awesome tool for web developers, but it, or another web proxy, should also be a core tool in any security toolset. Seeing how an application responds to simple tweaks of its input or output is really interesting, and is at the root of most security research. If Fiddler has any apparent weakness, it's that I don't see a good way to automate fuzzing responses and the like; however, that may just be something I'm not seeing.