Note: Session includes demos and code samples. For optimal viewing, please sit near the front!
Become a Web Debugging Virtuoso with Fiddler
Eric Lawrence, Program Manager, Microsoft Corporation
CL25
Fiddler: Origins
Once upon a time…
Oh no! What happened?!?
There must be a better way…
Fiddler: Origins
[Diagram: Applications → Network APIs → Proxy → Website]
Fiddler: version 1
> The first Fiddler build was released in October 2003.
Fiddler: Evolution
Six years, ~17k lines of C#, 51+ release builds, and 700+ cans of Diet Mountain Dew later…
Fiddler: Today
Understanding Extensibility
[Architecture diagram: Fiddler 2 = Fiddler Proxy + Fiddler ScriptEngine + Inspector2 + IFiddlerExtension; around it sit ExecAction.exe, Your FiddlerScript, Your Automation, Xceed*.dll and Makecert.exe]
Getting to know Fiddler
A quick tour of the Fiddler UI
Demo
Scenario
Browsers, applications, and devices
Traffic Monitoring
Typical Architecture
[Diagram: Internet Explorer and Office (via WinINET, CryptoAPI and WinHTTP) and Firefox (via FiddlerHook for Firefox) → Fiddler → Upstream Proxy → Firewall → example.com]
Debug Across Machines
[Diagram: Fiddler on one machine proxying Mac, Linux and Pocket PC clients out to the Internet]
Tips & Tricks
> YourApp.exe.config:
<configuration>
  <system.net>
    <defaultProxy>
      <!-- usesystemdefault: route through the system (WinINET) proxy, i.e. Fiddler;
           bypassonlocal="false": also proxy requests to local addresses -->
      <proxy bypassonlocal="false" usesystemdefault="true" />
    </defaultProxy>
  </system.net>
</configuration>
> or, use http://ipv4.fiddler
Fiddler as a Reverse Proxy
[Diagram: clients (Internet Explorer and Office via WinINET, CryptoAPI and WinHTTP; Firefox), Upstream Proxy and Firewall in front of Fiddler (Port 80), which forwards to IIS or Apache (Port 81)]
HTTPS Traffic Decryption
Fiddler dynamically generates interception certificates chained to a self-signed root.
Scenario
Store Requests and Responses
Traffic Archiving
Fiddler has many output options
> Copy sessions to the clipboard
> Store as a plaintext file
> Extract binary response bodies
> Archive to a database
> Export a Visual Studio .WebTest file
> Write your own…
The SAZ file format
Session Archive Zip files contain:
> Request and response bytes
> Timing and other metadata
> HTML index file
For security, SAZ files may be encrypted
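A small reader for the SAZ layout just described, added here as an example rather than code from the deck or from Fiddler itself. It assumes the session files are named raw/NNNN_c.txt (request bytes), raw/NNNN_s.txt (response bytes) and raw/NNNN_m.xml (metadata), and it builds a one-session archive in memory as constructed input instead of opening a file.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;   // ZipArchive (reference System.IO.Compression.dll)
class SazReader
{
    // Assumed SAZ layout: raw/NNNN_c.txt = request bytes, raw/NNNN_s.txt = response bytes,
    // raw/NNNN_m.xml = timers and flags, plus an HTML index (_index.htm) at the archive root.
    public static Dictionary<string, string> ReadEntries(Stream saz)
    {
        var files = new Dictionary<string, string>();
        using (var zip = new ZipArchive(saz, ZipArchiveMode.Read, true))
            foreach (var e in zip.Entries)
                using (var r = new StreamReader(e.Open()))
                    files[e.FullName.Replace('\\', '/')] = r.ReadToEnd();
        return files;
    }
    // Pair each request with its response: request line, status line, and whether the
    // response carries a Cache-Control header (a first check when reviewing a capture).
    public static List<string> Summarize(Dictionary<string, string> files)
    {
        var report = new List<string>();
        foreach (var kv in files)
        {
            if (!kv.Key.EndsWith("_c.txt")) continue;
            string id = Path.GetFileName(kv.Key).Replace("_c.txt", "");
            string request = kv.Value.Split('\n')[0].TrimEnd('\r');
            string resp;
            files.TryGetValue("raw/" + id + "_s.txt", out resp);
            string status = resp == null ? "(no response)" : resp.Split('\n')[0].TrimEnd('\r');
            bool hasCC = resp != null && resp.IndexOf("\nCache-Control:", StringComparison.OrdinalIgnoreCase) >= 0;
            report.Add(string.Format("{0}: {1} -> {2}; Cache-Control {3}", id, request, status, hasCC ? "present" : "absent"));
        }
        return report;
    }
    static void Add(ZipArchive z, string name, string body)
    { using (var w = new StreamWriter(z.CreateEntry(name).Open())) w.Write(body); }
    static void Main()
    {
        // Constructed one-session archive, built in memory instead of loaded from disk.
        var ms = new MemoryStream();
        using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, true))
        {
            Add(zip, "raw/0001_c.txt", "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n");
            Add(zip, "raw/0001_s.txt", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-store\r\n\r\n<html></html>");
            Add(zip, "raw/0001_m.xml", "<Session SID=\"1\"><SessionFlags /></Session>");
        }
        ms.Position = 0;
        foreach (string line in Summarize(ReadEntries(ms))) Console.WriteLine(line);
    }
}
```

To read a real capture, replace the MemoryStream with File.OpenRead on the .saz path; an encrypted SAZ must be decrypted by Fiddler first since ZipArchive does not handle password-protected entries.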
FiddlerCap – Lightweight capture tool
http://www.fiddlercap.com
Scenario
Examine Requests and Responses
Traffic Analysis
Filtering Traffic
> Ignore Images & CONNECTs
> Application Type Filter
> Process Filter
> Using QuickExec
> Using Find
Spying on IE 8 Accelerators
Demo
Spying on IE8’s Visual Search Suggestions
Demo
Traffic Comparison
Use WinDiff to compare HTTP requests and responses.
Automated (Passive) Analysis
http://websecuritytool.codeplex.com/
Scenario
Change the bytes
Traffic Manipulation
Automated Rewrites
> Simple Built-in Rules
> The HOSTS extension
Breakpoint Debugging
Use Fiddler inspectors to modify requests and responses….
Simple Filters
Flag, modify or remove headers from all requests and responses.
Request Builder
Create hand-built HTTP requests, or modify and reissue a request previously captured.
AutoResponder
Replay previously captured or generated traffic.
FiddlerScript
FiddlerScript – Request Modification
static function OnBeforeRequest(oS: Session) {
    // Highlight requests for .aspx resources in the session list
    if (oS.uriContains(".aspx")) { oS["ui-color"] = "red"; }
    // m_DisableCaching is a RulesOption variable declared elsewhere in the script;
    // when set, strip the conditional headers so the server cannot reply 304 Not Modified
    if (m_DisableCaching) {
        oS.oRequest.headers.Remove("If-None-Match");
        oS.oRequest.headers.Remove("If-Modified-Since");
        oS.oRequest["Pragma"] = "no-cache";
    }
}
FiddlerScript – Response Modification
static function OnBeforeResponse(oS: Session) {
    // Decompress and unchunk the body first; editing a compressed body would corrupt it
    oS.utilDecodeResponse();
    oS.utilPrependToResponseBody("Injected Content!");
}
Scenario
Optimizing Performance with Fiddler
Performance
Build faster websites and services
> Reduce request & response size
> Reduce roundtrips
> Optimize Compression
> Optimize Caching
> Simulate Slower Speeds
Expert Analysis with neXpert
Beware the Observer Effect
> Use Fiddler to improve performance
> Be careful when using Fiddler to measure performance
Streaming Mode
Timeline view of Buffering Mode
Timeline view of Streaming Mode
NetMon + VRTA
To minimize Observer Effect when taking low-level timing measurements, prefer packet-sniffer tools.
Scenario
Integrating Fiddler into your tools
Test Integration
ExecAction.exe
> Calls into OnExecAction in script or extensions
> Alternatively, invoke directly by sending a Windows Message:
#include <windows.h>
#include <string.h>

char sData[] = "<command text>";   // placeholder: the ExecAction command to deliver
COPYDATASTRUCT oCDS;
oCDS.dwData = 61180;               // Magic Cookie identifying an ExecAction message
oCDS.cbData = strlen(sData);
oCDS.lpData = sData;
SendMessage(FindWindow(NULL, "Fiddler - HTTP Debugging Proxy"),
            WM_COPYDATA, NULL, (LPARAM)&oCDS);
>>FUTURE
[Diagram, left: Fiddler application with extensions: Fiddler 2 (Fiddler ScriptEngine, Inspector2, IFiddlerExtension) with ExecAction.exe, Your FiddlerScript, Xceed*.dll and Makecert.exe. Right: Your application hosting FiddlerCore: YourApp.exe + FiddlerCore + Makecert.exe]
Programming with FiddlerCore
// Call Startup to tell FiddlerCore to begin listening on the specified port,
// register as the system proxy and decrypt HTTPS traffic.
Fiddler.FiddlerApplication.Startup(8877, true, true);

// Log every response as it arrives.
Fiddler.FiddlerApplication.BeforeResponse += delegate(Fiddler.Session oS) {
    Console.WriteLine("{0}:HTTP {1} for {2}", oS.id, oS.responseCode, oS.fullUrl);
};

// ... capture for as long as needed ...

// Call Shutdown to tell FiddlerCore to stop listening
// and unregister as the system proxy.
Fiddler.FiddlerApplication.Shutdown();
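Extending the FiddlerCore snippet above, and mirroring the FiddlerScript request rule earlier in the deck, here is an added example that is not code from the deck or from the FiddlerCore project: a console host that strips conditional headers on every request and flags HTML responses missing a hypothetical list of expected headers (ExpectedHeaders is an assumption) before shutting down cleanly.

```csharp
using System;
using Fiddler;   // FiddlerCore.dll

class FiddlerCoreHost
{
    // Hypothetical policy: HTML responses are expected to carry these headers.
    static readonly string[] ExpectedHeaders = { "X-Frame-Options", "Content-Security-Policy" };

    static void Main()
    {
        // Attach handlers before Startup so the first sessions are not missed.
        FiddlerApplication.BeforeRequest += delegate(Session oS)
        {
            // Same rule as the FiddlerScript sample: drop conditional headers so the
            // server cannot answer 304 Not Modified and every response body is captured.
            oS.oRequest.headers.Remove("If-None-Match");
            oS.oRequest.headers.Remove("If-Modified-Since");
            oS.oRequest["Pragma"] = "no-cache";
        };

        FiddlerApplication.BeforeResponse += delegate(Session oS)
        {
            if (!oS.oResponse.headers.ExistsAndContains("Content-Type", "text/html")) return;
            foreach (string header in ExpectedHeaders)
            {
                if (oS.oResponse.headers.Exists(header)) continue;
                oS["ui-color"] = "red";   // session flag; a hosting UI may use it for highlighting
                Console.WriteLine("{0}: HTTP {1} for {2} lacks {3}", oS.id, oS.responseCode, oS.fullUrl, header);
            }
        };

        // Listen on 8877, register as the system proxy, decrypt HTTPS
        // (requires the generated root certificate to be trusted on this machine).
        FiddlerApplication.Startup(8877, true, true);
        Console.WriteLine("Capturing on port 8877; press Enter to stop.");
        Console.ReadLine();

        // Stop listening and restore the previous proxy settings.
        FiddlerApplication.Shutdown();
    }
}
```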
>>FUTURE
Fiddler Futures
> VS2010 & .NET 4.0
> You tell me!
www.fiddler2.com/pdc/
Questions?
YOUR FEEDBACK IS IMPORTANT TO US!
Please fill out session evaluation forms online at MicrosoftPDC.com
Learn More On Channel 9
> Expand your PDC experience through Channel 9
> Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses
channel9.msdn.com/learn
Built by Developers for Developers….
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.