Fiddler
Ana Bozianu, Cristian Sumănaru
History
• First released in 2003 – supported most viewing tasks
• v1.x retired in 2007
• v1.x had the following features:
  • Performance statistics
  • Auto Responder
  • Request Builder
  • Authentication inspector
  • Filtering
  • Menu extensibility via script
• v2.0 released in 2009
• v2.4.2.6 released 1/21/2013
Features
• HTTP/HTTPS traffic recording
  • Capture traffic
  • View metrics
  • Filter captured traffic
  • Playback recorded traffic
• Web debugging
  • Analyze session data
  • Decrypt and decompress web sessions
Features
• Web session manipulation
  • Manipulate any HTTP(S) request or response
  • Set breakpoints
  • Compose HTTP(S) requests
  • Simulate original HTTP(S) traffic
• Performance testing
  • Profile the performance of the web app
  • Flag performance bottlenecks
  • Simulate HTTP compression
  • Timeline for performance analysis
Features
• Security testing
  • Automate SSL decryption
  • Security add-ons
• Customizations
  • Create rules
  • Add inspectors
  • Extend with FiddlerScript and .NET code
Some Security Add-ons
• Watcher - Passive Security Auditor
  • Runtime passive-analysis tool for web applications
  • Detects web-application security issues as well as operational configuration issues
Some Security Add-ons
• x5s - Automated XSS Security Testing Assistant
  • x5s aims to assist penetration testers in finding cross-site scripting vulnerabilities.
  • Its main goal is to help you identify the hotspots where XSS might occur by:
    • Detecting where safe encodings were not applied to emitted user inputs
    • Detecting where Unicode character transformations might bypass security filters
    • Detecting where non-shortest UTF-8 encodings might bypass security filters
Some Security Add-ons
• Ammonite - Security Scanner (commercial)
  • Ammonite is a web application security scanner extension for Fiddler.
  • Ammonite detects common vulnerabilities such as SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows.
  • Ammonite includes unique features that make it particularly well suited for penetration testers and security professionals.
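The "Create rules" and "Extend with FiddlerScript" customizations above, combined with the passive-audit idea behind Watcher, can be shown in a few lines of FiddlerScript. This is an added example, not code from the slides or from any of the add-ons: a rule that inspects each HTML response as it arrives and highlights sessions that lack common security headers or set cookies without the Secure flag. The header list, colour and log prefix are choices made for this example; the script goes into Rules > Customize Rules (CustomRules.js), merged into the existing Handlers class.

```jscript
import System;
import Fiddler;

class Handlers
{
    // Response headers we expect on HTML documents (assumed list for this example).
    static var expectedHeaders = [
        "Content-Security-Policy",
        "X-Content-Type-Options",
        "Strict-Transport-Security"   // only meaningful on HTTPS responses
    ];

    // Runs once per session after the response headers and body have been received.
    static function OnBeforeResponse(oSession: Session) {
        // Audit only HTML documents; images and scripts rarely carry these headers.
        if (!oSession.oResponse.headers.ExistsAndContains("Content-Type", "text/html")) {
            return;
        }

        var findings = "";
        for (var i = 0; i < expectedHeaders.length; i++) {
            var name = expectedHeaders[i];
            if (name == "Strict-Transport-Security" && !oSession.isHTTPS) continue;
            if (!oSession.oResponse.headers.Exists(name)) {
                findings += (findings == "" ? "" : ", ") + "missing " + name;
            }
        }

        // A cookie set over HTTPS without the Secure attribute is a classic
        // configuration finding of the kind a passive auditor reports.
        if (oSession.isHTTPS &&
            oSession.oResponse.headers.Exists("Set-Cookie") &&
            !oSession.oResponse.headers.ExistsAndContains("Set-Cookie", "Secure")) {
            findings += (findings == "" ? "" : ", ") + "Set-Cookie without Secure";
        }

        if (findings != "") {
            // Flag the row in the session list and record the detail in the Comments column.
            oSession["ui-color"] = "orange";
            oSession["ui-bold"] = "true";
            oSession["ui-comments"] = findings;
            FiddlerObject.log("[hdr-audit] " + oSession.fullUrl + ": " + findings);
        }
    }
}
```

The rule only observes and annotates traffic; it changes nothing on the wire, so it is safe to leave enabled while browsing an application under test.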
Tool Comparison
• Wireshark
  - Only captures packets
  + Better filtering
• Firebug
  - Tracks each request in the browser
  - Mostly for client-side debugging
  + Great JavaScript debugging
Demo
• http://www.bayden.com/sandbox/