Site certificate fails when I enable https decryption in Fiddler 4 - powershell

I have a PowerShell script that uploads a batch of files to lingq.com.
I created it the following way: I logged in to the site via browser, and made an upload manually through the web page. I grabbed the request in Fiddler, then duplicated it in PowerShell, including the authentication cookies. I'd just swap out the content of the request and send it. It wasn't pretty, but it worked and saved me an immense amount of time. The only downside was every time I had to log in to the site again, my authentication cookies got invalidated and I had to grab them again. But that I could live with.
They seem to have changed all their communication to https, because now instead of a request to
http://www.lingq.com/learn/ja/import/contents/?add
all I see in Fiddler is
"Tunnel to www.lingq.com/443"
Fiddler also gives me a warning that HTTPS decryption is disabled. When I enable it, and start capturing, Firefox gives me a certificate error when I try to access the site (or any other site that uses certificates, including Google):
www.lingq.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
My script is now completely useless, every request I send returns the login page. And because of Fiddler messing up the certificates, I can't further reverse engineer the site to mimic the requests correctly.
How can I make https decryption work in Fiddler? Alternatively, is there a way my script can properly authenticate itself on the site? I have tried the steps described here:
How to make an authenticated web request in Powershell?
It didn't work at all. My guess is some sort of federated authentication is in place, but frankly I'm completely out of my depth here.

Related

Fiddler not capturing traffic from certain host

I want to capture traffic from a host using HTTP, but I do not see a response coming back. If I close fiddler, my application runs as normal.
I see '-' in the Result section, where it should have been an HTTP response code. If I manually execute the request using Composer, I get a 200 response. Fiddler is able to capture traffic from all other web applications without issue.
I have installed Fiddler certificate. Troubleshooting Mode returns 200. The host does not use HTTPS, but I have enabled Capture HTTPS Connects anyways.
I am using Fiddler v5.0.20182
Some applications performs certificate pinning. Also web applications can perform certificate pinning e.g. via HTTP Public Key Pinning (HPKP). If you have ever used the web application in your browser without Fiddler, the web app public key has been downloaded and cached in the web-browser.
Afterwards the Fiddler root certificate is no longer accepted for that site/app even it it has been installed correctly. You should be able to identify such problematic connections in Fiddler if you only see a CONNECT request but no subsequent requests to the same domain.
To delete the HPKP in your web browser you should use a fresh profile or clear the complete browser cache. Afterwards only use it with activated Fiddler proxy and SSL decryption. As far as I know Fiddler will remove HPKP data from responses so that the web application should also work with Fiddler in between.
I think you should be able to uncheck the options for https, uncheck the boxes which appear checked here? Or you might be able to skip decryption by adding the host in the box below where it says Skip decryption for the following hosts

Can't turn off Facebook Secure Browsing

I'm developing a Facebook canvas app. I don't have a SSL certificate so I've been using a plain http:// URL + sandbox mode for the creation and testing process.
Suddenly I realized my Facebook account turned to Secure Browsing mode and I'm unable to turn it off via Account Settings >> Security >> Secure Browsing. There is no "edit" button. None of my co-workers experienced the same problem. Their Secure Browsing option is off, editable and the app is visible. Anyone familiar with the same issue?
If you're testing your app you shouldn't really need to disable HTTPS, nor is that really a representative test if you're using HTTP but almost all your users will be using HTTPS (as is the case with Facebook)
It'd be better to get a free cert from startssl.com or similar free CAs, use OpenSSL to generate an in-house CA or self-signed certs, or accept the certificate warnings from the default cert that ships in your webserver, if any, than to disable the secure browsing option on your Facebook account for this purpose;
As for the option itself in the Facebook setting, that's somewhat off topic for here, and I'm unsure what the exact status is but I believe the option to browse Facebook insecurely is being phased out
Another option for testing is to run a test server with a separate proxy to your production environment (e.g nginx) for test purposes and log all the traffic to that server for debugging

Need to set up SSL for facebook site apps to work, any suggestions? I do not need to protect passwords or anything

facebook is forcing apps to use HTTPS, i have been looking in to openSSL, but i really cannot get my head around on how to install it, i am using godaddy and it runs on a linux server, i dont think i can execute from any command line.
I need to have a valid HTTPS link, a self signed certificate it OK, but i cannot seem to get one up on GoDaddy, can i redirect all HTTPS to HTTP, would that work? via .htacess
Any suggestions are welcome!
I had the exact same problem Yesterday, and quickly found a way around this without having to move my application to a server with SSL.
Facebook only validates the starting URL to be https://..... however, you are not forced to use ssl from there on forward. Thus I simply created a free Heroku account (you can use any other hosting provider that supports SSL) and added a index.php file with the following code:
<?php
header( 'Location: http://my.app.url' );
When the IFrame is loaded, it will automatically redirect to your application hosted on a non-ssl server and will work without any problems.
For more information you can check out my blog post http://www.xethron.co.za/building-a-facebook-app-on-a-host-without-https-ssl-support

Redirecting https://server.com to https://www.server.com in apache

I am trying to write a redirect in apache for URL of pattern:
https://server.com to https://www.server.com
without much success
Reason for rediect: My SSL certificate is on www.server.com, so I want the users to go on the correct site (and see secure icon).
Problem: The problem is that when I try to open https://server.com the browser gives me incorrect certificate error and none of my RewriteRule gets executed till I ignore the incorrect certificate problem.
How do I redirect in this case?
You can't do this with one certificate. The reason is that the web server needs to do the ssl handshake before it does the redirect, so you'll always have the problem with invalid certificate.
You really have only one option to do this - cover both, www and no www with a certificate and redirect. This can be done several ways, either get a certificate with multiple domain names called a SAN certificate, or get two certificates, one for www and one without. However, in the second case, you would need two web servers with different ip's to accomplish your task.
An alternate approach, one that use myself, is not to worry about it. Instruct users to go to regular http website and do the redirection yourself when SSL Cconnection is needed. This is what amazon.com does actually. They want you to browse http and they redirect you to SSL only when you buy something. Their certificate is also only valid for www, just go to https://amazon.com and you'll see their certificate is invalid without www

How to persuade Java Web Start to actually remember password?

I use Java Web Start. The file is on http server, that needs name and password (it's windows server). What the Java Web start does is this (with user and IP redacted):
The same on MS Windows client. There is this "Save this password in your password list" option, that does nothing at all (on both Mac OS and Windows), when running this java web start app again, it wants the password again.
Is it a bug in JWS? Or what is going on exactly?
I just had the same problem.
turns out you need to restart your web browser to have the java remember your password.
I also allowed that java cache, but i dont think that was the solution.
I've implemented a workaround for this problem. You can use some kind of cookie based authentication for supporting password authentication.
In my case when a successfull login happens using the HTTP basic authentication i send a cookie in my servlet which holds the username and password the same way the HTTP header contains it when Basic method is used (BASE64 encoded). Web Start stores this cookie in Internet Explorer's cookie store on Windows (on other systems Web Start has it's own cookie store). Web Start then sends this cookie everytime a resource is being accessed from my domain. You can specify a very long lifetime for the cookie (like 10 years) which will probably outlasts the current OS installation anyway.
On subsequent requests i check for the present of the cookie and try to validate the user according to that. If the Cookie auth is invalid and no HTTP Authorization header received (or that's invalid also) i'm sending the HTTP 401 Unauthorized status.
The disadvantage is that username and password is being stored as a cookie on the computer. The password is being sent through the network the same way as with HTTP Basic authentication just in a different header so you can protect it with HTTPS.
This also solves the lack of password remembering option on Linux Web Start.
I implemented the cookie idea, the trouble is now, how do you clear the cookie, if you want to? I mean, nice that the cookie is persistent, but what if the user wants to clear the cookie? As far as I see, the Java console has no option to do it. Clearing the web start cache doesn't seem to do it. On Windows, supposedly IE stores it, so IE gives an interface (haven't tested it myself). But on Mac and presumably Linux, I just can't find out where they are stored. Tried looking in preferences files, and tried blowing away the whole Java cache folder, but they are still stored somewhere. Anyone have an idea?