How to stop Fiddler displaying 407 and Tunnel To - fiddler

How can I stop Fiddler displaying the "407" and "Tunnel To" sessions, which look to be generated twice before each successful "200"?
GET http://i.stack.imgur.com/G1dzB.png 407 Proxy Authentication Required
( Access is denied. ) (text/html)
GET http://i.stack.imgur.com/G1dzB.png 407 Proxy Authentication Required
( Access is denied. ) (text/html)
GET http://i.stack.imgur.com/G1dzB.png 200 OK (image/png)
and
CONNECT http://www.gravatar.com:443 407 Proxy Authentication Required
( Access is denied. ) (text/html)
CONNECT http://www.gravatar.com:443 407 Proxy Authentication Required
( Access is denied. ) (text/html)
CONNECT http://www.gravatar.com:443 200 Connection established ()
I've enabled the Rule / Hide CONNECTs and the Filter / Show Only Intranet Hosts, but I still get these sessions
[Update]
Tried the customize rules, OnBeforeRequest and added ...
if (oSession.HTTPMethodIs("CONNECT")) {
    // works, the sessions are green
    // oSession["ui-color"] = "green";
    // doesn't work, the sessions appear in grey!
    // oSession["ui-hide"] = "true";
}

Steve-- If you want to get a precise answer, save some traffic using File > Save > Session Archive Zip and share the SAZ file (or send using Help > Send Feedback) and I'll have a look.
HTTP/407s are shown because your client is behind an authenticating proxy server; each new connection results in an exchange of credentials to the proxy before the request is sent to the remote web server.
CONNECT requests are shown because when your client sends HTTPS requests, it first sends a CONNECT to Fiddler to tell it where to connect (because your client doesn't expect a proxy like Fiddler to be able to decrypt the secure traffic).
Using the Filters or ui-hide flag should work just fine; it's possible that it's not hiding for a few different reasons, including HTTP Errors or if Fiddler itself generated the requests (which might happen if you enabled Rules > Automatically Authenticate, for instance).
A SAZ file will show me exactly what's going on.

Related

Fiddler not capturing traffic from certain host

I want to capture traffic from a host using HTTP, but I do not see a response coming back. If I close fiddler, my application runs as normal.
I see '-' in the Result section, where it should have been an HTTP response code. If I manually execute the request using Composer, I get a 200 response. Fiddler is able to capture traffic from all other web applications without issue.
I have installed Fiddler certificate. Troubleshooting Mode returns 200. The host does not use HTTPS, but I have enabled Capture HTTPS Connects anyways.
I am using Fiddler v5.0.20182
Some applications perform certificate pinning. Web applications can also perform certificate pinning, e.g. via HTTP Public Key Pinning (HPKP). If you have ever used the web application in your browser without Fiddler, the web app public key has been downloaded and cached in the web browser.
Afterwards the Fiddler root certificate is no longer accepted for that site/app even if it has been installed correctly. You should be able to identify such problematic connections in Fiddler if you only see a CONNECT request but no subsequent requests to the same domain.
To delete the HPKP in your web browser you should use a fresh profile or clear the complete browser cache. Afterwards only use it with activated Fiddler proxy and SSL decryption. As far as I know Fiddler will remove HPKP data from responses so that the web application should also work with Fiddler in between.
I think you should be able to uncheck the options for https, uncheck the boxes which appear checked here? Or you might be able to skip decryption by adding the host in the box below where it says Skip decryption for the following hosts

Sending ClientCertificates from HttpWebRequest via Fiddler

I am trying to send out a WebRequest request like https://identityserver.github.io/Documentation/docsv2/advanced/clientCerts.html specifies with a handler containing the Client Certificate.
I've gotten to the point that I have determined that the ClientCertificate is just not being sent through Fiddler, so it is not read in the ServerVariables["CERT_FLAGS"] when the Owin LoadCertificate is called.
So I have removed all the steps from the process except (IdentityServer3.Samples/source/Clients/ClientCertificateConsoleClient/Program.cs)
async Task<TokenResponse> RequestTokenAsync()
{
    var cert = new X509Certificate2("Client.pfx");
    var handler = new WebRequestHandler();
    handler.ClientCertificates.Add(cert);
    var client = new TokenClient(
        Constants.TokenEndpoint,
        "certclient",
        handler);
    return await client.RequestClientCredentialsAsync("read write");
}
but I am still not seeing the certificate in the raw request in Fiddler. I have looked at the source code for HttpWebRequest and only see it handles the ClientCertificate in the GetConnectionGroupLine, and then it's a hash code which I also don't see in Fiddler. I'm working with Windows 7 and I have turned on the IIS client certificate mapping authentication and enabled the setting in the IIS Express applicationhost in the 2015 .vs subfolder and the primary one in my documents. What am I missing here?
reference: https://social.msdn.microsoft.com/Forums/en-US/f88a23f2-3dbe-4202-baf2-a5b05b027fe6/httpwebrequest-not-sending-client-certificate-to-server?forum=netfxnetcom
https://github.com/IdentityServer/IdentityServer3/issues/3220 - can't really find this on stackoverflow..
TLDR: Your problem (at this point) is Fiddler not HttpWebRequest/dotnet. (Edited to clarify.)
Fiddler doesn't display TLS info including certs. Fiddler works on, and displays in numerous formats, the HTTP-level data (requests and responses, including application data). When HTTPS transports this HTTP data over SSL/TLS, Fiddler does not display the SSL/TLS-specific data, which in addition to server and optional client certificates (currently) includes version, suite, possibly compression, curve, format and next-protocol negotiation, nonces, ephemeral keys, renegotiation control, signature algorithm control, server name indication, ticket, and other crypto options like encrypt-then-mac and extended-master-secret. The "raw" tab displays all the HTTP data without interpretation, but not the SSL/TLS data.
Fiddler doesn't request client auth. An SSL/TLS session uses a client certificate to perform client authentication only when requested by the server, and when your client connects to the real IdentityServer it presumably requests this. But when Fiddler is used, there is one SSL/TLS session from the client to Fiddler, and an entirely separate SSL/TLS session from Fiddler to the server. On the session from your client to Fiddler, Fiddler does not request client authentication, so your client doesn't and can't send or use its certificate.
Client auth can't be relayed anyway. If Fiddler did request client auth on the session from your client, it couldn't use that information to authenticate the session to the real server. Client auth doesn't just send the client cert, it also uses the private key to sign the concatenation (called a transcript) of the handshake messages. Since the handshake between your client and Fiddler and between Fiddler and the server are quite different, this signature is invalid for the server-side handshake and sending it would (correctly) be rejected as invalid by the server.
Instead Fiddler can do the client auth. If you want to route HTTPS traffic using client auth through Fiddler, you need to instead configure Fiddler to do the client auth on the session with the server; for a fixed setting you can just drop the identifying certificate in Fiddler's config directory, for per-session settings you need to write some FiddlerScript. The private key (and chain) needs to be in the Windows cert store, not (just) in a file. See:
http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/RespondWithClientCert
https://www.fiddlerbook.com/fiddler/help/httpsclientcerts.asp
Fiddler: Respond to Requests Requiring a Client Certificate (on SO)
https://security.stackexchange.com/questions/72916/can-fiddler-decrypt-https-traffic-when-using-elliptic-curves-client-cert-authe
If your actual problem is getting the client to support client auth when NOT using Fiddler, you need to take Fiddler out of the situation and use other debugging tools like a network trace.

How to use Postman with OWASP ZAP Proxy?

I'm trying to explore a REST API using ZAP and Postman but I get an error probably because I didn't set up something right.
Should I add the SA certificate from ZAP to Postman?
Could not get any response
There was an error connecting to http://myurl.
Why this might have happened:
The server couldn't send a response:
Ensure that the backend is working properly
Self-signed SSL certificates are being blocked:
Fix this by turning off 'SSL certificate verification' in Settings > General
Proxy configured incorrectly
Ensure that proxy is configured correctly in Settings > Proxy
Request timeout:
Change request timeout in Settings > General

Fiddler2: Decrypt HTTPS traffic and Tunnel to host:443

I use Fiddler2 to analyse some pages that use HTTPS connections. I enabled HTTPS decryption, but I still see some Tunnel to host:443 entries in my log. I can see decrypted HTTPS traffic in the log, so I assume the decryption works.
I think that a Tunnel to host:443 entry is created in addition to the decrypted log entry when the connection is opened.
Is my assumption correct or did I miss something?
Yes, this is expected.
If you click on Tunnel to Host:443 you'll see the following on the Statistics tab:
The selected session is a HTTP CONNECT Tunnel. This tunnel enables a client to
send raw traffic (e.g. HTTPS-encrypted streams or WebSocket messages) through
a HTTP Proxy Server (like Fiddler).
You can automatically hide these tunnels if you like by clicking Rules > Hide Connects.
My HTTPS interception and decryption stopped working and this message was also in my logs.
Perhaps it is unrelated, but I was able to resolve it by exporting the Fiddler certificate to the Desktop (Tools > Fiddler Options > Export Root Certificate to Desktop), double-clicking it to install it, and restarting Fiddler and my browser.

Accessing Proxy over HTTPS doesn't work

I created a web server (HTTP port 80, HTTPS: 443) and a proxy server (HTTP 8080, HTTPS: 8081).
I am seeing an issue when I access the proxy over HTTPS, like
https://xyz:8081/
Wireshark shows the client (Firefox or Chrome) is sending certificate data in an HTTP packet; I see certificate text.
Any idea what could be wrong? The browser says no data received.
If a TLS session is already established (HTTPS web server), would another TLS session be created if I try to access the HTTPS proxy?
I created SSL socket like
ctx_init
put the socket on select and did accept/sslaccept once I get
and then did SSL_Read
NB: All other access, like HTTP/HTTPS to the web server or HTTP to the proxy server, works fine.
Updates: The issue was that the client was sending a fragmented HTTP request.
So for a GET request it was sent by the client like this:
Packet 1 was GE
Packet 2 was the rest, T ....\r\n\r\n
So in code I have to collect until the full HTTP packet is received.
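The fix described in the update, as an added example that is not code from the original post: each chunk returned by one SSL_read()/recv() call is appended to a per-connection buffer until the CRLFCRLF that ends the request head has arrived, including when that terminator is itself split across two reads. The names req_buf, req_feed and req_feed_chunks and the 8192-byte cap REQ_MAX are assumptions made for this sketch, and the request bytes are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 8192 /* assumed cap on the request head, bounds memory per client */

/* Hypothetical per-connection accumulator (names are illustrative). */
struct req_buf { char data[REQ_MAX]; size_t len, scanned; };

/* Append one chunk as returned by a single SSL_read()/recv() call.
 * Returns the head length (including CRLFCRLF) once the terminator is seen,
 * 0 while the head is still incomplete, -1 if it would exceed REQ_MAX. */
static long req_feed(struct req_buf *rb, const char *chunk, size_t n)
{
    if (n > REQ_MAX - rb->len)
        return -1;
    memcpy(rb->data + rb->len, chunk, n);
    rb->len += n;
    /* Back up 3 bytes so a terminator split across two chunks is found. */
    size_t i = rb->scanned >= 3 ? rb->scanned - 3 : 0;
    for (; i + 4 <= rb->len; i++)
        if (memcmp(rb->data + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);
    rb->scanned = rb->len;
    return 0;
}

/* Feed constructed chunks in order; stop at the first non-zero result. */
static long req_feed_chunks(const char *const *chunks, size_t count)
{
    static struct req_buf rb;
    long r = 0;
    rb.len = rb.scanned = 0;
    for (size_t k = 0; k < count && r == 0; k++)
        r = req_feed(&rb, chunks[k], strlen(chunks[k]));
    return r;
}

int main(void)
{
    /* Constructed sample: the "GE" + "T ..." split from the post, with the
     * final CRLFCRLF also split across two reads. */
    const char *const parts[] = { "GE", "T / HTTP/1.1\r\nHost: xyz:8081\r\n\r", "\n" };
    printf("head complete after %ld bytes\n", req_feed_chunks(parts, 3));
    return 0;
}
```

Bytes that follow the returned head length (a request body or a pipelined request) remain in the buffer and still have to be consumed by the caller.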