SungHoon_Kim

How to install fiddler and capture https traffic

Blog Post created by SungHoon_Kim Employee on Feb 15, 2016

I did not intend to write this, but it became necessary as part of building the "ALL-IN-ONE" VM image.

webagenttrace.log showed a "SAVEDSESSION" cookie being set, and I wanted to find out what it might be for and when it is set and cleared.

 

For more information about Fiddler and its use, visit "www.telerik.com/fiddler".

 

Visit "Fiddler free web debugging proxy" (http://www.telerik.com/fiddler) and download it.

There are two builds, one for .NET 2 and one for .NET 4; pick the one matching the .NET Framework version installed on the machine.

 

 

After installation, the first start of Fiddler reports a conflict on its default listening port, 8888. In this VM image that is expected, because another service already uses that port.

Click "Yes" to continue; the listening port will be changed manually to 9999 below so it does not conflict in the future.

 

 

Once it starts, Fiddler checks whether an update is available. We do not need to see this every time Fiddler starts, so disable it.

Click "Tools ==> Fiddler Options" and uncheck "Check for updates on startup".

Then click the "HTTPS" tab and check "Decrypt HTTPS traffic". This must be enabled so that Fiddler terminates the TLS connection itself and can show the plaintext of HTTPS requests and responses.

You will then be asked to "Trust the Fiddler Root certificate". Click "Yes" to import it.

Click "Yes" again to complete the import. Note that the CA certificate is named "DO_NOT_TRUST_FiddlerRoot"; the name is a deliberate warning, because anyone who holds that root's private key can impersonate any HTTPS site to this user.

You can find it in your certificate store under Trusted Root Certification Authorities (certmgr.msc for the current user), as below.

 

Because Fiddler is a web proxy acting as a man in the middle, it generates a leaf certificate signed by that root for every site you access over HTTPS.

This can get messy later on, but you can remove all the Fiddler-generated certificates, including the root CA, by unchecking "Decrypt HTTPS traffic" and selecting "Remove All Certificates" from the "Actions" button. Do this once you are finished capturing; the root should not stay trusted on a machine used for anything other than testing.

We will not do this at this moment.

Exit Fiddler completely and start it again.

You will get the port conflict message again; this time select "No".

In "Fiddler Options", update the listening port from 8888 to 9999 and click "OK".

 

Fiddler registers itself as the system (WinINET) proxy, so you can now capture traffic from IE or Chrome, both of which use the system proxy settings.

Because there was a port conflict during startup, shut Fiddler down and start it again. This time it shows that it is capturing traffic.

Fiddler has a limitation here: it terminates the browser's TLS connection and opens its own connection to the server, so when the server requests a client certificate for mutual authentication, the browser's certificate cannot be passed through. You need to give Fiddler access to a client certificate of its own.

 

Go to IE's certificate store ("Internet Options ==> Content ==> Certificates", "Personal" tab), select user1's certificate and click "Export".

 

You do not need to export the private key. The key stays in the Windows certificate store and is used from there; the exported file only tells Fiddler which certificate to present.

 

The certificate format does not matter: "DER encoded binary X.509" and "Base-64 encoded X.509" both work.

 

Save it under the file name and path Fiddler instructs (ClientCertificate.cer in the Fiddler2 folder under My Documents).
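The same export, plus a sanity check that the Fiddler root really is trusted, done from PowerShell as an added example (this is not code from the original post or from Fiddler). It assumes the client certificate's subject starts with CN=user1, the placeholder name used above, and that Fiddler uses its default folder, My Documents\Fiddler2:

```powershell
# Added example, not from the original post. Exports the client certificate from
# the current user's Personal store to the file Fiddler reads for client
# authentication, then checks that the DO_NOT_TRUST_FiddlerRoot CA is trusted.
# Assumptions: the client certificate subject starts with "CN=user1" (placeholder
# name from the post) and Fiddler uses its default folder, My Documents\Fiddler2.

$subjectPrefix = 'CN=user1'
$fiddlerDir    = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Fiddler2'
$outFile       = Join-Path $fiddlerDir 'ClientCertificate.cer'

# 1. Pick the newest certificate for that subject that has a private key.
#    Only the public certificate goes into the file; the key stays in the store,
#    which is why the post says the private key need not be exported.
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "$subjectPrefix*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $clientCert) {
    throw "No certificate with a private key found for $subjectPrefix in Cert:\CurrentUser\My"
}

# 2. Write it as DER (binary X.509). Export-Certificate never writes private keys,
#    so this matches the GUI export without the key. Base-64 would work as well.
if (-not (Test-Path $fiddlerDir)) { New-Item -ItemType Directory -Path $fiddlerDir | Out-Null }
Export-Certificate -Cert $clientCert -FilePath $outFile -Type CERT -Force | Out-Null
Write-Host "Exported $($clientCert.Subject) [$($clientCert.Thumbprint)] to $outFile"

# 3. Confirm the Fiddler root is in the user's Trusted Root store. That entry is
#    what lets Fiddler mint a leaf certificate for every HTTPS host you visit.
$fiddlerRoot = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' }
if ($fiddlerRoot) {
    Write-Host "Fiddler root trusted: $($fiddlerRoot.Subject), expires $($fiddlerRoot.NotAfter)"
} else {
    Write-Warning 'DO_NOT_TRUST_FiddlerRoot is not trusted; enable "Decrypt HTTPS traffic" first'
}
```

Run it in the same user session that runs Fiddler and the browser, since both the Personal store and the Trusted Root check are per user; if several user1 certificates exist, the script takes the one that expires last.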

 

To clear the Fiddler screen, click the "X" icon and select "Remove all" any time you want to discard the captured traffic.

 

Fiddler captures everything that goes through the system proxy, including browser background requests, so it is worth skipping some of the traffic.

 

From the above screenshot, I do not want Fiddler to capture clients4.google.com, translate.googleapis.com, ssl.gstatic.com and safebrowsing.google.com.

Go to "Fiddler Options ==> Connections ==> Bypass Fiddler for URLs that start with:".

Enter "*.google.com;", "*.googleapis.com;" and "*.gstatic.com;" on separate lines and click "OK". Despite the label, these are hostname patterns in the WinINET proxy bypass list: the browser sends matching hosts directly, so Fiddler never sees them, HTTPS included.

 

After restarting Fiddler and Chrome, you will notice that those unwanted sites no longer appear.

However, you will still see three odd-looking requests to random hostnames, as shown below.

Those are okay; they are Chrome's startup DNS probes. Refer to Issue 47262 - chromium - Chrome's startup random DNS queries tracked in, and polluting users' Google Web History - …
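To confirm what Fiddler actually wrote into the system proxy settings and bypass list, and to clean up the DO_NOT_TRUST_FiddlerRoot trust when you are done, here is an added PowerShell example (not code from the original post or from Fiddler). It assumes Fiddler is listening on 127.0.0.1:9999, as configured earlier, and a PowerShell 3.0 or later certificate provider for the teardown:

```powershell
# Added example, not from the original post. Reads the WinINET proxy settings that
# Fiddler writes when it becomes the system proxy, checks that the bypass entries
# from the post are present, and provides a teardown that removes every certificate
# issued by DO_NOT_TRUST_FiddlerRoot from the user's stores once capturing is over.
# Assumption: Fiddler listens on 127.0.0.1:9999, as configured earlier in the post.

$expectedProxy = '127.0.0.1:9999'
$bypassWanted  = @('*.google.com', '*.googleapis.com', '*.gstatic.com')

$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Write-Host "ProxyEnable   : $($inet.ProxyEnable)"
Write-Host "ProxyServer   : $($inet.ProxyServer)"
Write-Host "ProxyOverride : $($inet.ProxyOverride)"   # the bypass list, ';' separated

# IE and Chrome only reach Fiddler if the proxy is enabled and points at its port.
if ($inet.ProxyEnable -ne 1 -or $inet.ProxyServer -notlike "*$expectedProxy*") {
    Write-Warning "System proxy does not point at $expectedProxy; browser traffic will not be captured"
}

# Bypass entries are hostname patterns, so '*.google.com' covers clients4.google.com
# and safebrowsing.google.com. Warn about any entry from the post that is missing.
$bypassPresent = ($inet.ProxyOverride -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($pattern in $bypassWanted) {
    if ($bypassPresent -notcontains $pattern) { Write-Warning "Bypass entry missing: $pattern" }
}

# Teardown. Run after exiting Fiddler (or after "Remove All Certificates" in the
# GUI, to double-check): deletes the root and every leaf it issued from the user's
# Personal and Trusted Root stores, and fails loudly if the root is still trusted.
function Remove-FiddlerCertificates {
    $removed = 0
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root') {
        $certs = Get-ChildItem $store | Where-Object { $_.Issuer -like '*DO_NOT_TRUST_FiddlerRoot*' }
        foreach ($cert in $certs) {
            Remove-Item -Path $cert.PSPath
            $removed++
        }
    }
    $stillTrusted = Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' }
    if ($stillTrusted) { throw 'DO_NOT_TRUST_FiddlerRoot is still in the Trusted Root store' }
    return $removed
}
# Remove-FiddlerCertificates    # uncomment when you are finished with the capture
```

The teardown matches on the issuer rather than the subject so that the per-host leaf certificates Fiddler generated are removed along with the root; the root itself is self-issued, so it matches too.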

 

Now back to the certificate and the form.

Fiddler submits the client certificate when the web server requests it.

It will not prompt you to choose a client certificate; it simply submits the one you exported.

Also, as you noticed when it asked you to save the file under a specific name, it supports only one client certificate.

 

To view the traffic, click a request in the left pane.

Then, in the upper right pane, click "Inspectors"; it shows the request (upper right) and the response (lower right).

Note that the protocol column in the left pane shows HTTPS, while in the right pane you see the content in plaintext, decrypted by Fiddler.
