When building a modern website, there are many different security options that can be configured using HTTP response headers, for instance Content-Security-Policy, Strict-Transport-Security, Public-Key-Pins, X-Frame-Options, X-XSS-Protection and X-Content-Type-Options.

Fiddler has always made it easy to see these directives in the Headers Response Inspector.


You can also add any individual header to the Web Sessions list as its own column: right-click the column headers, choose Customize Columns…, select the Response Headers collection and type the name of the header you’d like to see.


Security Summary

Fiddler 2.4.9.4 adds a Security Headers computed field that you can add to the columns list in the same way.


This computed column automatically summarizes the response’s Content-Security-Policy, Strict-Transport-Security, Public-Key-Pins, Access-Control-Allow-Origin, X-XSS-Protection, X-Frame-Options, and X-Content-Type-Options headers into one succinct string.


For Strict-Transport-Security and Public-Key-Pins, the duration of the policy is shown (the header’s max-age is expressed in seconds; the column converts it to months, e.g. 243Months for Twitter) as well as whether the includeSubDomains flag is set (+Sub). For X-Frame-Options, the policy is summarized (d=Deny, s=SameOrigin, a=AllowFrom); for X-XSS-Protection, the summary shows whether the filter is enabled and whether the blocking behavior (“1; mode=block”) is requested. Content-Security-Policy headers aren’t easily summarized, so a simple CSP token is shown if a policy is present.

If any of the headers contains an invalid value or appears to violate its specification, an exclamation point is shown in the policy string. You can thus find every response with an invalid policy simply by searching the column for an exclamation point.
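To make the summarization concrete, here is an added example in plain JavaScript (it is not Fiddler’s own implementation, and the exact token format Fiddler uses is not reproduced; the tokens, the 30-day month and the sample headers below are my own choices) that condenses a response’s security headers into one string the way the column does, converting max-age seconds to months, noting includeSubDomains, abbreviating X-Frame-Options and X-XSS-Protection, and marking unparseable or invalid values with an exclamation point so they can be searched for:

```javascript
// Added example, not Fiddler's own code: summarize a response's security
// headers into one short string in the spirit of the Security Headers column.
// Token names (HSTS=..., XFO=d, XSSP=on+block, ...) are my own choice; "!"
// marks a header whose value does not parse or violates its specification.

const SECONDS_PER_MONTH = 30 * 24 * 60 * 60; // assumption: 30-day months

// Case-insensitive lookup; `headers` is a plain object of name -> value.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return null;
}

// Split "max-age=31536000; includeSubDomains; preload" into trimmed directives.
function splitDirectives(value) {
  return value.split(";").map((d) => d.trim()).filter((d) => d.length > 0);
}

// HSTS (RFC 6797) and HPKP (RFC 7469) share the max-age / includeSubDomains grammar.
function summarizeMaxAgePolicy(value, tag) {
  const directives = splitDirectives(value);
  const maxAge = directives.find((d) => /^max-age\s*=/i.test(d));
  let token = tag;
  if (maxAge === undefined) {
    token += "!"; // max-age is mandatory in both specifications
  } else {
    const raw = maxAge.split("=")[1].trim().replace(/^"|"$/g, "");
    const seconds = /^\d+$/.test(raw) ? Number(raw) : NaN;
    token += Number.isNaN(seconds)
      ? "!"
      : "=" + Math.floor(seconds / SECONDS_PER_MONTH) + "Months";
  }
  if (directives.some((d) => /^includeSubDomains$/i.test(d))) token += "+Sub";
  return token;
}

function summarizeFrameOptions(value) {
  const v = value.trim().toUpperCase();
  if (v === "DENY") return "XFO=d";
  if (v === "SAMEORIGIN") return "XFO=s";
  if (/^ALLOW-FROM\s+\S+$/.test(v)) return "XFO=a";
  return "XFO=!"; // e.g. "ALLOWALL" or "DENY, SAMEORIGIN" from a misconfigured server
}

function summarizeXssProtection(value) {
  const directives = splitDirectives(value);
  if (directives.length === 0 || !/^[01]$/.test(directives[0])) return "XSSP=!";
  if (directives[0] === "0") return "XSSP=off";
  const block = directives.slice(1).some((d) => /^mode\s*=\s*block$/i.test(d));
  return block ? "XSSP=on+block" : "XSSP=on";
}

function summarizeContentTypeOptions(value) {
  return /^nosniff$/i.test(value.trim()) ? "NoSniff" : "NoSniff!";
}

function summarizeSecurityHeaders(headers) {
  const parts = [];
  if (getHeader(headers, "Content-Security-Policy") !== null) parts.push("CSP");
  const hsts = getHeader(headers, "Strict-Transport-Security");
  if (hsts !== null) parts.push(summarizeMaxAgePolicy(hsts, "HSTS"));
  const hpkp = getHeader(headers, "Public-Key-Pins");
  if (hpkp !== null) parts.push(summarizeMaxAgePolicy(hpkp, "HPKP"));
  const acao = getHeader(headers, "Access-Control-Allow-Origin");
  if (acao !== null) parts.push("ACAO=" + acao.trim());
  const xssp = getHeader(headers, "X-XSS-Protection");
  if (xssp !== null) parts.push(summarizeXssProtection(xssp));
  const xfo = getHeader(headers, "X-Frame-Options");
  if (xfo !== null) parts.push(summarizeFrameOptions(xfo));
  const xcto = getHeader(headers, "X-Content-Type-Options");
  if (xcto !== null) parts.push(summarizeContentTypeOptions(xcto));
  return parts.join(" ");
}

// True when any summarized policy was flagged as invalid.
function hasInvalidPolicy(summary) {
  return summary.includes("!");
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_GOOD = {
  "Content-Security-Policy": "default-src 'self'",
  "Strict-Transport-Security": "max-age=631138519; includeSubDomains",
  "Access-Control-Allow-Origin": "*",
  "X-Frame-Options": "SAMEORIGIN",
  "X-XSS-Protection": "1; mode=block",
  "X-Content-Type-Options": "nosniff",
};
const SAMPLE_BAD = {
  "strict-transport-security": "includeSubDomains", // missing max-age
  "X-Frame-Options": "ALLOWALL",                     // not a defined value
  "X-XSS-Protection": "1; mode=block",
};

console.log(summarizeSecurityHeaders(SAMPLE_GOOD)); // CSP HSTS=243Months+Sub ACAO=* XSSP=on+block XFO=s NoSniff
console.log(summarizeSecurityHeaders(SAMPLE_BAD));  // HSTS!+Sub XSSP=on+block XFO=!
```

The 631138519-second max-age in the good sample is the value that yields 243Months with 30-day months, matching the Twitter figure quoted above; the bad sample shows that a missing max-age and an undefined X-Frame-Options value each produce an exclamation point that hasInvalidPolicy picks up.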


Adding Custom Information

Of course, there may be other types of security-related information you want to see in Fiddler. For instance, you may want to identify HTTPS certificates that use the SHA-1 hash algorithm or weak RSA keys. Fiddler doesn’t have a built-in column provider that exposes this data, but you can easily add one with FiddlerScript. Simply click Rules > Customize Rules and inside your Handlers class, add the following block:

  // Adds a "CertInfo" column to the Web Sessions list; Fiddler calls this
  // function for each session and displays the returned string.
  public static BindUIColumn("CertInfo")
  function ShowCertHash(oS: Session): String
  {
    return oS.oFlags["X-Cert-Info"];
  }

This block creates a new column named “CertInfo” that displays the value of the Session’s X-Cert-Info flag. That flag doesn’t exist in Fiddler’s set of built-in flags, so we must also add the following code inside the OnPeekAtResponseHeaders function to populate it:

  if (oSession.isHTTPS)
  {
    try
    {
      var oC: System.Security.Cryptography.X509Certificates.X509Certificate2 = null;

      // The server certificate is only reachable through the server pipe;
      // a session without a response or pipe has no certificate to inspect.
      if ((null == oSession.oResponse) || (null == oSession.oResponse.pipeServer) ||
          !(oC = oSession.oResponse.pipeServer.ServerCertificate))
      {
        oSession["X-Cert-Info"] = "No Path to cert";
      }
      else
      {
        var sKey = "?";
        try
        {
          // Key size in bits, e.g. "2048bits" for RSA
          sKey = oC.PublicKey.Key.KeySize.ToString() + "bits";
        }
        catch(e)
        {
          // .NET throws on non-RSA/DSA keys like ECC; fall back to the algorithm OID
          sKey = oC.GetKeyAlgorithm();
          if (sKey == "1.2.840.10045.2.1") sKey = "ECC";
        }

        // e.g. "Key:2048bits Hash:sha256RSA" or "Key:2048bits Hash:sha1RSA"
        oSession["X-Cert-Info"] = ("Key:" + sKey + " Hash:"
            + oC.SignatureAlgorithm.FriendlyName);
      }
    }
    catch (e) { oSession["X-Cert-Info"] = "JSErr" + e.message; }
  }

This block evaluates the server’s leaf certificate (not the rest of the chain) and caches its key size and signature algorithm (the .NET FriendlyName, e.g. sha1RSA or sha256RSA) in the X-Cert-Info flag, which is then displayed by the BindUIColumn block created earlier.

After you save your updated FiddlerScript file, the server’s certificate information is now displayed in its own column.
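The section set out to find certificates with SHA-1 signatures or weak RSA keys, and a column is easier to act on if that verdict is computed rather than read off by eye. Here is an added example in plain JavaScript (not from the original post, and not FiddlerScript) that parses the X-Cert-Info strings the script above produces and flags the weak cases; the thresholds, the session records and the host names are my own constructed assumptions:

```javascript
// Added example (not from the original post): classify the strings the
// FiddlerScript above stores in X-Cert-Info ("Key:2048bits Hash:sha1RSA",
// "Key:ECC Hash:sha256ECDSA", "No Path to cert", "JSErr...") so that weak
// certificates can be found with one predicate.
// Assumed policy: RSA/DSA keys below 2048 bits and MD5 or SHA-1 signatures
// are weak, in line with CA/Browser Forum and NIST SP 800-131A guidance.

const MIN_KEY_BITS = 2048;
const WEAK_HASHES = ["md5", "sha1"];

// Parse "Key:<size>bits|<alg> Hash:<friendly name>" into its parts.
// Returns null for the error strings the script emits when no cert is reachable.
function parseCertInfo(info) {
  const m = /^Key:(\S+) Hash:(\S+)$/.exec(info.trim());
  if (m === null) return null;
  const keyLabel = m[1];
  const bits = /^(\d+)bits$/.exec(keyLabel);
  return {
    keyBits: bits ? Number(bits[1]) : null, // null for ECC or an unknown OID
    keyLabel: keyLabel,
    sigAlg: m[2],
  };
}

// Returns { weak, reasons, notes, parsed }. `reasons` justify weak === true;
// `notes` record things worth a look that are not by themselves weaknesses.
function classifyCertInfo(info) {
  const parsed = parseCertInfo(info);
  const reasons = [];
  const notes = [];
  if (parsed === null) {
    notes.push("no certificate data: " + info);
    return { weak: false, reasons, notes, parsed };
  }
  // .NET friendly names look like "sha1RSA", "sha256RSA", "md5RSA", "sha256ECDSA";
  // strip the key-algorithm suffix to get the digest.
  const hash = parsed.sigAlg.toLowerCase().replace(/(rsa|ecdsa|dsa)$/, "");
  if (WEAK_HASHES.includes(hash)) {
    reasons.push("signature uses " + hash.toUpperCase());
  }
  if (parsed.keyBits !== null && parsed.keyBits < MIN_KEY_BITS) {
    reasons.push("key is only " + parsed.keyBits + " bits");
  }
  if (parsed.keyBits === null && parsed.keyLabel !== "ECC") {
    notes.push("unrecognised key algorithm " + parsed.keyLabel);
  }
  return { weak: reasons.length > 0, reasons, notes, parsed };
}

// Return the hosts whose certificate is weak. `sessions` mirrors what the
// column shows: one record per session with the host and its X-Cert-Info.
function findWeakCerts(sessions) {
  return sessions
    .filter((s) => classifyCertInfo(s.certInfo).weak)
    .map((s) => s.host);
}

// Constructed sample records (not real captures).
const SAMPLE_SESSIONS = [
  { host: "a.example", certInfo: "Key:2048bits Hash:sha256RSA" },
  { host: "b.example", certInfo: "Key:2048bits Hash:sha1RSA" },
  { host: "c.example", certInfo: "Key:1024bits Hash:sha256RSA" },
  { host: "d.example", certInfo: "Key:ECC Hash:sha256ECDSA" },
  { host: "e.example", certInfo: "No Path to cert" },
];

console.log(findWeakCerts(SAMPLE_SESSIONS)); // [ 'b.example', 'c.example' ]
```

ECC keys deliberately get no size check here, because the script above only records the label "ECC" for them; if you need curve strength you would extend the FiddlerScript to record the curve OID as well.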


Fiddler is one of the easiest ways to expose important security information about your site. Even if Fiddler doesn’t natively show something you’re interested in, its versatility means you can usually easily extend it to show whatever you need.


About the Author

Eric Lawrence

(@ericlaw) has built websites and web client software since the mid-1990s. After over a decade of working on the web for Microsoft, Eric joined Telerik in October 2012 to enhance the Fiddler Web Debugger on a full-time basis. With his recent move to Austin, Texas, Eric has now lived in the American South, North, West, and East.
