Chained Fiddler Proxies Not Work For HTTPS

9 posts, 0 answers
  1. jack

    Posted 10 Mar 2015

    Hi Eric,

    I've created a chained HTTP/HTTPS proxy with Fiddler. The whole system works as follows:
    proxy1 is deployed at the client side. It encrypts the requested host and content, then passes it to proxy2 at the server side. proxy2 decrypts the request, passes it to the target websites, then encrypts the response and sends it back to proxy1.

    Everything works fine except for HTTPS. The source code and Wireshark pcap file are as follows. Please kindly let me know how to get this to work.

    Server code

    Client code

    Pcap file


    Regards,
    Jack Wang
  2. Eric Lawrence
    Admin

    Posted 13 Mar 2015

    Hi, Jack--

    It's not really clear what you're asking.

    Your client.cs file shows a FiddlerCore program which sets X-OverrideHost on every request and which disables all HTTPS security by trusting every certificate.

    Your server.cs file shows a FiddlerCore program that doesn't do anything at all.

    Regards,
    Eric Lawrence
    Telerik
     


     
  3. jack

    Posted 16 Mar 2015 in reply to Eric Lawrence

    Hi Eric,

    Thanks to your awesome FiddlerCore, the code IS simple yet working. The core concept lies in the server proxy-client proxy model. It works as follows:
    1. client.cs is deployed on the client PC side. The user points his web proxy to client.cs. Then all user requests go to client.cs.
    2. client.cs makes some encryption to the content (the code is removed for clarity), then sends it to server.cs (via X-OverrideHost), which is deployed remotely.
    3. server.cs accepts the encrypted user request, decrypts the content (the code is also removed for clarity), then sends the response back to client.cs.
    4. This is basically a remote web proxy; the only difference is that the user requests are encrypted before they are sent to the server.

    My question is, the code attached works fine for HTTP requests, but not OK for HTTPS. Can you please kindly take another look into it?




  4. Eric Lawrence
    Admin

    Posted 17 Mar 2015

    Your message is:

    "I sent you some code that doesn't work."
    "The code that I'm actually using does work."
    "But the code that I'm using doesn't always work."
    "Please debug the code I didn't send you."

    Obviously, that's not something I can help with.

    Regards,
    Eric Lawrence
    Telerik
     


     
  5. jack

    Posted 18 Mar 2015 in reply to Eric Lawrence

    No. The code I posted behaves exactly the same as the code I have: it works for HTTP and doesn't work for HTTPS.
    Anyway, now I've uploaded the code I'm using. Hope it helps.

    ClientProxy.cs
    ServerProxy.cs
    sln files
  6. Eric Lawrence
    Admin

    Posted 19 Mar 2015

    It might be helpful for you to explain how you think your code works, and what problem specifically occurs.

    The client.cs file you've shared does not encrypt the request; it appears to attempt to obfuscate the hostname of the request using a character rotation, and obfuscate the body of the request using a byte rotation.

    Among other problems, this code doesn't work properly because you haven't set oSession.bBufferResponse inside the BeforeRequest handler, which means that the BeforeResponse byte rotation code runs AFTER the proxy has already streamed the complete body to the client.

    Your code shouldn't touch the request or response body at all in the case that oSession.HTTPMethodIs("CONNECT").

    Your code doesn't have any handlers to emit the Logging messages (as shown in the demo program) which means that it will not notify you of any problems it encounters as it runs.

    Regards,
    Eric Lawrence
    Telerik
     


     
  7. jack

    Posted 25 Mar 2015 in reply to Eric Lawrence

    Hi Eric,

    The following picture should explain how the code works: FiddlerProxy.png

    Thanks very much for pointing out the mistakes. I've updated the code: ProxyClient.cs, ProxyServer.cs.

    But the issue still exists: even though I kept CONNECT untouched, the code still works only for HTTP, with no luck for HTTPS.

    Thanks for the help,
    Jack


  8. Eric Lawrence
    Admin

    Posted 25 Mar 2015

    Hello, Jack--

    Have you tried stepping through your code in a debugger to see how it's working?

    It's entirely possible that your code fails because the certificates are not being created properly or a similar problem. You should update your code to emit logging information:

    Fiddler.FiddlerApplication.OnNotification += delegate(object sender, NotificationEventArgs oNEA) { Console.WriteLine("** NotifyUser: " + oNEA.NotifyString); };
    Fiddler.FiddlerApplication.Log.OnLogString += delegate(object sender, LogEventArgs oLEA) { Console.WriteLine("** LogString: " + oLEA.LogString); };

    ...and watch for any notices.

    Your code almost certainly still isn't working the way you think it is. ProxyClient.cs and ProxyServer.cs only enable buffering of the response if the REQUEST headers have a Content-Type of text/, while you almost certainly want to check the RESPONSE Content-Type.




    Regards,
    Eric Lawrence
    Telerik
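
The handler layout described in the two replies above, as an added example (not code from the thread's attachments or from Telerik): CONNECT tunnels are left alone, buffering is decided from the RESPONSE Content-Type, and the logging handlers are attached. Using the `ResponseHeadersAvailable` event for the buffering decision, the `Rotate` helper, and port 8877 are assumptions of this example.

```csharp
using System;
using Fiddler;

class BufferingDemo
{
    // Hypothetical stand-in for the byte rotation discussed in the thread.
    // This is obfuscation, not encryption. It preserves the body length,
    // so Content-Length stays valid after the rewrite.
    static byte[] Rotate(byte[] body)
    {
        var result = new byte[body.Length];
        for (int i = 0; i < body.Length; i++)
            result[i] = unchecked((byte)(body[i] + 1));
        return result;
    }

    static void Main()
    {
        // Surface FiddlerCore notices (certificate problems and the like).
        FiddlerApplication.OnNotification += (s, e) =>
            Console.WriteLine("** NotifyUser: " + e.NotifyString);
        FiddlerApplication.Log.OnLogString += (s, e) =>
            Console.WriteLine("** LogString: " + e.LogString);

        // Response headers are in, the body has not been streamed yet:
        // this is the last point at which buffering can still be enabled.
        FiddlerApplication.ResponseHeadersAvailable += delegate(Session oSession)
        {
            if (oSession.HTTPMethodIs("CONNECT")) return;   // never touch tunnels
            if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "text/"))
                oSession.bBufferResponse = true;
        };

        // Runs before the body is sent only for sessions buffered above.
        FiddlerApplication.BeforeResponse += delegate(Session oSession)
        {
            if (oSession.HTTPMethodIs("CONNECT") || !oSession.bBufferResponse) return;
            oSession.utilDecodeResponse();   // remove chunking/compression first
            oSession.responseBodyBytes = Rotate(oSession.responseBodyBytes);
        };

        FiddlerApplication.Startup(8877, FiddlerCoreStartupFlags.Default);
        Console.ReadLine();                  // proxy runs until Enter is pressed
        FiddlerApplication.Shutdown();
    }
}
```

A session that was not buffered has already been streamed to the client by the time `BeforeResponse` fires, which is why the second handler returns early for it.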
     


     
  9. jack

    Posted 03 Apr 2015 in reply to Eric Lawrence

    Hello Eric,

    I've added the log and updated the code per your suggestion (to make things simple, I removed the unnecessary obfuscations): ProxyClient.cs, ProxyServer.cs, but still not much luck. The logging information isn't of much help to me: FiddlerCoreLogScreenCapture.png
    Other related files are also attached: ClientCaptureScreenshot.png, PcapForHttpsClient.zip, PcapForHttpsServer.zip

    I had to get the job done. I appreciate your support.

    Regards,
    Jack