How do I prevent Fiddler from inserting the "Host" HTTP header?

6 posts, 0 answers
  1. Larry Hastings
    10 posts
    Member since:
    May 2006

    Posted 20 May 2014

    Hello,

    I want to use Fiddler to utilize HTTP/1.0 functionality, which does not support the "Host" header. Yet if I put http://10.10.10.10/ into the Request Builder and choose "HTTP/1.0" from the menu, it still puts the "Host" header in. I want the request to come out without that header at all. How do I do that?
  2. Eric Lawrence
    Admin
    833 posts

    Posted 22 May 2014

    Hello,

    Per the RFC, as a HTTP/1.1 proxy, Fiddler is required to add a Host header.

    It's not clear why this is problematic-- any server that has a problem with this is, by definition, buggy and should be fixed.

    You can remove the header if you'd like (although doing so can cause problems elsewhere). Click Rules > Customize Rules. Scroll to OnBeforeRequest and add the following:

      // OnBeforeRequest runs for every request before Fiddler sends it upstream.
      if (oSession.oRequest.headers.HTTPVersion == "HTTP/1.0")
      {
        // Record the target host:port in the X-OverrideHost session flag first,
        // because Fiddler can no longer read it from the Host header once removed.
        oSession["x-overridehost"] = oSession.host;
        oSession.oRequest.headers.Remove("Host");
      }


    Regards,
    Eric Lawrence
    Telerik

    Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.
  3. Larry Hastings
    10 posts
    Member since:
    May 2006

    Posted 22 May 2014 in reply to Eric Lawrence

    Correct: "per the RFC for HTTP 1.1".
    I'm submitting the request with HTTP 1.0, so this should allow (and require) not submitting this header.
  4. Eric Lawrence
    Admin
    833 posts

    Posted 22 May 2014

    Hi, Larry--

    Alas, it doesn't work like that. A HTTP/1.1 proxy doesn't get to pretend to be a HTTP/1.0 proxy.

    The lack of the Host header was a huge deficiency in the HTTP/1.0 spec; it was corrected in RFC 2068, which aggressively pushed for updates to even HTTP/1.0 clients.

    Regards,
    Eric Lawrence
    Telerik
  5. Larry Hastings
    10 posts
    Member since:
    May 2006

    Posted 22 May 2014 in reply to Eric Lawrence

    I don't understand. Fiddler is in fact using HTTP 1.0 when I use the Composer and specify HTTP 1.0 as the transport, so using HTTP 1.0 and the "Host" header at the same time is a violation of the RFC for HTTP 1.0.
  6. Larry Hastings
    10 posts
    Member since:
    May 2006

    Posted 22 May 2014

    The reason I need Fiddler not to behave this way is that I am trying to use it to find a "vulnerability" in IIS where it exposes the internal server IP address when IIS is queried over HTTP/1.0.
    You can see this in action on the Telerik website, for example. I do it via the WFetch tool, which I had to spend a lot of time finding, since Fiddler has so far completely replaced my need for an HTTP debugger except for this obscure situation where the "Host" header is sent even with an HTTP/1.0 request.

    GET /images HTTP/1.0\r\n
    \r\n
    \r\n
    RESPONSE: **************\nHTTP/1.1 301 Moved Permanently\r\n
    Content-Type: text/html; charset=UTF-8\r\n
    Location: http://172.16.81.105/images/\r\n
    Server: Microsoft-IIS/7.5\r\n
    Date: Thu, 22 May 2014 19:03:51 GMT\r\n
    Connection: close\r\n
    Content-Length: 151\r\n
    \r\n
    <head><title>Document Moved</title></head>\n<body><h1>Object Moved</h1>This document may be found <a HREF="http://172.16.81.105/images/">here</a></body>WWWConnect::Close("www.telerik.com","80")\nclosed source port: 38146\r\n
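The probe the thread is circling around, as an added example that is not code from the thread, from Fiddler or from WFetch: a raw-socket client that sends the same Host-less HTTP/1.0 request the Composer cannot produce, and a checker that flags a redirect whose Location points at a private (RFC 1918, loopback or link-local) address, which is what the capture above shows. Function names, the SAMPLE_RESPONSE constant (constructed, modelled on the IIS 7.5 reply posted above) and the 5-second timeout are this example's assumptions.

```python
"""Probe for the IIS internal-IP disclosure discussed in the thread.

Added example, not code from the thread, Fiddler or WFetch. It sends a raw
HTTP/1.0 request with no Host header over a socket and checks whether the
redirect Location points at a private address. SAMPLE_RESPONSE is
constructed, modelled on the WFetch capture posted in the thread.
"""
import ipaddress
import re
import socket
from typing import Optional


def build_http10_request(path: str = "/images", method: str = "GET",
                         host: Optional[str] = None) -> bytes:
    """Build a minimal HTTP/1.0 request. A Host header is sent only if given,
    which is exactly the behaviour the poster could not get out of Fiddler."""
    lines = [f"{method} {path} HTTP/1.0"]
    if host is not None:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a header dict
    (names lower-cased; a repeated header keeps its last value)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_internal_ip(headers: dict[str, str]) -> Optional[str]:
    """Return the private IP literal from the Location header, or None when
    there is no Location, it names a hostname, or the IP is public."""
    location = headers.get("location", "")
    m = re.match(r"https?://([^/:?#]+)", location)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:  # a hostname (or an IPv6 bracket), not an IPv4 literal
        return None
    return str(addr) if addr.is_private else None


def probe(host: str, port: int = 80, path: str = "/images",
          timeout: float = 5.0) -> Optional[str]:
    """Send the Host-less HTTP/1.0 request to a live server and report any
    leaked private IP (network call; the offline checks above cover parsing)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_http10_request(path))
        chunks = []
        while True:
            data = sock.recv(4096)  # HTTP/1.0: the server closes when done
            if not data:
                break
            chunks.append(data)
    _status, headers = parse_response(b"".join(chunks))
    return leaked_internal_ip(headers)


# Constructed sample, modelled on the IIS 7.5 capture in the thread.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Location: http://172.16.81.105/images/\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 151\r\n"
    b"\r\n"
    b"<head><title>Document Moved</title></head>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python probe.py www.example.com
    else:
        print(leaked_internal_ip(parse_response(SAMPLE_RESPONSE)[1]))
```

Run it with a hostname to probe a live server, or with no arguments to run the checker over the constructed sample. The request is deliberately HTTP/1.0 with no Host header, so the server has to fill in the redirect target from its own binding rather than from the client; a Location of an RFC 1918 address, as in the capture above, is the disclosure the poster was hunting for.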