Telerik blogs

Coming hot on the heels of the Fiddler 4.5 release a few weeks ago, Fiddler 4.5.1 is now available for download. The new release contains a few small features and some important bug fixes, so please upgrade as soon as possible.

Sidebar: Fiddler v4.x vs. Fiddler v2.x

Before we get into what’s new, I’d like to answer a common question: “What’s the difference between Fiddler 2.5 and Fiddler 4.5?”

The code in Fiddler 2 and Fiddler 4 is more than 99% common, just conditionally compiled such that Fiddler 2 targets the .NET 2 CLR and Fiddler 4 targets the .NET 4 CLR. In general, you should prefer to run Fiddler 4, and it is likely that Fiddler 2 will be retired in a year or two.

So, if the code is 99% the same, what’s different?

  • Fiddler 4 utilizes the more efficient ReaderWriterLockSlim synchronization objects for better parallelism.
  • When run with the latest .NET 4.5.2 Framework, Fiddler 4’s garbage collection can compact the Large Object Heap (LOH) where most Fiddler Sessions end up. In Fiddler 2, even after you clear your Web Sessions list, you may observe that Fiddler has hundreds of megabytes allocated to it (because the LOH isn’t compactable on .NET2); while the operating system’s memory manager swaps as needed, the .NET 4 improvement is welcome.
  • When run on Windows 7 and later, Fiddler 4 can use the TLS 1.1 and TLS 1.2 protocols when communicating with secure servers; simply enable these protocols inside Tools > Fiddler Options > HTTPS > Enabled Protocols. This is an especially important improvement as some servers now require TLS 1.1 or later.
  • When run on the latest .NET 4.5.2 Framework, Fiddler 4 can connect to servers misconfigured to send unrecognized_name TLS alerts (described below).

With that out of the way, let’s see what’s new in Fiddler 4.5.1…

ContextAction and ToolsAction Submenus

Within FiddlerScript (Rules > Customize Rules), the ToolsAction and ContextAction attributes now enable you to create new submenus.

To do so, simply specify the name of the submenu as a second parameter to the attribute:

  public static ToolsAction("ColorPicker", "&Utilities")
  function doColorPicker()
  {              
    var oCD = new ColorDialog();      
    oCD.Color = Utilities.ParseColor("Blue");
    oCD.FullOpen = true;
    if (DialogResult.OK == oCD.ShowDialog())
    {
      FiddlerApplication.Log.LogFormat("Selected color: #{0:x2}{1:x2}{2:x2}",
         oCD.Color.R, oCD.Color.G, oCD.Color.B);
      UI.ActivateView("Log");
    }
    oCD.Dispose();
  }

You can also specify both a ToolsAction and a ContextAction on the same function to expose it on both the Tools menu and the Web Sessions context menu.

For instance, maybe you’d like the ability to rate Sessions using one to four stars. Add the following script:

  public static ToolsAction("★☆☆☆", "Star") ContextAction("★☆☆☆", "Star")
  function do1(arrSess: Session[]) {  doStar(arrSess, 1); }

  public static ToolsAction("★★☆☆", "Star") ContextAction("★★☆☆", "Star")
  function do2(arrSess: Session[]) { doStar(arrSess, 2); }

  public static ToolsAction("★★★☆", "Star") ContextAction("★★★☆", "Star")
  function do3(arrSess: Session[]) { doStar(arrSess, 3); }

  public static ToolsAction("★★★★", "Star") ContextAction("★★★★", "Star")
  function do4(arrSess: Session[]) { doStar(arrSess, 4); }

  public static function doStar(arrSess: Session[], iCount: Int32) {
    var sStar: String = "";
    for (var iX = 0; iX < 4; iX++) {
        sStar = sStar + ((iX < iCount)? "★" : "☆");
    }

    for (var i = 0; i<arrSess.Length; i++) {
        arrSess[i]["ui-star"] = sStar;
        arrSess[i].RefreshUI();
    }
  }

This script generates a "Star" submenu containing the four rating entries.

You can then add a column to show the stars using the Customize Columns command or using the following line in your script’s Main function:

  UI.lvSessions.AddBoundColumn("Stars", 100, "ui-star");

The new column will render the value of each Session’s new ui-star flag.

Improved Retargeting

Fiddler offers many different ways to retarget traffic from one host to another; all of these fall into one of three categories: Reroute, Rewrite or Redirect:

  • A reroute operation simply sends traffic to the new IP:port without changing the request in any way.
  • A rewrite operation rewrites the URL and Host header to point to the new target.
  • A redirect operation fakes a response from the original target and returns an HTTP/307 pointed at the new target.

Previously, Fiddler’s Tools > HOSTS… command only offered the ability to reroute traffic. Now, an optional third parameter allows you to instead specify that matching traffic should be rewritten or redirected.

It is easy to experiment with these new options.

Click Tools > HOSTS… and click the checkbox to enable remapping. In the box below, add your rules; for example:

  #Test Redirect rule with wildcard source
  bayden.com    *exredir.com    redirect

  #Test Reroute rule
  bayden.com    exreroute.com    reroute

  #Test Rewrite rule
  bayden.com    exrewrite.com    rewrite

  #test unspecified rule (will reroute)
  bayden.com    ex.com

Click OK, and observe the behavior in Fiddler and your browser when you visit https://www.exredir.com/echo.aspx, https://exreroute.com/echo.aspx, and https://exrewrite.com/echo.aspx.
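To make the difference between the three modes concrete, here is an added example (plain JavaScript, not Fiddler's own code and not part of the original post) that parses the rules above and models what the upstream server and the client would each see. The wildcard semantics (a leading * is a suffix match), first-match-wins ordering, and the preserved path in the 307 Location are assumptions.

```javascript
// Added example: simplified model of the three retargeting modes, not Fiddler's code.
// Rule format as shown in the post: "<target> <source> [reroute|rewrite|redirect]".
const RULES_TEXT = `
#Test Redirect rule with wildcard source
bayden.com    *exredir.com    redirect
#Test Reroute rule
bayden.com    exreroute.com    reroute
#Test Rewrite rule
bayden.com    exrewrite.com    rewrite
#test unspecified rule (will reroute)
bayden.com    ex.com
`;

function parseRules(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;        // skip blanks and comments
    const [target, source, mode = "reroute"] = line.toLowerCase().split(/\s+/);
    if (!source || !["reroute", "rewrite", "redirect"].includes(mode))
      throw new Error("Bad rule: " + line);
    rules.push({ target, source, mode });
  }
  return rules;
}

// Assumption: a leading "*" matches any host ending in the remainder; otherwise exact match.
function matches(source, host) {
  return source.startsWith("*") ? host.endsWith(source.slice(1)) : host === source;
}

// Returns where the proxy connects and which URL / Host header the request carries.
function retarget(rules, url) {
  const u = new URL(url);                               // hostname is lowercased by URL
  const rule = rules.find(r => matches(r.source, u.hostname)); // assumption: first match wins
  const moved = new URL(u.href);
  if (rule) moved.hostname = rule.target;
  switch (rule ? rule.mode : "none") {
    case "reroute":   // new destination only; the request itself is untouched
      return { mode: "reroute", connectTo: rule.target, url: u.href, hostHeader: u.host };
    case "rewrite":   // URL and Host header both point at the target
      return { mode: "rewrite", connectTo: rule.target, url: moved.href, hostHeader: moved.host };
    case "redirect":  // no upstream connection; the client receives a 307
      return { mode: "redirect", connectTo: null, status: 307, location: moved.href };
    default:
      return { mode: "none", connectTo: u.hostname, url: u.href, hostHeader: u.host };
  }
}
```

With a reroute, the target server still receives the original Host header, so it must be willing to answer for that name; a rewrite or redirect avoids that dependency.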

SNI Hack

Back in 2012, I received the first reports of problems where Fiddler was unable to connect to certain HTTPS servers; the browsers would work fine but the connection would time out when Fiddler was in use. The problem turned out to be that the servers were misconfigured and sending an unrecognized_name TLS Warning alert; the .NET Framework’s SslStream hangs if this alert is received before the handshake. This problem appears to have been resolved in the latest (e.g. 4.5.2) version of the .NET Framework, but this won’t help users who are using Fiddler 2 with .NET2. Unfortunately, the workaround I suggested at the time (configure connections to the affected servers to use Ssl3) is no longer workable as many servers have disabled Ssl3 due to the POODLE attack.

To resolve this, Fiddler 2.5.1 supports a new Session flag (https-DropSNIAlerts) which can be used to accommodate buggy servers. Inside Rules > Customize Rules > OnBeforeRequest, add:

  if (oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("BuggySite.com"))
  {
    oSession["https-DropSNIAlerts"] = "yup";
    FiddlerApplication.Log.LogString("Legacy compat applied for request to BuggySite.com");
  }

This option configures Fiddler to watch the network stream to the server; if an unrecognized_name alert is seen, Fiddler will discard its bytes. Because this alert occurs before encryption is established, this modification is not detected and does not break the channel.

If you’d like, you can set the fiddler.network.https.DropSNIAlerts preference to true to apply this mitigation to all HTTPS connections.
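The stream filtering described above can be illustrated at the TLS record level. The following is an added example in plain JavaScript (Node.js), not Fiddler's implementation and not part of the original post; the function name and the sample bytes are constructed for illustration. It removes only a warning-level unrecognized_name alert, and stops inspecting once a ChangeCipherSpec record shows that encryption is starting.

```javascript
// Added example: simplified model of dropping a pre-encryption unrecognized_name alert.
const CT_CHANGE_CIPHER_SPEC = 20, CT_ALERT = 21;        // TLS record content types
const LEVEL_WARNING = 1, DESC_UNRECOGNIZED_NAME = 112;  // alert level / description (RFC 6066)

// Constructed sample: the warning alert record followed by a stub handshake record.
const SAMPLE_ALERT = Buffer.from("15030300020170", "hex");
const SAMPLE_HANDSHAKE = Buffer.from("160303000402000000", "hex");

// Walks the complete TLS records in `buf` (server-to-client bytes) and returns:
//   kept    - bytes to forward to the TLS stack
//   dropped - number of unrecognized_name warning alerts removed
//   rest    - trailing partial record to prepend to the next read
function dropSniAlerts(buf) {
  const kept = [];
  let dropped = 0, off = 0, encrypted = false;
  while (!encrypted && buf.length - off >= 5) {
    const type = buf[off];
    const len = buf.readUInt16BE(off + 3);              // record payload length
    if (buf.length - off < 5 + len) break;              // incomplete record: wait for more
    const record = buf.subarray(off, off + 5 + len);
    const isSniWarning = type === CT_ALERT && len === 2 &&
      record[5] === LEVEL_WARNING && record[6] === DESC_UNRECOGNIZED_NAME;
    if (isSniWarning) dropped++; else kept.push(record);
    if (type === CT_CHANGE_CIPHER_SPEC) encrypted = true; // later records are opaque
    off += 5 + len;
  }
  if (encrypted) {                                      // pass everything else through untouched
    kept.push(buf.subarray(off));
    off = buf.length;
  }
  return { kept: Buffer.concat(kept), dropped, rest: buf.subarray(off) };
}
```

A fatal-level alert with the same description is deliberately forwarded, since the server will close the connection after sending it.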

Support for Microsoft Project Spartan

The new Fiddler version recognizes the Project Spartan executables as browser processes, such that the “Web Browsers” filter in the status bar at the bottom of the window will show Project Spartan’s traffic, and the Browse toolbar button offers a Spartan entry in the dropdown.

Note: Presently, Project Spartan does not properly respect changes to the system proxy setting. As a consequence, you may need to restart the browser after attaching or detaching Fiddler as the system proxy.

Assorted Changes

Here’s a partial list of other changes introduced with the latest build:

  • A performance and robustness fix was introduced to handle scenarios where a server sends an improperly terminated Transfer-Encoding: chunked response; Fiddler will now alert on the error and propagate the connection closure to the client.
  • The Session object now includes RequestHeaders and ResponseHeaders properties, which return the oRequest.headers and oResponse.headers objects respectively. If either object is missing, an empty headers object is returned.
  • The Session object now includes a new LocalProcess property which contains the value of the X-ProcessInfo flag, or String.Empty if the flag does not exist.
  • When two Sessions are selected in the Web Sessions list, the Properties command on the context menu is now enabled; if you invoke it, the two Sessions’ Properties windows will be opened side-by-side for ease of comparison.
  • Several minor vulnerability mitigations were introduced.
  • Several annoying bugs were fixed.

FiddlerCore

FiddlerCore has been updated to version 4.5.1; the new build includes the core engine improvements described above, and all FiddlerCore hosters should upgrade to the latest build as soon as possible.

Please report any problems using the Send Feedback command on Fiddler’s Help menu. Thank you for your support!

-Eric Lawrence


About the Author

Eric Lawrence (@ericlaw) has built websites and web client software since the mid-1990s. After over a decade of working on the web for Microsoft, Eric joined Telerik in October 2012 to enhance the Fiddler Web Debugger on a full-time basis. With his recent move to Austin, Texas, Eric has now lived in the American South, North, West, and East.
