Fiddler modifies outgoing traffic (specifically digest auth. requests) from Internet Explorer 11

3 posts, 0 answers
  1. DB
    DB avatar
    2 posts
    Member since:
    Jan 2018

    Posted 07 Aug Link to this post

    I've encountered an interesting problem when trying to debug digest authentication in my company's application using Internet Explorer 11 (11.0.9600.19377 on Windows 7 64-bit) with Fiddler (v5.0.20192.25091). It seems that with Fiddler running and capturing traffic, the behaviour of IE11 is actually different, suggesting that Fiddler is modifying the outgoing traffic before it hits the server.

    To give a bit of context, using Chrome and Firefox (with or without Fiddler running) I'm finding that the digest auth. process works entirely as expected:

    1. Client sends a GET request without an authorisation header to a protected URL.
    2. Server responds with 401, including a nonce and realm.
    3. Client prompts user for username & password.
    4. Client sends a secondary GET request to the same URL, including a full authorisation header (username, password, nonce & realm).
    5. The server responds with 200.

    When using IE11 without Fiddler, the process is incorrect – I've been able to analyse this by using Wireshark:

    1. Client sends a GET request without an authorisation header to a protected URL.
    2. Server responds with 401, including a nonce and realm.
    3. Client prompts user for username & password.
    4. Client repeats step (1), causing a loop. The client is therefore unable to authenticate.

    However, when using IE11 with Fiddler running and capturing traffic, the browser behaves differently (following the same process as Chrome and Firefox) and actually works correctly. My understanding was that Fiddler is completely transparent (capturing all WinINET traffic without modification) so that leaves me with a few questions:

    • What processing does Fiddler apply to requests before passing them to the server?
    • Is there an option to bypass this processing so that I can analyse the 'raw' requests?
    • Alternatively, does Fiddler do anything specifically to modify the browser behaviour while it is capturing traffic?
  2. Eric R | Technical Support Engineer
    Admin
    Eric R | Technical Support Engineer avatar
    230 posts

    Posted 09 Aug Link to this post

    Hi DB,

    This appears to be common in Internet Explorer (IE) going all the way back to IE8. See the Digest Authentication not Working on IE8 where FireFox and Chrome are Fine StackOverflow thread for more information. This supports the provided observations with Fiddler and IEWith that said, let me provide answers to the questions below. 

    1. - Using the default settings, Fiddler registers itself as the system proxy and all HTTP requests from WinINET go through Fiddler prior to reaching the target Web Server. See more details about this in the Fiddler Proxy documentation.

    2. - After selecting a session in the Session List select the Raw tab in the upper right window pane to see the request raw data. 

    3. - By default Fiddler won't modify the traffic unless a custom script is used to Modify a Request or Response

    Please let me know if you need any additional information. Thank you for using the Fiddler Forums.

    Regards,

    Eric R | Technical Support Engineer
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items
  3. DB
    DB avatar
    2 posts
    Member since:
    Jan 2018

    Posted 15 Aug in reply to Eric R | Technical Support Engineer Link to this post

    Hi Eric,

    Thanks for your quick reply. I actually came across the same Stack Overflow thread while Googling the problem, but my observations don't match up exactly with what users are describing there – I don't believe anyone in that thread specifically acknowledges that running Fiddler (or any other sniffer) causes the correct sequence of events to occur.

    I will do some more testing with the information you provided in mind. Ultimately I think the server-side code will need modifying to handle this correctly, but I thought it was an interesting observation that Fiddler seems to 'trick' IE into doing the correct thing.
Back to Top