Fiddler Not Capturing All HTTP Requests

3 Answers 3588 Views
Fiddler Classic
Eric asked on 06 Feb 2014, 08:59 PM
Hello, I have a curious problem. I have written a program which uses an algorithm combining a few system variables to create a HWID, and then checks this against some code on my server. If the HWID does not match, the user is kicked out. It's a form of product registration. I am aware that Fiddler is commonly used to bypass such checks, so out of curiosity I downloaded Fiddler to see if it could be used to spoof the check. Fortunately, when I loaded Fiddler and started a capture, it did not pick up the traffic. But I am actually not sure why; other requests which the application sends are plainly captured. I have attached both a Wireshark capture and the Fiddler capture. The code to check the HWID is located in /license.php. Wireshark easily picks this up, but it is gone without a trace in Fiddler. So my question is: why is the traffic not being captured? I've checked the source and see no reason as to why it would not be captured.

3 Answers, 1 is accepted

EricLaw
answered on 07 Feb 2014, 05:49 AM
You're right to be concerned that this isn't a very secure way to perform a license check; since the code resides on the user's computer, they can trivially change its function in memory.

With regard to why you're not seeing this traffic in Fiddler-- assuming you don't have any filters set, this suggests that whatever mechanism you're using to send the HTTP request isn't adopting the system's proxy settings. This means, for instance, that your code would fail if run on a corporate computer that requires a proxy server to reach the Internet.

If you tell me more about your code (or provide a way to try it out) I can probably tell you how to get it captured by Fiddler. The WireShark screenshot suggests that the license check is using WinHTTP; most HTTP stacks (including WinHTTP) can be manually configured to use a given proxy (see e.g. http://www.fiddlerbook.com/fiddler/help/hookup.asp) and if the user undertook such steps, the traffic would be seen and subject to manipulation by Fiddler.



Eric
commented on 07 Feb 2014, 04:10 PM

Thanks for the fast reply. It's a pretty basic problem, but then again, I'm quite new at development with a client/server. It was simply ignoring Fiddler's proxy settings. I did capture it in Fiddler. Unfortunately it seems to be quite easy to bypass, but I have some ideas to help add some more security. It was helpful.
Wolfgan
commented on 11 Feb 2014, 09:29 PM

I have a related question. Trying to debug DLNA/UPNP traffic between a renderer client and Ps3MediaServer (serving HTTP requests at port 5001, code at https://github.com/ps3mediaserver/ps3mediaserver/tree/master/src/main/java/net/pms/network) and Fiddler doesn't intercept the traffic.

As this is a Java-based app, I tried to force traffic thru the Fiddler proxy according to http://www.java.com/en/download/help/proxy_setup.xml but no luck, nor via launching PMS on the command line as per http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurejavaapp .

I was able to capture the traffic via Wireshark but it's a pain to correlate the traffic properly, so Fiddler's features are badly missed :-)
Any suggestion? Thx, Wolf
EricLaw
answered on 12 Feb 2014, 04:47 PM
If you're seeing the data you want in WireShark, my first suggestion would be to update to the latest version of Fiddler, then use File > Import Sessions > From Packet Capture to pull in the data and interpret it as HTTP.
Wolfgan
commented on 15 Feb 2014, 09:26 PM

Thanks Eric. That worked well (had to use session Save As pcap/tcpdump in Wireshark, as the file format by default is NG, which is not compatible with Fiddler).
Chatting with the server developers, they indicated UMS binds to the network interface directly so it can send and receive multicast packets; so that explains why the packets didn't go thru the WinINET proxy.
As it worked with captured files, is there any way to feed WinPcap traffic to Fiddler for live analysis? (Or is it planned for the future?)
Thx, Wolf
EricLaw
answered on 16 Feb 2014, 11:37 AM
Hi, Wolf! Thanks for explaining the situation. I didn't realize that Wireshark had been updated to use the NG Format by default-- do you know what version you have?

At present, there's no plan to enable live-read of PCAP traffic, as this would require a massive re-engineering of Fiddler's internals and would remain useful only for unencrypted traffic that isn't properly proxied, which remains a fairly obscure use case. However, I'll keep thinking on it. 

Thanks again.
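
The capture-format mismatch reported in this thread (Wireshark saving the NG format by default, and the file needing a Save As pcap/tcpdump before import) can be checked from the first bytes of the file. The following is an added example, not code from any poster or from Fiddler; the function names and the sample headers are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers as stored on disk -> (struct byte-order prefix, timestamp unit)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"    # pcapng Section Header Block type
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D     # stored at offset 8 of the block


def capture_format(header: bytes) -> dict:
    """Classify a capture file from its first 24 bytes."""
    magic = header[:4]
    if magic in PCAP_MAGICS and len(header) >= 24:
        end, ts = PCAP_MAGICS[magic]
        major, minor = struct.unpack(end + "HH", header[4:8])
        snaplen, linktype = struct.unpack(end + "II", header[16:24])
        return {"format": "pcap", "byte_order": end, "timestamps": ts,
                "version": (major, minor), "snaplen": snaplen,
                "linktype": linktype}  # linktype 1 is Ethernet
    if magic == PCAPNG_SHB_TYPE and len(header) >= 16:
        # The block type reads the same in both byte orders, so the
        # byte-order magic decides how the remaining fields are read.
        for end in ("<", ">"):
            if struct.unpack(end + "I", header[8:12])[0] == PCAPNG_BYTE_ORDER_MAGIC:
                major, minor = struct.unpack(end + "HH", header[12:16])
                return {"format": "pcapng", "byte_order": end,
                        "version": (major, minor)}
    return {"format": "unknown"}


def needs_resave_as_pcap(header: bytes) -> bool:
    """True for pcapng, the case that needed 'Save As pcap/tcpdump' in the thread."""
    return capture_format(header)["format"] == "pcapng"


# Constructed sample headers (not taken from the captures attached to the thread).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = (struct.pack("<IIIHHq", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1)
                 + struct.pack("<I", 28))

if __name__ == "__main__":
    for name, hdr in (("classic pcap", SAMPLE_PCAP), ("pcapng", SAMPLE_PCAPNG)):
        print(name, capture_format(hdr), needs_resave_as_pcap(hdr))
```

For a real file, pass the result of `open(path, "rb").read(24)` to `capture_format`.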