Hello,
In FiddlerScript I am setting x-no-decrypt, and I want to kill the connection after a single request has been sent and its response received. The app that I'm proxying traffic for will then reconnect to re-establish its connection, and, this time round, I don't want to set x-no-decrypt.
How do I do this?
The background is that I'm security auditing an app where the code looks like this:
// connect to HTTPS server
// GET /hello
// check the HTTPS certificate of the server and if it isn't this hard-coded one then throw an exception
// POST /login?username=foo&password=bar
I suspect, and want to demonstrably prove, that the networking library that the app is using will try to be helpful and reconnect the HTTPS connection if it is dropped after the response from the GET is successfully received and before the POST is made. This essentially means that the server certificate check against a hard-coded one is useless, and I want to prove this using Fiddler.
Thanks!
David
In FiddlerScript I am setting x-no-decrypt, and I want to kill the connection after a single request has been sent and its response received. The app that I'm proxying traffic for will then reconnect to re-establish its connection, and, this time round, I don't want to set x-no-decrypt.
How do I do this?
The background is that I'm security auditing an app where the code looks like this:
// connect to HTTPS server
// GET /hello
// check the HTTPS certificate of the server and if it isn't this hard-coded one then throw an exception
// POST /login?username=foo&password=bar
I suspect, and want to demonstrably prove, that the networking library that the app is using will try to be helpful and reconnect the HTTPS connection if it is dropped after the response from the GET is successfully received and before the POST is made. This essentially means that the server certificate check against a hard-coded one is useless, and I want to prove this using Fiddler.
Thanks!
David
1 Answer, 1 is accepted
0
You can't really do that. When you set x-no-decrypt, you're creating a blind tunnel whose octets are encrypted in both direction. You can't look at encrypted octets and know what they represent.
In theory you could try to guess when the request is done based on timing, and when the response is done based on timing, but this would be, at best, a guess.
It would probably be simpler to just have your client talk to a server you control, and configure the server to drop the connection after the first request.
Alternatively, you could configure your client application to look for Fiddler's root certificate; respond to the first request with Fiddler and let the second request go through to the real server and see whether the client complains about the "wrong" certificate.
Regards,
Eric Lawrence
Telerik
In theory you could try to guess when the request is done based on timing, and when the response is done based on timing, but this would be, at best, a guess.
It would probably be simpler to just have your client talk to a server you control, and configure the server to drop the connection after the first request.
Alternatively, you could configure your client application to look for Fiddler's root certificate; respond to the first request with Fiddler and let the second request go through to the real server and see whether the client complains about the "wrong" certificate.
Regards,
Eric Lawrence
Telerik
Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.