This is a migrated thread and some comments may be shown as answers.

How do I kill an HTTPS x-no-decrypt connection after a single request has been sent and its response received?

David asked on 06 Oct 2014, 11:13 PM
Hello,

In FiddlerScript I am setting x-no-decrypt, and I want to kill the connection after a single request has been sent and its response received.  The app that I'm proxying traffic for will then reconnect to re-establish its connection, and, this time round, I don't want to set x-no-decrypt.

How do I do this?

The background is that I'm security auditing an app where the code looks like this:

// connect to HTTPS server
// GET /hello
// check the HTTPS certificate of the server and if it isn't this hard-coded one then throw an exception
// POST /login?username=foo&password=bar

I suspect, and want to demonstrably prove, that the networking library that the app is using will try to be helpful and reconnect the HTTPS connection if it is dropped after the response from the GET is successfully received and before the POST is made.  This essentially means that the server certificate check against a hard-coded one is useless, and I want to prove this using Fiddler.

Thanks!

David

1 Answer, 1 is accepted

Eric Lawrence
Telerik team
answered on 07 Oct 2014, 08:52 PM
You can't really do that. When you set x-no-decrypt, you're creating a blind tunnel whose octets are encrypted in both directions. You can't look at encrypted octets and know what they represent.

In theory you could try to guess when the request is done based on timing, and when the response is done based on timing, but this would be, at best, a guess.

It would probably be simpler to just have your client talk to a server you control, and configure the server to drop the connection after the first request.

Alternatively, you could configure your client application to look for Fiddler's root certificate; respond to the first request with Fiddler and let the second request go through to the real server and see whether the client complains about the "wrong" certificate.

Regards,
Eric Lawrence
Telerik
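
The "server you control" suggestion from the answer above, as an added example that is not part of the original thread: a small Python test server that answers one request per connection and then closes it, recording which request arrived on which connection. The names `read_request`, `serve_and_drop` and `tls_context` are assumptions of this sketch; pass an `ssl.SSLContext` loaded with your own test certificate to serve HTTPS.

```python
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
            b"Connection: keep-alive\r\n\r\nok")


def read_request(conn):
    """Read one HTTP request (headers plus any Content-Length body).

    Returns the request line, or None if the peer closed first."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            return None
        data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    length = 0
    for header in lines[1:]:
        name, _, value = header.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length:  # drain the body so the close is clean
        chunk = conn.recv(4096)
        if not chunk:
            break
        body += chunk
    return lines[0].decode("latin-1")


def serve_and_drop(listener, connections, tls_context=None):
    """Answer exactly one request on each accepted connection, then close it.

    Returns the request line seen on each connection, in accept order."""
    seen = []
    for _ in range(connections):
        conn, _addr = listener.accept()
        line = None
        try:
            if tls_context is not None:  # assumption: an ssl.SSLContext with a test cert
                conn = tls_context.wrap_socket(conn, server_side=True)
            line = read_request(conn)
            if line is not None:
                conn.sendall(RESPONSE)  # advertises keep-alive, then drops anyway
        except (OSError, ValueError):
            pass  # a failed handshake or malformed request leaves line as None
        finally:
            seen.append(line)
            conn.close()
    return seen
```

If the returned list shows the GET on the first connection and the POST on the second, the client library reconnected on its own after the drop; each accepted connection under TLS is a new handshake.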
 
