This is a migrated thread and some comments may be shown as answers.

How do I prevent Fiddler from inserting "Host" HTTP header?

Fiddler Classic
Gregory asked on 21 May 2014, 02:01 AM
Hello,

I want to use Fiddler to utilize HTTP/1.0 functionality which does not support the "Host" header. Yet if I put http://10.10.10.10/ into Request Builder and choose "HTTP/1.0" from the menu, it still puts the "Host" header in. I want the request coming out without that header at all. How do I do that?

5 Answers, 1 is accepted

Eric Lawrence
Telerik team
answered on 22 May 2014, 06:39 PM
Hello,

Per the RFC, as a HTTP/1.1 proxy, Fiddler is required to add a Host header.

It's not clear why this is problematic-- any server that has a problem with this is, by definition, buggy and should be fixed.

You can remove the header if you'd like (although doing so can cause problems elsewhere). Click Rules > Customize Rules. Scroll to OnBeforeRequest and add the following:

  if (oSession.oRequest.headers.HTTPVersion == "HTTP/1.0")
  {
    oSession["x-overridehost"] = oSession.host;
    oSession.oRequest.headers.Remove("Host");
  }


Regards,
Eric Lawrence
Telerik
 

Gregory
answered on 22 May 2014, 06:41 PM
Correct. "Per RFC HTTP 1.1".
I'm submitting request with HTTP 1.0, so this shall allow (and require) not to submit this header.
Eric Lawrence
Telerik team
answered on 22 May 2014, 06:53 PM
Hi, Larry--

Alas, it doesn't work like that. A HTTP/1.1 proxy doesn't get to pretend to be a HTTP/1.0 proxy.

The lack of the Host header was a huge deficiency in the HTTP/1.0 spec which was corrected in RFC2068, which aggressively pushed for updates to even HTTP/1.0 clients.

Regards,
Eric Lawrence
Telerik
 

Gregory
answered on 22 May 2014, 06:56 PM
I don't understand. Fiddler is in fact using HTTP 1.0 when I use Composer and specify HTTP 1.0 as transport, so using HTTP 1.0 and the "Host" header at the same time is a violation of the RFC for HTTP 1.0.
Gregory
answered on 22 May 2014, 07:06 PM
The reason I need Fiddler not to perform this way is because I try to use it to find a "vulnerability" in IIS where it will expose the internal server IP address when IIS is being queried by HTTP/1.0.
You can see this in action on the Telerik website, for example. I do it via the Wfetch tool, which I had to spend a lot of time finding, since Fiddler has so far completely replaced my need for an HTTP debugger except for this obscure situation where the "Host" header is being sent even with an HTTP/1.0 request.

GET /images HTTP/1.0\r\n
\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 301 Moved Permanently\r\n
Content-Type: text/html; charset=UTF-8\r\n
Location: http://172.16.81.105/images/\r\n
Server: Microsoft-IIS/7.5\r\n
Date: Thu, 22 May 2014 19:03:51 GMT\r\n
Connection: close\r\n
Content-Length: 151\r\n
\r\n
<head><title>Document Moved</title></head>\n<body><h1>Object Moved</h1>This document may be found <a HREF="http://172.16.81.105/images/">here</a></body>WWWConnect::Close("www.telerik.com","80")\nclosed source port: 38146\r\n
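
An added example, not part of the original thread: a Python check that scans a captured HTTP response for private IPv4 addresses in its headers and body, which is the disclosure shown in the output above. The sample bytes are constructed from that quoted response, and the function names are illustrative assumptions.

```python
import ipaddress
import re

# Constructed sample: the 301 response quoted in the post above,
# without the WFetch trace lines around it.
SAMPLE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Location: http://172.16.81.105/images/\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Date: Thu, 22 May 2014 19:03:51 GMT\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 151\r\n"
    b"\r\n"
    b"<head><title>Document Moved</title></head>\n"
    b"<body><h1>Object Moved</h1>This document may be found "
    b'<a HREF="http://172.16.81.105/images/">here</a></body>'
)

# Dotted quad that is not part of a longer number or version string.
IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def private_ips(data: bytes) -> list[str]:
    """Return the distinct private-range IPv4 literals found in data."""
    found = []
    for m in IPV4.finditer(data):
        text = m.group().decode("ascii")
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:  # e.g. an octet above 255
            continue
        if addr.is_private and text not in found:
            found.append(text)
    return found

def find_internal_addresses(raw: bytes) -> list[tuple[str, str]]:
    """Return (location, address) pairs for each header field and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            field = name.decode("latin-1").strip().lower()
            findings += [(field, ip) for ip in private_ips(value)]
    findings += [("body", ip) for ip in private_ips(body)]
    return findings

if __name__ == "__main__":
    for where, ip in find_internal_addresses(SAMPLE):
        print(f"internal address {ip} disclosed in {where}")
```
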