Hello,
I want to use Fiddler to utilize HTTP/1.0 functionality, which does not support the "Host" header. Yet if I put http://10.10.10.10/ into Request Builder and choose "HTTP/1.0" from the menu, it still puts the "Host" header in. I want the request coming out without that header at all. How do I do that?
5 Answers, 1 is accepted
0
Hello,
Per the RFC, as a HTTP/1.1 proxy, Fiddler is required to add a Host header.
It's not clear why this is problematic-- any server that has a problem with this is, by definition, buggy and should be fixed.
You can remove the header if you'd like (although doing so can cause problems elsewhere). Click Rules > Customize Rules. Scroll to OnBeforeRequest and add the following:
    if (oSession.oRequest.headers.HTTPVersion == "HTTP/1.0")
    {
        oSession["x-overridehost"] = oSession.host;
        oSession.oRequest.headers.Remove("Host");
    }
Regards,
Eric Lawrence
Telerik
Check out the Telerik Platform - the only platform that combines a rich set of UI tools with powerful cloud services to develop web, hybrid and native mobile apps.
0
Gregory
Top achievements
Rank 1
answered on 22 May 2014, 06:41 PM
Correct. "Per RFC HTTP 1.1".
I'm submitting request with HTTP 1.0, so this shall allow (and require) not to submit this header.
0
Hi, Larry--
Alas, it doesn't work like that. A HTTP/1.1 proxy doesn't get to pretend to be a HTTP/1.0 proxy.
The lack of the Host header was a huge deficiency in the HTTP/1.0 spec which was corrected in RFC2068, which aggressively pushed for updates to even HTTP/1.0 clients.
Regards,
Eric Lawrence
Telerik
0
Gregory
Top achievements
Rank 1
answered on 22 May 2014, 06:56 PM
I don't understand. Fiddler is in fact using HTTP 1.0 when I use Composer and specify HTTP 1.0 as transport, so using HTTP 1.0 and the "Host" header at the same time is a violation of the RFC for HTTP 1.0.
0
Gregory
Top achievements
Rank 1
answered on 22 May 2014, 07:06 PM
The reason I need Fiddler not to perform this way is because I try to use it to find a "vulnerability" in IIS where it will expose the internal server IP address when IIS is being queried by HTTP/1.0.
You can see this in action on the Telerik website, for example. I do it via the Wfetch tool, which I had to spend a lot of time finding, since Fiddler has so far completely replaced my need for an HTTP debugger except for this obscure situation where the "Host" header is being sent even with an HTTP/1.0 request.
GET /images HTTP/1.0\r\n
\r\n
\r\n
RESPONSE: **************\nHTTP/1.1 301 Moved Permanently\r\n
Content-Type: text/html; charset=UTF-8\r\n
Location: http://172.16.81.105/images/\r\n
Server: Microsoft-IIS/7.5\r\n
Date: Thu, 22 May 2014 19:03:51 GMT\r\n
Connection: close\r\n
Content-Length: 151\r\n
\r\n
<head><title>Document Moved</title></head>\n<body><h1>Object Moved</h1>This document may be found <a HREF="http://172.16.81.105/images/">here</a></body>WWWConnect::Close("www.telerik.com","80")\nclosed source port: 38146\r\n
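A defensive check for the disclosure shown in the post above, as an added example that is not part of the original thread: it scans a captured response for internal IP literals in the Location and Content-Location headers and in body links. The function names are assumptions made for this example, and the sample is the post's captured response with the Date and Content-Length headers omitted.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Response from the post above, abbreviated (Date/Content-Length omitted).
CAPTURED = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Location: http://172.16.81.105/images/\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<body><h1>Object Moved</h1>This document may be found "
    '<a HREF="http://172.16.81.105/images/">here</a></body>'
)

URL_HEADERS = {"location", "content-location"}
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)""", re.I)


def internal_host(url):
    """Return the URL's host if it is a non-public IP literal, else None."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return None  # relative URL, DNS name, or malformed authority
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


def find_internal_address_leaks(raw_response):
    """Return (where, address) pairs for internal IPs exposed by a response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in URL_HEADERS:
            host = internal_host(value.strip())
            if host:
                findings.append((name.strip(), host))
    for url in LINK_RE.findall(body):
        host = internal_host(url)
        if host:
            findings.append(("body", host))
    return findings


if __name__ == "__main__":
    for where, address in find_internal_address_leaks(CAPTURED):
        print(f"internal address {address} disclosed in {where}")
```
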