This is a migrated thread and some comments may be shown as answers.

JavaScript errors when decrypting HTTPS

Cory
Cory asked on 17 May 2020, 02:58 AM

I'm not sure how to describe this with any detail.  I have a JavaScript app.  It works fine without Fiddler running.  When I run Fiddler and enable capturing and decrypting of HTTPS, I get JavaScript errors when running the app.  All the other HTTPS stuff I've tried works fine.  (If I turn off HTTPS decrypting, the JavaScript app works too.  So it's something related to HTTPS decrypting.)

I tried another product called Charles, and the JavaScript app works fine and Charles captures and decrypts all HTTPS traffic from this JavaScript app just fine.

But I'd rather use Fiddler.  But I can't figure out what the issue might be with Fiddler HTTPS decrypting.

I have already reset the Fiddler certs several times with no change.  Again, all other HTTPS works and decrypts correctly.

6 Answers, 1 is accepted

Cory
answered on 17 May 2020, 04:23 PM

I figured out a little more about what's happening.

The main JavaScript app makes a call to this URL to pull in additional code:

https://www.accountonline.com/svc/content/includes/fp_AA.js

For testing, I copy & pasted that URL into my browser.

With Fiddler NOT set to decrypt https, my browser pulls back the contents of that URL just fine.

With Fiddler set to decrypt https, I get a 403 Access Denied response from that site.

Also, if I set the Fiddler HTTPS to skip decryption specifically for www.accountonline.com, then things work.

I should probably also mention, I DO see the Fiddler generated cert for *.accountonline.com in my Personal certificates list.  So Fiddler is generating the cert for the site.

At this point, I'm not sure it matters for me.  Since I already know what the contents of that URL are (and it's always the same), I can probably move forward with my work.

But it is odd that Fiddler has an issue with this and Charles doesn't, so you may still want to look into it.  I'm still happy to do any troubleshooting or testing with your guidance.

Eric R | Senior Technical Support Engineer
Telerik team
answered on 19 May 2020, 07:23 PM

Hi Cory,

I am always happy to help in any way that I can, although I am not sure I fully understand the scenario. Can you confirm the following information?

1. Is the JavaScript application hosted at accountonline.com or are these different applications?

2. Are you using a custom certificate for HTTPS Decryption? If not, I recommend following the Decrypt HTTPS Traffic documentation.

3. Are the same certificates installed at accountonline.com and through Fiddler?

4. Can you provide a Session Archive of the requests giving a 403?

5. Do you have access to the web server at accountonline.com?

Once I have the above information I believe I will understand the scenario better.

In the meantime, please let me know if you need any additional information. Thank you.

Regards,


Eric R | Senior Technical Support Engineer
Progress Telerik

Progress is here for your business, like always. Read more about the measures we are taking to ensure business continuity and help fight the COVID-19 pandemic.
Our thoughts here at Progress are with those affected by the outbreak.
Cory
answered on 22 May 2020, 01:13 AM

Thanks for the response!

I don't see a way to edit the title on a thread, but knowing what I know now, it should really be titled something more like "HTTPS Decryption causes 403 Access Denied with www.accountonline.com."  I don't think JavaScript has anything to do with it.  That's just how it initially manifested, but that was the symptom, not related to the actual cause.

So, forget JavaScript.

Just do this...

  • Make sure Fiddler is NOT running (or on a PC that doesn't have Fiddler installed).
  • Copy this URL to your clipboard:  https://www.accountonline.com/svc/content/includes/fp_AA.js
  • Open your browser (I've tried MS Edge, IE 11, & Chrome).
  • Paste that URL to the browser's address bar.
  • You should get back an ugly looking (unformatted) page of JavaScript code (I think that's what it is) shown in your browser window.
  • Close your browser.

Now, run Fiddler and enable HTTPS traffic decryption via Tools/Options, then the HTTPS tab, and the "Decrypt HTTPS traffic" option.

  • Reopen your browser.
  • Again, paste the above URL to the browser address bar.
  • This time you should get an "Access Denied" message displayed in the browser window.  If you look at the Fiddler capture for it, you should see that the response code was 403.

That's all there is to it.  The content of the code is irrelevant (I think).  It's simply the issue that the site responds with a 403 error when Fiddler HTTPS decryption is enabled.

But to answer your questions...

  1. The original JavaScript app is NOT hosted at accountonline.com.  They are separate apps.  The original JavaScript app calls and uses code from accountonline.com.  Since the original app gets the invalid response from accountonline.com, the original app errors out.  But again, since I can duplicate this just in a regular browser, it's not anything to do with the JavaScript app after all.
  2. No custom certs.  The only thing I've done is to enable Fiddler's HTTPS decryption exactly using the steps in the "Decrypt HTTPS Traffic" link you provided.
  3. I don't know what certs are installed at accountonline.com. It's not a server I have any access to or control over. (See question 5.)  The only certs on my computer are the certs that Fiddler itself automatically generates.  (And I have installed the Fiddler root cert on my PC as a trusted root.)
  4. I created a session archive, but I'm unable to attach it.  When I try to attach the .saz file to this post, I get an error that the only allowed file types are .jpg, .jpeg, .gif, or .png.  If you can tell me how to attach or upload the .saz file, I'll be happy to.  That said, you should be able to easily recreate this yourself using my above instructions.
  5. I do not have any access to the www.accountonline.com web server.  It actually belongs to CitiBank.  (And no, I don't work for Citi.)

Thank you again.

Eric R | Senior Technical Support Engineer
Telerik team
answered on 26 May 2020, 12:31 PM

Hi Cory,

Thank you for the detailed information. It is very helpful. Although in this case, I don't think the issue is related to Fiddler. Let me briefly explain below.

Explanation

Since the accountonline.com web server is owned by another company and is also a bank, they have most likely implemented security measures blocking Man-in-the-Middle attacks, which Fiddler uses to debug traffic. One example of this is Certificate Pinning.

More specifically, when Fiddler decrypts HTTPS the server is asked to trust the Fiddler Root Certificate, and if Certificate Pinning is in place then it will block access. In this scenario, Fiddler will not work or solve any issues.

Recommendation

Generally, if companies want to provide their services to third-party applications they also provide developer APIs that make this possible. I recommend asking the company that owns the service if they offer any 3rd-party APIs or SDKs to work with their service.

In the meantime, please let me know if you need any additional information. Thank you for using the Fiddler forums. 

Regards,


Eric R | Senior Technical Support Engineer
Progress Telerik
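Certificate pinning, which the reply above names as the likely cause, is a check made on the client side: the application hashes the server certificate's SubjectPublicKeyInfo and compares it with a value it ships with, so a certificate minted under a debugging proxy's root (which necessarily carries the proxy's own key) is rejected, while a routine renewal of the origin certificate with the same key still passes. The Python below is an added example, not Fiddler's, Charles's or Telerik's code. The certificates and keys in it are constructed placeholders (not real RSA keys, no real signature) built with a tiny DER encoder so the check runs offline; the `pin_from_pem` helper is the hypothetical entry point for feeding a real PEM certificate to the same check.

```python
import base64
import hashlib
import ssl


def der_tlv(tag, content):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the TLV at pos; return (tag, content_start, content_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, pos, pos + length, pos + length


def der_name(cn):
    """X.501 Name holding a single commonName (OID 2.5.4.3) as UTF8String."""
    attr = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, attr))


SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSAEncryption
RSA_ENCRYPTION = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))


def build_cert(issuer_cn, subject_cn, serial, pubkey):
    """Constructed X.509 v3 skeleton (placeholder key, zero signature) for offline demonstration only."""
    spki = der_tlv(0x30, RSA_ENCRYPTION + der_tlv(0x03, b"\x00" + pubkey))
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") + der_tlv(0x17, b"300101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + SHA256_RSA + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der_tlv(0x30, tbs + SHA256_RSA + der_tlv(0x03, b"\x00" * 33))


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from a DER-encoded certificate."""
    tag, pos, _, _ = der_read(cert_der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = der_read(cert_der, pos)      # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, _, nxt = der_read(cert_der, pos)
    if tag == 0xA0:                               # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = der_read(cert_der, pos)
    tag, _, _, nxt = der_read(cert_der, pos)
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return cert_der[pos:nxt]


def spki_pin(cert_der):
    """RFC 7469-style pin: base64(SHA-256(DER subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def check_pins(cert_der, pinned):
    """True when the presented certificate's key matches any pinned value (primary or backup)."""
    return spki_pin(cert_der) in pinned


def pin_from_pem(pem_text):
    """Hypothetical entry point for a real certificate saved in PEM form (browser export, openssl s_client)."""
    return spki_pin(ssl.PEM_cert_to_DER_cert(pem_text))


# Constructed placeholder keys: 32 arbitrary bytes standing in for a DER RSAPublicKey, not real keys.
ORIGIN_KEY = hashlib.sha256(b"constructed origin key").digest()
PROXY_KEY = hashlib.sha256(b"constructed proxy key").digest()

ORIGIN_CERT = build_cert("Example Public CA", "www.example-bank.test", 1, ORIGIN_KEY)
RENEWED_CERT = build_cert("Example Public CA", "www.example-bank.test", 2, ORIGIN_KEY)   # same key, new serial
PROXY_CERT = build_cert("Debugging Proxy Root", "www.example-bank.test", 3, PROXY_KEY)  # re-issued by an interception proxy

PINNED = {spki_pin(ORIGIN_CERT)}  # the value a pinning client ships with (plus a backup pin in practice)

if __name__ == "__main__":
    for label, cert in [("origin", ORIGIN_CERT), ("renewed", RENEWED_CERT), ("proxy", PROXY_CERT)]:
        print(f"{label:8s} pin={spki_pin(cert)} accepted={check_pins(cert, PINNED)}")
```

The proxy-issued certificate fails even though its subject name matches the origin, because the proxy cannot present the origin's public key; the renewed certificate passes because pinning is on the key, not on the leaf certificate's serial or issuer. That is why a pin set normally includes a backup key, so that a planned key rotation does not lock out the client.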

Cory
answered on 29 May 2020, 01:51 AM

Thank you for your help and explanation.  As I mentioned in an earlier post, this is no longer an obstacle for what I'm doing, so it really doesn't matter to me, and I can do the rest of what I need with Fiddler.

I only repeat that another proxy software, Charles Proxy, https://www.charlesproxy.com/, IS able to handle this situation and decrypt the traffic for www.accountonline.com.  Attached is a screen shot showing this.

So at this point I only mention it if you want to look into matching functionality with a competing product.

Eric R | Senior Technical Support Engineer
Telerik team
answered on 29 May 2020, 03:08 PM

Hi Cory,

Thank you for the feedback. We really appreciate it. I will definitely take this back to the team and we will investigate. 

Additionally, if you would like to try out the newest Fiddler version, Fiddler Everywhere, it can be found at https://www.telerik.com/fiddler-everywhere/insiders

Currently, Fiddler Everywhere is in Beta but should be released soon. If you are willing, we would appreciate any feedback there as well. 

In the meantime, please let me know if you need any additional information. Thank you again for being a valued Fiddler user.

Regards,


Eric R | Senior Technical Support Engineer
Progress Telerik
