Since more and more websites force you to use TLS 1.2 (and don't support TLS 1.0 any more), I suggest that the list of protocols is automatically extended with tls1.2 by a future Fiddler update, or at least there should be a one-time question box with Yes-No-Cancel to extend it.
Also see reference at https://www.telerik.com/forums/some-https-sites-are-unaccessible-when-using-fiddler
Fiddler is great, but the composer tab really needs some love. For example, it could do with text manipulation features from other applications: double-click selects a chunk of text, but it doesn't appear to be aware of common symbols like : ? # " ' ; etc.; instead it highlights up to the next space. If I were to do this in VS Code or Notepad++, it would be more intelligent about delimiters and highlight the portion before the : or inside the " ".
Pressing Tab inside the editors moves to the next editor. This seems counterintuitive in this context, as you'd expect the editor to insert a tab rather than move you to another field.
I've been using Fiddler for years and this has always bugged me. I normally edit the request in another application and paste it in, but it'd be great if I could do some basic editing in Fiddler itself. It shouldn't be full IDE mode, but a little bit of help would be appreciated.
Simple things that would make this much better:
It would be really great to be able to view requests and responses as a formatted JSON string. Currently, you can show JSON, which uses some tree format, and you can show raw, which is just a flat, hard-to-use string.
It would also be great to be able to format JSON inside the request composer so it can be easy to modify.
Today, Fiddler's AutoResponder only automatically replies to an HTTPS CONNECT with an HTTP/200 OK if the capture contains such a response, or if the "Unmatched requests passthrough" box is unchecked. Otherwise, the CONNECT request will pass or fail based on whether the real server is reachable.
This is confusing, and almost never what the user really wants to have happen.
We should add a new checkbox to the AutoResponder titled "Accept all CONNECTs" that when checked, sets a hidden rule equivalent to this rule which can be created manually
Otherwise, users will be sad when AutoResponder doesn't do what they hope, and they'll wonder why they are getting ERR_TUNNEL_CONNECTION_FAILED error messages in their browser when they have AutoResponder rules for HTTPS requests that they expect to fire.
I am getting the following error in Fiddler, and without Capture HTTPS CONNECTs it works. Also, in the Protocols I have enabled: <client>;ssl2;ssl3;tls1.0;tls1.1;tls1.2
fiddler.network.https> HTTPS handshake to <domain> (for #6) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted
Win32 (SChannel) Native Error Code: 0x80090326
[Edited by Telerik Staff to remove personal information and convert to bug report]
This is a copy of Fiddler's new Feedback Portal not working properly submitted to the Fiddler groups forum:
I have submitted probably a dozen or two bugs to the Fiddler Feedback portal https://fiddler.ideas.aha.io/ideas . Fiddler recently changed the feedback portal software and attempted to import all existing bugs. The import was not done properly. For every bug I reported, the old links do not redirect to the imported reports. If I search for a report by title, only arbitrary comments of the reports are included. There are no screenshots or attachments. Also, I cannot log in to the portal with my Yahoo account; it says "Oh, no! Something's not right, but we're sorting it out." I was able to salvage some of what I reported from screenshots of the old site, but I don't remember all of what I reported. Please retry the import so what users reported remains open for discussion and fixing. One particular bug is really a nuisance and hasn't been fixed: when I have one session open raw in the inspector and I click on another session, I have to wait a long time. I don't remember what bug I filed over it, but I know I filed something.
(Since the original post I have been able to log in with my Yahoo account. It does not show any bugs for my e-mail, and they're still broken, missing content and comments as "Imported User")
Running into more and more issues where the end users are authenticating via a smartcard. If the issue is after the initial handshake, then we may be able to turn on Fiddler after the authentication and everything is okay. If the issue is specifically to do with the authentication or authentication screens, then we are stuck and have no tool to use to debug the issue, especially when it may involve multiple processes.
With appropriate new settings in the Fiddler Options, could the socket connection on a TLS send certificate challenge call the appropriate API to use the SmartCard reader as well as challenge for a PIN/biometric instead of reading from a certificate.cer file?
WebSocket monitoring is such a cool feature in Fiddler. What I'm missing is the possibility to export all messages sent and received via the WebSocket.
In Wireshark I would associate that functionality with "Follow TCP stream".
The reason behind:
I want to search within the WebSocket communication for certain IDs, patterns, etc. This is currently not possible, as every message is handled separately in Fiddler.
What I would expect:
Being able to export selected or all messages in the WebSocket pane. (One could think of adding "received", "sent" and a timestamp between the messages with a certain beginning to be able to filter those messages later.)
I would call the fact that:
- "Save" - "Selected Sessions" "as Text or ZIP" is only saving the WebSocket HTTP upgrade request together with the response, but without the WebSocket payload
Or I am missing something. Comments welcome...
My Windows DPI scaling is set to 200%, and my resolution to 2000x3000.
If I load Fiddler normally, I see the following blurry text.
So I saw this bug report, https://feedback.telerik.com/fiddler/1361354-hope-the-fiddler-can-support-the-high-dpi-screen, which suggested loading Fiddler with -dpiaware, and now some text is better, but most of the tabs and buttons are incorrect sizes in the composer. In my opinion it's more usable with the blurry text. I also tried to change the Fiddler.exe.config - EnableWindowsFormsHighDpiAutoResizing from true to false, but the only effect this had was to change the size of the mouse cursor.
Any ideas on something else to try, or is this a limitation of Fiddler / .NET WinForms?
It's an incredibly annoying prompt that occurs every. single. time. I open up Fiddler.
Check for updates behind the scenes and only let me know when an update exists.
I have a connectivity issue when I run Fiddler (Progress Telerik Fiddler Web Debugger). I work behind a corporate proxy server and the server IP is changed every few hours. The change in IP is normally okay, but when I am running Fiddler with the 'Automatically Authenticate' option enabled, then Fiddler shows an error every time the proxy is changed; it shows a yellow error message suggesting "The system proxy was changed. Click to reenable capturing".
Clicking on the error in Fiddler works fine and it reconnects, but I find this frustrating because if I don't realise there was an error in Fiddler and don't click it immediately, then it affects my connectivity and some activities on my PC start to fail without me realising.
My suggestion is that you should let Fiddler auto-reconnect when this type of proxy change happens and when the 'Automatically Authenticate' option is enabled. I know it can't try to reconnect forever because it will cause an endless cycle for other people who have other types of proxy disconnects, but in my case it would be very helpful to let Fiddler at least try once to auto-reconnect (for me 1 retry is usually fine and Fiddler is able to connect to the new proxy address, but perhaps you can let the number of retries be a menu option so that users can set the number of retries that they want Fiddler to do after there was a proxy change or proxy error).
Thanks so much for your work, I really like Fiddler!
I hope you can bug fix this or add it as a feature, it will be very helpful!
(Some blocking rules are not shown)
When I use the "filter now" function, it does not filter properly.
Prior to this, I used the "Filters" feature, but there was always a link that was not blocked (this URL: https://watson.telemetry.microsoft.com/Telemetry.Request ).
With the "Filters" function turned on, I used the "Filter now" function several times to block this link, but the result was only blocked at that time, and then came out again.
Now I turn off the "Filters" function, and then use "Filter now" to block that link. As a result, the blocking rule is not displayed in the lower left corner. Other blocking rules can be displayed normally.
Some responses cannot be shown in Fiddler. For example, I am analysing the package of 植物大战僵尸2 (pvz2) for iOS. It shows "400 .net error response headers...", but other apps like Burp Suite can deal with it well...
So I have to set the proxy of the iPhone to "192.168.1.2:8080" and the gateway of Fiddler to "127.0.0.1:8888" where Burp listens, then Fiddler works OK... but it's also too complicated.
Thx for your reply... (may you have a try?)
Please add comments to the Fiddler AutoResponder. And maybe a hierarchy view so I can create folders and create responses inside folders (for grouping), with a group switch on|off.
After executing the "bpu xxx" request breakpoint, inside the AutoTamperRequestBefore(Session oSession) method, oSession.oFlags.ContainsKey("x-breakrequest")=false.
But after executing the "bpa xxx" response breakpoint, inside the AutoTamperResponseBefore(Session oSession) method, oSession.oFlags.ContainsKey("x-breakresponse")=true.
It'd be extremely useful if Fiddler could have the ability to do filtering non-destructively, where filtering doesn't drop data/entries/lines altogether, but rather merely hides them from display.
This enables the ability for you to do multiple levels/layers/slices of filtering, as there's very often a need for doing on any given capture session. Currently, however, when you filter on something, the capture data gets dropped from the data/result set, lost altogether.
Process Monitor by Microsoft/Sysinternals has this ability, and it's extremely useful, allowing you to not only do layers of filtering, but also allowing the ability to traverse back up the "stack" 1..n filter layers, and if/when needed, able to un-filter all the way back up to baseline of all capture data shown (and without having to re-load a session save).
Procmon also has the ability to "Drop filtered events", which when enabled does destructive filtering, dropping any non-filter-matching packets from that point forward:
This would also be handy to have, but not crucial; much more beneficial/important is the ability to filter non-destructively.