Hi Team,
We wanted to use Fiddler Classic and when we send for Security Scanning, its flagged as Malicious. From your end, do you have confirmation like it would be false positive. Attached the screenshot where it was flagged as Malicious.
Thanks.
For legacy reasons, Fiddler logs the message "HTTPSLint> Warning: ClientHello record was {0} bytes long. Some servers have problems with ClientHello's greater than 255 bytes"
This message should be removed because at this point, effectively ALL clienthellos are over 500 bytes and basically all servers are okay with it.
(This message was only relevant around 2014 or so when longer clienthellos started becoming common)
When sending post data, -d option needs to ensure that the data does not start with an @
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome
BasicFormats.dll - cURLExport.cs
As noted in the Fiddler book,
Sessions rerouted from one hostname to another using the Host Remapping tool are rendered with a light blue
background in the Web Sessions list. HTTPS Sessions that have been rerouted have the X-IgnoreCertCNMismatch
and X-OverrideCertCN Session Flags set to avoid raising “Certificate Name Mismatch” errors.
However, there's a bug. In the HostsFile.cs code, there's are several places that look like:
if (oS.isTunnel) {
oS["x-overrideCertCN"] = oS.hostname;
oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";
}
This usually works for browser traffic going through Fiddler (because the HTTPS handshake is typically conducted on the CONNECT tunnel). However, it doesn't work (and the user is spammed with cert error warnings) if the traffic is sent from Fiddler itself (e.g. via Composer or using the "Reissue requests" context menu item).
The code should look like this:
if (oS.isHTTPS || oS.isTunnel) {
oS["x-overrideCertCN"] = oS.hostname;
oS["X-IgnoreCertCNMismatch"] = "HOSTS-Ext";
}
When HTTPS decryption is enabled in Fiddler, Fiddler parses the ClientHello and ServerHello HTTPS messages to determine the supported ciphers and other information, including TLS Extensions.
Unfortunately, Fiddler's HTTPSMessages parsers have a bug whereby if the extensions are larger than the available data on the stream/pipe, reading of the extensions is skipped and misleading text suggesting that no extensions were sent is shown in the Inspectors. For instance, the current version of Chrome Canary sends ~1308 bytes of TLS extensions in the ClientHello, but only 908 bytes are available at the time that the message is read. Fiddler claims that the ClientHello contained no extensions.
Instead of performing a single .Read() call and ignoring the result if the size is less than expected, Fiddler should continue to read the stream until the promised number of bytes have been read.
[This issue is similar to https://crbug.com/1028602#c2, although the implementation is obviously unrelated).
The GetSupportedVersions function inside HTTPSUtilities has an off-by-one error in the parser that results in omitting the final value in the list.
Instead of code like this:
for (int index = 1; index < arrSupported.Length - 2; index += 2)
the code should instead be:
for (int index = 1; index <= arrSupported.Length - 2; index += 2)
Precondition:
Steps to reproduce:
Expected result:
Actual result:
Version: 5.0.20192.25091 (2019-06-04)
Platform: Windows 10 build 17134, .NET 4.7.1
Inside the Header inspector, you can add a header to a breakpointed response. The header editor offers templates. The "Set-Cookie" template for persistent cookies has an expiration date that seemed impossibly far in the future: June 2021.
Well, I may not have a flying car, but we're now living in a future beyond that imagined by the header inspector. We need to update to a later expiration date.
The bug I'm reporting is sometimes the Session.HostnameIs() will return true even if the supplied hostname does not match Session.hostname and a port was passed by the client in the Host header.
HostnameIs function is documented as "This method compares the supplied hostname to the hostname of the request, returning true if a case-insensitive match is found."
What I think is happening is that rather than use Session.hostname for comparison Fiddler instead uses the Session.host (ie what was passed by the client in the Host header) and if a port is present maybe it incorrectly extracts out the hostname. Here is an example that shows the bug and why I think that.
In OnBeforeRequest add this code, which should only show an alert box if the hostname is test:
if(oSession.HostnameIs("test")) {
FiddlerObject.alert(oSession.hostname);
}
Now in a browser try going to http://t:81/ and you will see it shows the alert box, in other words a match. Why? Well, I will guess based on my testing that your code in HostnameIs gets the index of the colon in the host t:81, which is 1, and then compares only that number of characters. So it's doing whatever is the javascript equivalent of !strnicmp("t", "test", 1).
This manifests itself through CONNECT as well, and probably more likely, since the standard ports are used in the Host header (IE might be an exception to this). For example, let's say you go to https://t/ in Firefox or Chrome and HTTPS decrypt is enabled. The Host passed by the client for the CONNECT is t:443 and so it's the same problem, !strnicmp("t", "test", 1).
This is not a theoretical issue for me, I was testing something earlier today where I had to treat a hostname that ended in .co different from the same hostname that ended in .com and it turned out the test I was doing applied to both of them because of this bug.
There may be very good reason to not use Session.hostname for the comparison, I don't know, but the likely extraction from Session.host is not done properly.https://twitter.com/ozziepeeps/status/1349126308454830082
Basically, the problem here is that if we're AutoAuthenticating when reissuing a request, we try to strip any default Auth header.
There's code that looks like
if (theFlags.ContainsKey("x-AutoAuth") && newSession.requestHeaders["Authorization"].OICContains("NTLM")
//... strip the header
The problem is that we should only be looking at the very first token of the Authorization header (e.g. before the first space). We should not search the whole header, because if the header is
Authorization: Bearer BlahblahblahNtLMblahblah
we think it's an NTLM header and strip it.
Response headers named
Cross-Origin-Embedder-Policy
Cross-Origin-Resource-Policy
Cross-Origin-Opener-Policy
Should be added to the "Security" section of the Response Headers inspector. These are important security headers added to the web platform, and looking for them will become increasingly common and important.
Hi,
When i started latest version of Fiddler, i started to get an error window at launch saying "Failed to register Fiddler as the system proxy"
But as usual, i have plenty opened windows at the same time.
While i'm doing a search for a solution, Fiddler and the error window goes to background.
But when i come back to Fiddler, i'm unable to exit the application.
The error windows is not referenced in the taskbar and it's a pain to find it.
The best solution is to go to desktop "Win+D" and focus on Fiddler to get the splash screen and the error window visible again.
Once the error window closed, i can close Fiddler.
The issue is the error window staying on background and not having an entry in taskbar.
Fiddler’s “Auth” Inspector uses Encoding.Default() for decoding base64-encoded BASIC auth credentials. This was common practice at the time this was first written but is now obsolete. https://tools.ietf.org/html/rfc7617, written much later, demands UTF-8.
Chromium and Firefox encodes credentials using UTF-8.
Date of update appears as 04/21/2019, should be 04/21/2020:
5Fiddler's "Web Browsers" filter does not include msedge.exe as a web browser. This is the executable name of the new Chromium-based version of Edge that Microsoft is now working on.
This should be a one-line fix and very much appreciated by the many thousands of Fiddler+Edge users.
I'm trying many times this shortcut but it's doesn't work. When i'm try to copy Single Header with CTRL + C it's work but when i'm try to copy single header's value with CTRL + SHIFT + C shortcut it's didn't work.