How to use Fiddler When Burp Not working

8 Comments
Hi All,

In this blog post we will go through simple steps on how to use fiddler when you are not able to intercept any traffic via burp suite.(Generally happens while doing mobile app sec)

How I landed @Fiddler :-
During the pen testing of mobile application, I was trying to intercept traffic via burp suite. But my bad, I was not able to intercept the traffic, I googled, etc but no luck. I wanted to test the application on priority, to ensure that troubleshooting the problem doesn't consume a lot of time.

At last, I decided to use fiddler. Thanks to my mentor who helped me learn this.
He knows what I mean :D

But trust me guys Fiddler is savior when you don't have any hope that you can intercept the traffic, So I call fiddler the savior xD.

I will walk-through a few simple steps which you can take in a situation where you have to test the application on priority and you don't have time to troubleshoot the problem in burp suite.

You can download the fiddler from this link

Points covered:- 
1] Setting up test environment to capture the mobile traffic
2] How to intercept the request and intercept off like we do in burp suite
3] How GUI Looks and what it means
4] How to intercept request from particular browser or process
5] How to intercept request only from particular host
6] How to redirect fiddler traffic to the burp
7] How to repeat the request (Similar to Burp Repeater)

I am writing this blog, considering we are trying to intercept the mobile application traffic. Though this will work for all sorts of application testing.

So lets start,


1] Setting up test environment to capture the mobile traffic 

Step 1:-  Go to Tools ==> Fiddler Option



Step 2:-  Set below Setting


Step 3:-  Set the Fiddler Listener Port. Set the same port value to your mobile device Wi-Fi Section.



PS: Please make sure you install the fiddler certificate in the mobile device in which you are doing testing otherwise you wont be able to capture the traffic in fiddler.

1- Set up your Laptop Wifi - Mobile Wifi on same network
2- Check your laptop IP address and use the same IP address in your Mobile wifi network setting.
3- Go to mobile browser and type http://ipv4.fiddler:8888
4- Download the certificate and install.


2] How to intercept the request and intercept off like we do in burp suite 

Well If you are Burp Suite lover and you want see the same way interception on and interception off in fiddler then you can do that by below steps:-

Intercept On:- Fiddler will capture the request and it will make sure that request will not go to server

Go to Rules==> Automatic Breakpoints ==> Before Requests (This will work as Intercept on in burp)

Before Requests: It will help you to modify the request before it reaches the server.



After modifying the request or after playing around with request now you want to play around with response than in that case.

Go to Rules==> Automatic Breakpoints ==> After Responses (This will work as Intercept off in burp)

After Responses:  It will help you to modify the response before it reach to the mobile device.



Intercept Off :-  Simply click on Disabled.

3] How GUI Looks and what it means 




4] How to intercept request from particular browser or process 

Well if you want to intercept particular request say from Web Browsers or from other device you can set that by going below in the All Processes tab click on that and say if you want to intercept all the processes request then select All Processes, say you want to intercept request only from the web browsers then select that.





OR  To be more precise

1-  First go to Fiddler Option ==> Connections  and capture the below path by clicking on "Copy Browser Proxy Configuration URL"



2- Go to your browser in my case say "FireFox"

click Tools ==>  Options ==>  Advanced ==> Network ==> Settings, and input the URL of the BrowserPAC.js.



3- Install fillder root certificate in firefox browser

Go to
Tools ==> Fiddler Option ==>  HTTPS ==> click on "Actions" tab ==> click on "Export Root Certificate to desktop"

5] How to intercept request only from particular host (Application which you are testing)

When you will open the fiddler you will see bunch of request going in and out from your fiddler. The big problem is you only want to capture request of the application which you are testing, and for rest of the traffic is just like unwanted request.

So to make your testing smooth and capture only request which you want to test then follow below simple steps:

PS: Just like in burp suite you first add host to scope and then you set your burp suite to intercept only request which are in scope.

5.1 - Click on Filter



5.2 Select Use Filters


5.3 Under Hosts on 2nd tab select "Show only the following hosts"





OR

Say for example if you want to capture facebook (web module) domain traffic only then follow the same steps which are mentioned above and under Hosts add "www.facebook.com" and you are good to go to capture facebook domain traffic via fiddler.


6] How to redirect fiddler traffic to the burp

6.1 Open the fiddler proxy tool. Go to the Tools ==> WinINET option, and disable the system proxy, so that fiddler can capture only remote proxy.





6.2  Under "HTTP" TAB

Now go to :-
 Tools => Options ==> HTTPS, and make a tick mark on Capture HTTPS CONNECTs. 



Also select ‘Allow remote computers to connect’ under Connections tab.




Click on Gateway tab.

6.1 Click on  “Manual proxy Configuration”
6.2 In place of IP you need to write 127.0.0.1:port_number (on which your burp tool is running)
With the help of this setting, the fiddler’s traffic will be going to navigate the Burp tool.



Now Just minimize the Fiddler. And use the burp suite to see the traffic.

7] How to repeat the request (Similar to Burp Repeater)

In Fiddler, you can repeat a request as many times as you like by hitting SHIFT+R on the selected Web Session. You'll be prompted for a repeat count and then Fiddler will issue the specified number of requests.


I have listed the setting of fiddler that I'm familiar with. If you know of any other service of fiddler which I've not listed on this blog, please feel free to share with me or DM me. I would love to incorporate those in my blog, that would help the other pen-testers.

Happy Hacking With Fiddler the savior.

Testing .jar based application

Add Comment

Hi All,

Recently while performing application testing I came across new application which is based on .jar file.
The major problem with this type of application is

  • Its only supported on older devices (Nokia 5233,Nokia C2-01 etc)
  • No Wifi or internet connection.

The requirement for testing such application come from the vendor who want to give their application to the village people or rural area where people having less connectivity of internet or no connectivity.
Every sensitive transaction is possible via SMS ;) I hope you got why this type of testing is still required.

Application details:-
  1. .jar file given to you for testing 
  2. Supported on older version of mobile devices (Nokia 5233,Nokia C2-01 etc)
  3. This phones does not support any WI-FI connection. 
  4. Application does not have any internet connection. (GPRS etc) 
So in short you have to test the application which does not have any internet connection. At this point of time you must be thinking about normal mobile app sec testing in which we set the proxy and intercept the request and bla bla... Though the catch here is without using internet you have to perform the testing. 

Initially I was searching on google if I can get any useful material etc though I didn't found it. At the end thanks to Null groups and thanks to @Akash for replying me quickly and helping me.

Set up for testing .jar based application 

Below is simple step by step process for setting up test bed for testing .jar based application 

Step 1:- You will require emulator in which you can run your .jar files. The best emulator to use for such type of testing is KEmulator you can download the set up from here. 

Step 2:- After downloading this setup unzip it and launch .exe file with name KEmulator

Step 3:- Load the jar file as below 



Step 5:- You are now all good to go. 

Step 6:- At this point of time the loaded application will behave as a thick client.

Really ? Hold on few points to remember :-

Notes:-
1] In my case .jar file using no HTTP or HTTPS traffic so but obvious you will not able to see any request response etc. Just check for the code level bug or check whether developer have obfuscated the code or not. For this you can use JD-GUI tool. 

2] If your .jar file using either HTTP or HTTPS traffic then you can use Use Echo Mirage tool OR burp suite or fiddler to perform the further testing.


Apart from this I also found another nice article for doing the same testing.

I hope this will help other penetration tester where client ask to test such application.

Happy Hacking :)