In this blog post we will go through simple steps on how to use Fiddler when you are not able to intercept any traffic via Burp Suite (this generally happens while doing mobile app security testing).
How I landed @Fiddler :-
During the pen testing of a mobile application, I was trying to intercept traffic via Burp Suite. But, my bad, I was not able to intercept the traffic; I googled, etc., but no luck. I wanted to test the application on priority, to ensure that troubleshooting the problem didn't consume a lot of time.
At last, I decided to use Fiddler. Thanks to my mentor who helped me learn this.
He knows what I mean :D
But trust me guys, Fiddler is a savior when you don't have any hope that you can intercept the traffic, so I call Fiddler the savior xD.
I will walk through a few simple steps which you can take in a situation where you have to test the application on priority and you don't have time to troubleshoot the problem in Burp Suite.
You can download Fiddler from this link
Points covered:-
1] Setting up test environment to capture the mobile traffic
2] How to turn intercept on and off like we do in Burp Suite
3] How GUI Looks and what it means
4] How to intercept request from particular browser or process
5] How to intercept request only from particular host
6] How to redirect fiddler traffic to the burp
7] How to repeat the request (Similar to Burp Repeater)
I am writing this blog considering we are trying to intercept mobile application traffic, though this will work for all sorts of application testing.
So let's start,
1] Setting up test environment to capture the mobile traffic
Step 1:- Go to Tools ==> Fiddler Options
Step 2:- Set the settings shown below
Step 3:- Set the Fiddler listener port. Use the same port value in the proxy settings of your mobile device's Wi-Fi section.
PS: Please make sure you install the Fiddler certificate on the mobile device on which you are doing the testing, otherwise you won't be able to capture the traffic in Fiddler.
1- Connect your laptop and your mobile device to the same Wi-Fi network.
2- Check your laptop's IP address and use it as the proxy address in your mobile Wi-Fi network settings.
3- Go to the mobile browser and type http://ipv4.fiddler:8888
4- Download the certificate and install it.
2] How to turn intercept on and off like we do in Burp Suite
Well, if you are a Burp Suite lover and you want to see the same intercept on / intercept off behaviour in Fiddler, you can do that with the steps below:-
Intercept On:- Fiddler will capture the request and hold it so that it does not go to the server until you release it.
Go to Rules==> Automatic Breakpoints ==> Before Requests (This will work as Intercept on in burp)
Before Requests: lets you modify the request before it reaches the server.
After modifying or playing around with the request, if you now want to play around with the response:
Go to Rules==> Automatic Breakpoints ==> After Responses (This will work as Intercept off in burp)
After Responses: lets you modify the response before it reaches the mobile device.
Intercept Off :- Simply click on Disabled.
3] How GUI Looks and what it means
4] How to intercept request from particular browser or process
Well, if you want to intercept only particular requests, say from web browsers or from another device, you can set that from the "All Processes" box at the bottom of the Fiddler window: click on it and select All Processes if you want to intercept requests from every process, or select Web Browsers if you want requests only from the web browsers.
OR, to be more precise:
1- First go to Fiddler Options ==> Connections and copy the path by clicking on "Copy Browser Proxy Configuration URL"
2- Go to your browser, in my case "Firefox":
click Tools ==> Options ==> Advanced ==> Network ==> Settings, and input the URL of the BrowserPAC.js.
3- Install the Fiddler root certificate in the Firefox browser
Go to
Tools ==> Fiddler Options ==> HTTPS ==> click on "Actions" ==> click on "Export Root Certificate to Desktop"
5] How to intercept request only from particular host (Application which you are testing)
When you open Fiddler you will see a bunch of requests going in and out. The big problem is that you only want to capture the requests of the application which you are testing; the rest of the traffic is just unwanted noise.
So to make your testing smooth and capture only the requests you want to test, follow the simple steps below:
PS: This is just like in Burp Suite, where you first add the host to scope and then set Burp Suite to intercept only requests which are in scope.
5.1 - Click on the Filters tab
5.2 - Select Use Filters
5.3 - Under Hosts, in the second dropdown, select "Show only the following hosts"
OR
Say, for example, you want to capture only facebook (web module) domain traffic: follow the same steps mentioned above and under Hosts add "www.facebook.com", and you are good to go to capture facebook domain traffic via Fiddler.
6] How to redirect fiddler traffic to the burp
6.1 Open the Fiddler proxy tool. Go to Tools ==> WinINET Options and disable the system proxy, so that Fiddler captures only the traffic proxied from the remote device and not the local machine's own traffic.
6.2 Under the "HTTPS" tab:
Go to Tools ==> Options ==> HTTPS, and tick "Capture HTTPS CONNECTs".
Also select "Allow remote computers to connect" under the Connections tab.
6.3 Click on the Gateway tab.
6.4 Click on "Manual Proxy Configuration"
6.5 In place of the IP, write 127.0.0.1:port_number (the port on which your Burp tool is running)
With this setting, Fiddler will forward its traffic to Burp.
Now just minimize Fiddler and use Burp Suite to see the traffic.
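The same three settings (the breakpoints from section 2, the host filter from section 5 and the forwarding to Burp from section 6) can also be applied per session from FiddlerScript (Rules ==> Customize Rules, which opens CustomRules.js). This is an added example, not code from the original post or from Fiddler itself; the target host and the Burp listener address are assumed placeholders that you replace with your own:

```jscript
// Added example for Fiddler's CustomRules.js (Rules ==> Customize Rules).
// Not from the original post; the host and proxy values are placeholders.
import System;
import Fiddler;

class Handlers {
    // Assumption: host of the app under test, change to your target.
    static var s_TargetHost: String = "api.example-app.test";
    // Assumption: Burp's listener, same value as the Gateway setting in section 6.
    static var s_BurpProxy: String = "127.0.0.1:8080";

    static function OnBeforeRequest(oSession: Session) {
        // Section 5: hide every session that is not for the target host
        // from the session list (same effect as "Show only the following hosts").
        if (!oSession.HostnameIs(s_TargetHost)) {
            oSession["ui-hide"] = "true";
            return;
        }
        // Colour in-scope sessions so they stand out in the list.
        oSession["ui-color"] = "red";

        // Section 2: pause the request before it leaves for the server
        // (same effect as Rules ==> Automatic Breakpoints ==> Before Requests).
        oSession["x-breakrequest"] = "true";

        // Section 6: send this session through Burp instead of the default
        // gateway (same effect as the Manual Proxy Configuration setting),
        // so only the in-scope host reaches Burp.
        oSession["x-overrideGateway"] = s_BurpProxy;
    }

    static function OnBeforeResponse(oSession: Session) {
        if (!oSession.HostnameIs(s_TargetHost)) { return; }
        // Section 2: pause the response before it goes back to the device
        // (same effect as Rules ==> Automatic Breakpoints ==> After Responses).
        oSession["x-breakresponse"] = "true";
    }
}
```

Save the file in the script editor and Fiddler recompiles the rules immediately; remove the two breakpoint lines if you only want the filtering and forwarding without pausing every session.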
7] How to repeat the request (Similar to Burp Repeater)
In Fiddler, you can repeat a request as many times as you like by hitting SHIFT+R on the selected Web Session. You'll be prompted for a repeat count and then Fiddler will issue the specified number of requests.
I have listed the settings of Fiddler that I'm familiar with. If you know of any other Fiddler feature which I've not listed in this blog, please feel free to share it with me or DM me. I would love to incorporate those in my blog, as that would help other pen-testers.
Happy hacking with Fiddler, the savior.