In this article, we look at how and why you might modify HTTP packets on their way to the server and in the responses coming back from it.

Why do this?

Example 1. Traffic analysis.
Your network users are using your proxy server. You can see which sites users visit and block further visits to those sites.

Example 2. Collecting data.
Your users reach some web resources through you. For example, they enter the VIN of their car on a car dealer’s website and receive the data for this car in response. You can save this data to your database.

Example 3. Spoofing HTTP packets.
You need to change the look of the site for your users. You can change the styles of the site, hide any elements, add your own elements, cut out certain words or replace them with other words, or replace a site image with one of your own.

Example 4. Substitution of POST data.
You need to correct the data sent to the web server via a POST request. A lot of information is passed in POST requests. Example: sending a username/password to the server during the authorization process. Another example: an online test sends the results of your test to the server.

Installing Fiddler

  1. Go to https://www.telerik.com/download/fiddler, download Fiddler Classic.
  2. Installation is quick and easy.
  3. Launch the program.

Configuring Fiddler

The File menu has an option called “Capture Traffic”. The option is enabled by default. This means that Fiddler registers itself in the Windows registry as a proxy server. Internet Explorer, Edge, Chrome browsers use this setting, which means that HTTP packets from these browsers will go through Fiddler.

If the “File -> Capture Traffic” option is disabled, Fiddler stops working as the system proxy server and intercepts only those packets that are sent directly to the Fiddler address. This is the case when you have configured your application or browser yourself to work through Fiddler’s IP address and port. By default Fiddler listens on 127.0.0.1:8888.

“Keep: All sessions” option.
In this mode, Fiddler does not clear the collected HTTP packet log. If you need Fiddler to run for a long time, then under heavy load there will be a lot of these packets and Fiddler will eat up all the available computer memory. To avoid this, switch to the “Keep: 100 sessions” mode.

“Decode” option.
Disabled by default. When analyzing collected packets, it is recommended to enable it so that packets are decoded automatically. Alternatively, you can select the collected packets with Ctrl + A, right-click the selection to open the menu, and click “Decode Selected Sessions”.

Basic settings

Go to “Tools -> Options …”.

“HTTPS” tab.

After installation, Fiddler does not collect HTTPS traffic; this must be enabled. Tick the “Decrypt HTTPS traffic” option. After that, Fiddler will generate a self-signed certificate and ask if you want to install this certificate. The answer is yes.

Option “Ignore server certificate errors (unsafe)” – you can leave it off at first. Certain portals have certificate errors, but this is rare; turn it on when you run into one. While it is on, Fiddler accepts invalid upstream certificates, so clients behind it no longer see those errors.

Configuring protocols. The default is “<client>; ssl3; tls1.0”. I advise you to immediately set the value to “<client>; ssl3; tls1.0; tls1.1; tls1.2”. After changing the settings, you must restart the program for the settings to take effect.

“Actions” button:

“Trust Root Certificate” – if you did not install the certificate generated by Fiddler after enabling the “Decrypt HTTPS traffic” option, you can do it here.

“Export Root Certificate to Desktop” – if you plan to use Fiddler as a proxy server for your local network, then you need to install the certificate generated above on each user’s device. Use this option to save the certificate to your desktop.

“Reset All Certificates” – in some cases it is necessary to generate a new certificate to replace the old one. In this case, we reset all Fiddler certificates and generate a new certificate.

“Connections” tab.

Here we set on which port Fiddler works as a proxy server. The default port is “8888”.

“Allow remote computers to connect” – enable the option so that Fiddler starts accepting connections from other computers.

“Act as system proxy on startup” – this option is enabled by default. If enabled, the option “File -> Capture Traffic” is enabled at startup.

After changing these settings, you must restart the program for the settings to take effect.

“Gateway” tab.

Here we set where Fiddler sends incoming packets, which proxy it uses.

“Use System Proxy (recommended)” – use the system proxy from the registry of the current user.

“Manual Proxy Configuration” – the ability to manually set a proxy server.

“No proxy” – set that access to the Internet is direct, without using a proxy.

After changing these settings, you must restart the program for the settings to take effect.

Installing certificates on Windows devices

After the generated certificate is copied to the desktop, this certificate must be installed on each device that will use this Fiddler as a proxy server.

To install the certificate, use the MMC management console: in the command line, enter the “mmc” command.

In the File menu, select “Add or remove snap-in”. From the available snap-ins, select “Certificates” and use the “Add” button to select this snap-in. Click “OK” and select “computer account”. This is needed to open the certificates that are installed for the entire computer, and then install the Fiddler certificate in this particular store. If you open the “my user account” certificates, then after installing the Fiddler certificate in this store, other users on this computer will not be able to connect to Fiddler.

Install the certificate in the “Trusted Root Certification Authorities” store.

If your computers are on a domain, then use the domain tools to install a certificate for every user or every computer on the network.

Traffic analysis

While running, Fiddler captures all HTTP requests, and there are usually many of them. You can use filters to find the requests you need. Right-click an unwanted request, then select “Filter Now” and “Hide ‘…'” to hide requests to this domain. You can manually delete selected requests using the “Delete” button.

In addition to using filters, you can search for specific text in the body of requests/responses: press “Ctrl + F” to open the search menu. Matching requests are highlighted in yellow by default.

Modifying Query Data

Fiddler provides the “Fiddler ScriptEditor” tool for creating traffic modification rules. Launch the script editor with “Ctrl + R” or by selecting the “Rules -> Customize Rules …” menu item.

There are two main methods in the script editor: “OnBeforeRequest” and “OnBeforeResponse”:

“OnBeforeRequest” – script execution in this method occurs before sending packets to the webserver.

“OnBeforeResponse” – scripts in this method are executed after receiving a response from the webserver.

Below are examples of scripts, with an indication of which method to place them in.

Task 1: Banning the site

We block navigation to any site address containing a given string.

Task 2: Prevent loading a resource

We prohibit downloading “.svg” files for the given site address.
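
One way to write Tasks 1 and 2 in FiddlerScript, shown as an added example and not the article's original scripts. The host names “blocked.example” and “portal.example” and the helper “IsSvg” are assumptions; the rule body goes into the existing “OnBeforeRequest” method.

```jscript
// Added example for CustomRules.js (FiddlerScript, JScript.NET).
// Both functions belong inside the existing "class Handlers"; merge the body
// of OnBeforeRequest into the one that is already there.
// blocked.example, portal.example and IsSvg are hypothetical names.

// True when the path, ignoring any query string, ends in ".svg".
static function IsSvg(sPathAndQuery: String): boolean {
    var iQuery: int = sPathAndQuery.IndexOf("?");
    var sPath: String = (iQuery >= 0) ? sPathAndQuery.Substring(0, iQuery) : sPathAndQuery;
    return sPath.ToLower().EndsWith(".svg");
}

static function OnBeforeRequest(oSession: Session) {
    // Task 1: fail every request whose URL contains the string. For HTTPS the
    // host name is already present on the CONNECT tunnel request, so a
    // host-name string blocks the site even when HTTPS decryption is off.
    if (oSession.uriContains("blocked.example")) {
        oSession["ui-color"] = "red";  // highlight the blocked session in the list
        oSession.oRequest.FailSession(403, "Blocked", "Blocked by proxy policy");
    }
    // Task 2: on one site, fail only .svg files. The path of an HTTPS request
    // is visible only when "Decrypt HTTPS traffic" is enabled; CONNECT tunnels
    // carry only host:port, so they are skipped.
    else if (!oSession.HTTPMethodIs("CONNECT")
             && oSession.HostnameIs("portal.example")
             && IsSvg(oSession.PathAndQuery)) {
        oSession["ui-color"] = "red";
        oSession.oRequest.FailSession(404, "Blocked", "SVG blocked by proxy policy");
    }
}
```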

Task 3: Forwarding the request

Redirect a request for a site address containing a given string.

Task 4: Collect data

Users connect through this proxy server and make requests in their browsers such as “https://myhost.ru?key=abcd&vin=VF38BLFXE81078232&lang=ru”. The task is to write the search event to the database and pass the value of the VIN number. This script creates files with a name that includes the VIN number. In addition to the script, you need to create a utility/service that reads the “C:\vinsearch\” directory at a specified interval and writes the data to the database.

Task 5: Change the text in the response

In this example, change the text “Smith” to “Agent”.

Task 6: Replace the web portal resource with a local resource

Let’s replace the picture of the web portal with the picture located on the local disk.

Task 7: Modifying the Properties of HTML Objects

For example, there is a picture with specified dimensions in HTML and you need to change these dimensions.

Task 8: Hide elements by className by changing css files

In this example, we hide the elements knowing their className in the css file by adding the property “visibility: hidden;”

Task 9: Make the page open in the current window

Example: There is JavaScript that opens a link in a new window. You need to make the link open in the current window.

Task 10: Executing scripts for specific IPs

In this example, change the text “Smith” to “Agent” only for IP = “192.168.0.100”

Task 11: Change the css styles of the portal

The css files of the web portal can be saved on the local disk, edited and the script can be configured to serve styles from the local disk, and not from the portal.

Task 12: Prohibit PUT Commands and Similar

Block requests by their method: “PUT”, “DELETE”, etc.

Task 13: Modifying the body of the POST request

Modify the body of the POST request for the specified portal. When a user logs in to this portal, regardless of the data entered by the user, data from the script will be sent to the web portal.

Task 14: Changing the HTTP packet headers

Packet headers can be easily edited: delete, add, change.
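
The three header operations from Task 14 on both the request and the response side, as an added FiddlerScript example that is not the article's original script. The host “portal.example” and the “X-Lab-Proxy” header are assumptions; each body goes into the existing method of the same name.

```jscript
// Added example for CustomRules.js (FiddlerScript, JScript.NET); merge each body
// into the existing function of the same name inside "class Handlers".
// portal.example and the X-Lab-Proxy header are hypothetical.

static function OnBeforeRequest(oSession: Session) {
    // Headers of an HTTPS request can be edited only on decrypted sessions;
    // the CONNECT tunnel request itself is left alone.
    if (!oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("portal.example")) {
        // Delete: do not tell the portal which page the user came from.
        oSession.oRequest.headers.Remove("Referer");
        // Add: tag the request so the portal's logs show it passed this proxy.
        oSession.oRequest["X-Lab-Proxy"] = "fiddler";
        // Change: overwrite the value only when the client sent the header.
        if (oSession.oRequest.headers.Exists("Accept-Language")) {
            oSession.oRequest["Accept-Language"] = "en";
        }
    }
}

static function OnBeforeResponse(oSession: Session) {
    if (!oSession.HTTPMethodIs("CONNECT") && oSession.HostnameIs("portal.example")) {
        // Delete: strip headers that advertise the server software.
        oSession.oResponse.headers.Remove("Server");
        oSession.oResponse.headers.Remove("X-Powered-By");
        // Add: set a header only if the portal did not send it.
        if (!oSession.oResponse.headers.Exists("X-Content-Type-Options")) {
            oSession.oResponse["X-Content-Type-Options"] = "nosniff";
        }
        // Change: replace whatever caching policy the portal returned.
        oSession.oResponse["Cache-Control"] = "no-store";
    }
}
```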

Task 15: Changing the Cookie

Working with Cookies: adding, deleting, editing

Thanks for reading and good luck on the data sniffing fields!