Fiddler Grab Packet HTTPS request

Fiddler grab packet HTTPS requestTags: Fiddlerhttps snatch bag2016-03-29 21:24 23293 People read Comments (2) favorite reports Classification:Do not climb mountains do not know the sky High also (1)

Copyright NOTICE: This article is Gaoschausen original article, reprint please indicate the source, this article blog address: Http://blog.csdn.net/gaoshaochen.

Directory (?) [-]

1. Fiddler Grab Packet HTTPS request
1. Tutorial Start
1. Installing fiddler
2. Configure Fiddler
3. Configure your phone
4. Grab Bag
2. Let's think about it.

Fiddler grab packet HTTPS request

Follow the tutorial to ensure 100% successful catch HTTPS package

Tutorial Start Installing fiddler

Start by preparing a WinDOS computer with internet access to prepare a smartphone.
Fiddler Grab Bag Tool: (self Baidu A search a large). Install, open if you encounter a. NET Framework error, download a high version of. Net. Okay, the tutorial has finished more than half.
Open the fiddler and open the browser. found that you can catch the bag, but want to catch the phone https also need to do some settings.

Configure fiddler

1. Open the Fiddler configuration tools–> Fiddler options. 
   
2. Open the HTTPS configuration item, tick "Capturehttps connects" and tick " Decrypt HTTPS Traffic ", Pop-up dialog box Select Yes (here is according to fiddler own certificate) if it's the same as me. The phone and the computer are linked with WiFi, you also need to select" ... fromremote clients only ". If you need to listen for an HTTPS request for an untrusted certificate, you need to tick "Ignore servercertificate errors". &NBSP
   
3. Opens the Conections configuration item, where you can modify the Fiddler proxy port number. Tick "Allow remote Computersto connect." Prompt to restart fiddler. &NBSP
   
4. haha, high-end come, need to write some code. This is to be able to catch the client using HttpURLConnection's package. &NBSP
   ruler–>customizerules 
   Add the following code to the function Onbeforeresponse:

if (oSession.oRequest["User-Agent"].indexOf("Android") > -1 && oSession.HTTPMethodIs("CONNECT")) { oSession.oResponse.headers["Connection"] = "Keep-Alive";}

• 1
• 2
• 3

• 1
• 2
• 3

Add the following code:

static Span class= "hljs-function" >function onbeforeresponse (osession:session) {if (m_hide304s && Osession.responsecode = = 304) {osession[ "ui-hide"] =  "true "; } if (Osession.orequest[ "user-agent"].indexOf (" Android ") >-1 && Osession.httpmethodis (  "CONNECT") {Osession.oresponse.headers[ "Connection"] =  "keep-alive";}}   

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8

Don't forget to restart fiddler!!!

Configure your phone

Make sure the phone and PC are under the same network segment.
Configure the Wi-Fi connection of the phone, may each phone turn on the WiFi configuration is not the same way, carefully study, select the connected network, open the Modify Network window. Show advanced properties, configure network proxy –> manual proxy server hostname: Fill in the IP address of the PC, for example: 192.168.0.4, Proxy server port number: Fiddler proxy port number, if not modified is 8888.
Key steps ha:
Download the certificate for installing fiddler

Open a proxy server in your mobile browser: port number For example, the above is 192.168.0.4:8888, click on the page "Fiddlerrootcertificate" link, in the Pop-up dialog box to set a name to determine.

Grab Bag

The test machine does not install much software, open Baidu Wallet to try

All right. Done!

Let's think about it .

Through the fiddler can grasp the package, is not that HTTPS is not safe, after all, all the requests are transparent to us. In fact, the process is very important is that we downloaded and installed fiddler root certificate, for the PC side is configured fiddler HTTPS option popup dialog box, for the phone is we go to PCIP address: Fiddler proxy port this address download certificate process.
For HTTPS security, the premise of HTTPS security is the Trusted root certificate!!!!
However, the previous operation is undoubtedly installed in our system of untrusted root certificate. So that fiddler to our communications caused a man-in-the-middle attack!.
Simply said that we communicate with the server, we will first obtain the server's certificate, the verification process is verified with the local trusted root certificate, and after loading the root certificate of fiddler, Fiddler Can forge the certificate, get our secret key to communicate with the server, to crack our communications. So it is a dangerous operation for us to install the certificate in our system!
Bang Bang Bang!! Check the water meter!!!

Top

2

Fiddler Grab Packet HTTPS request