Packet-capture tool: Fiddler

Source: Internet
Author: User

1). Fiddler installation

A. Download: http://fiddler2.com/get-fiddler

B. Install: nothing special to note (Next ... Next)

2). Fiddler configuration

A. Allow remote computers to connect to Fiddler

Menu: Tools -> Fiddler Options -> Connections, tick "Allow remote computers to connect"

Note: 8888 is the default port number. It can be changed, but pay attention to two points: first, the port must be free on the local machine; second, the port entered in the phone's proxy settings must be the same one.

B. Configure capture of HTTPS requests (* ignore this step if you do not need to capture HTTPS *)

Menu: Tools -> Fiddler Options -> Connections, check "Capture HTTPS CONNECTs", then

tick "Decrypt HTTPS traffic" and "Ignore server certificate errors"

Note 1: If you do not understand the English of an option label, please Google it; no further explanation is given here.

3). Install the HTTPS certificate on the phone (* ignore this step if you do not need to capture HTTPS *)

A. First determine the IP address of the computer running Fiddler. Example: 192.168.8.8

B. Open the browser on the phone under test, visit http://192.168.8.8:8888, click "FiddlerRoot certificate" and install the certificate

Note: On iPhone and iPad installation is simple, just tap Install. On Android it is a little more trouble: you need to set a lock-screen password or PIN code; the certificate installer will prompt for it, so follow the steps as they appear.

Thinkdrive packet-capture example

The first phase of testing included an app security test, so we needed to check whether the transmitted data carries the password in plaintext.

1). Start Fiddler and determine the local IP and the Fiddler port number

Local IP: 192.168.8.8

Fiddler port number: 8888

How to get the local IP: cmd -> ipconfig

2). Connect the phone to the same WiFi network and set up the proxy

A. Proxy hostname: IP of the computer running Fiddler

B. Proxy server port: the port Fiddler uses

3). Operate the app to generate request data

Requests are generated by operating the app, for example:

A. Example: Login

B. Example: Log out

4). Analyze the data captured by Fiddler

a. Example: parsing the login request

1). Double-click the login request to open it, select a tab such as WebForms or JSON to view the request parameter values, and check them against the interface document and the points you want to test; if the request is correct, check that the returned data is also correct.

2). Using test cases such as the same account with different passwords, different accounts with the same password, and so on, log in several times; this showed that the password is only MD5-hashed, with no proper encryption of the password in transit.

3). The analysis found the following issues:

Issue 1: The account and password are transmitted over HTTP, so the account and the password (MD5 value) can be captured on the local area network;
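The check made in step 4 (does a captured login request carry the password in plaintext, or only as an unsalted MD5 hash, and is it sent over plain HTTP) can be automated against a request copied out of Fiddler's Raw view. The script below is an added example, not code from the original post or from the Thinkdrive app; the host name, parameter names and captured request are constructed for illustration. It parses a raw HTTP request (form-encoded or JSON body), compares each parameter value with the password typed into the app during the test case, and reports the transport scheme and how the password appears on the wire.

```python
import hashlib
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a login request as Fiddler's Raw tab would show it.
# Host and parameter names are hypothetical; the password value is the
# unsalted MD5 of the test password "password".
CAPTURED_LOGIN_REQUEST = (
    "POST http://app.example.test/api/login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=tester&password=5f4dcc3b5aa765d61d8327deb882cf99"
)

TEST_PASSWORD = "password"  # the password entered in the app for this test case


def parse_request(raw):
    """Split a raw HTTP request into (method, url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, url, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body


def body_params(headers, body):
    """Decode a form-encoded or JSON body into a flat {name: value} dict."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        return {k: str(v) for k, v in json.loads(body).items()}
    return {k: v[0] for k, v in parse_qs(body).items()}


def classify_value(value, known_password):
    """Describe how a captured parameter value relates to the known password."""
    if value == known_password:
        return "plaintext"
    if value.lower() == hashlib.md5(known_password.encode()).hexdigest():
        return "unsalted-md5"
    return "other"


def analyze_login_request(raw, known_password):
    """Return a list of findings about transport and password exposure."""
    _method, url, headers, body = parse_request(raw)
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append("transport: credentials sent over %s, not https" % scheme)
    for name, value in body_params(headers, body).items():
        kind = classify_value(value, known_password)
        if kind != "other":
            findings.append("parameter %r carries the password as %s" % (name, kind))
    return findings


if __name__ == "__main__":
    for finding in analyze_login_request(CAPTURED_LOGIN_REQUEST, TEST_PASSWORD):
        print(finding)
```

Run against the constructed sample it reports both of the issues the test found: the request goes over HTTP, and the password parameter is just the MD5 of the typed password, so anyone on the same network segment sees a value that can be replayed or looked up against common-password tables. A request that returns no findings is not automatically safe (the password could be hashed with a salt the script does not know), but a reported finding is always a real one.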

 
