1). Fiddler installation
A. Download: http://fiddler2.com/get-fiddler
B. Install: accept the defaults (Next ... Next)
2). Fiddler configuration
A. Allow remote computers to connect to Fiddler
Menu: Tools -> Fiddler Options -> Connections, tick "Allow remote computers to connect"
Note: 8888 is the default port number. It can be changed, but keep two points in mind: the port must be free on the local machine, and the port entered in the phone's proxy settings must match it.
B. Configure capture of HTTPS requests (* skip this step if you do not need to capture HTTPS *)
Menu: Tools -> Fiddler Options -> Connections, tick "Capture HTTPS CONNECTs", then
tick "Decrypt HTTPS traffic" and "Ignore server certificate errors"
Note 1: If you do not understand an option's English name, look it up; it is not explained further here.
3). Install the Fiddler HTTPS certificate on the phone (* skip this step if you do not need to capture HTTPS *)
A. First determine the IP address of the computer running Fiddler. Example: 192.168.8.8
B. Open the browser on the phone under test, visit http://192.168.8.8:8888, click "FiddlerRoot certificate" and install the certificate
Note: On iPhone and iPad installation is simple, just tap Install. On Android it is a little more trouble: you need to set a lock screen password or PIN; the certificate installer will prompt for it, so follow the steps it shows.
Thinkdrive packet capture example
The first phase of testing included an app security test, so we needed to check whether the transmitted data carries the password in plaintext.
1). Start Fiddler and determine the local IP and the Fiddler port number
Local IP: 192.168.8.8
Fiddler port number: 8888
How to get the local IP: cmd -> ipconfig
2). Connect the phone to the same WiFi network and set up the proxy
A. Proxy hostname: IP of the computer running Fiddler
B. Proxy server port: port used by Fiddler
3). Operate the app to generate request data
Trigger data requests by operating the app, for example:
A. Example: Login
B. Example: Log out
4). Analyze the data captured by Fiddler
a. Example: parsing the login request
1). Double-click the login request to view it, select a tab such as WebForms or JSON, and view the request parameter values. Compare them against the interface document and the points you want to test; if the request is correct, check that the returned data is also correct.
2). Run several logins with test cases such as the same account with different passwords and different accounts with the same password. Across these logins we found that the password is only MD5-hashed; there is no proper encryption of the password in transit.
3). The analysis found the following issue:
Issue 1: The account and password are transmitted over HTTP, so the account and the password (its MD5 value) can be captured on the local area network.
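The check in step 4 can be automated over captured sessions. The Python below is an added example, not part of the original write-up or of any Fiddler feature: it parses a request in the shape Fiddler's Raw tab shows, pulls out the form fields, and reports the two findings described above, namely a credential field sent over plain HTTP and a password that is only an unsalted MD5 digest. The request text, hostnames, paths and field names are constructed for the example and are not from the tested app.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Field names commonly used for credentials (assumed list, extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Hex digest lengths that betray an unsalted hash sent instead of the password.
HASH_PATTERNS = {
    "md5": re.compile(r"[0-9a-fA-F]{32}"),
    "sha1": re.compile(r"[0-9a-fA-F]{40}"),
    "sha256": re.compile(r"[0-9a-fA-F]{64}"),
}

# Constructed sample: a login over plain HTTP where the app has MD5-hashed the
# password client-side (the digest of the string "password", computed here).
MD5_OF_SAMPLE = hashlib.md5(b"password").hexdigest()
SAMPLE_REQUEST = (
    "POST http://192.168.8.8:8080/api/login HTTP/1.1\r\n"
    "Host: 192.168.8.8:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    f"username=tester&password={MD5_OF_SAMPLE}&remember=1"
)

# Constructed sample: the same login over HTTPS with the password sent as-is
# inside the TLS-protected body, which is the expected baseline.
SAMPLE_HTTPS_REQUEST = (
    "POST https://app.example.test/api/login HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=tester&password=correct-horse&remember=1"
)


def parse_request(raw):
    """Split a raw HTTP request into method, scheme, host, path and fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Proxied traffic carries an absolute URL in the request line; fall back
    # to the Host header for an origin-form target like "/api/login".
    url = target if "://" in target else "http://" + headers.get("host", "") + target
    parts = urlsplit(url)
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    # Query-string parameters are just as visible on the wire as the body.
    fields.update({k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()})
    return {"method": method, "scheme": parts.scheme.lower(),
            "host": parts.netloc, "path": parts.path, "fields": fields}


def classify_value(value):
    """Return 'md5', 'sha1', 'sha256' for a bare hex digest, else 'plaintext'."""
    for name, pattern in HASH_PATTERNS.items():
        if pattern.fullmatch(value):
            return name
    return "plaintext"


def analyze(raw):
    """Return a list of findings for credential fields in one captured request."""
    req = parse_request(raw)
    findings = []
    for name, value in req["fields"].items():
        if name.lower() not in CREDENTIAL_FIELDS:
            continue
        if req["scheme"] != "https":
            findings.append(
                f"{name}: sent over {req['scheme']} to {req['host']}{req['path']}; "
                "anyone on the LAN path can capture it, so the transport must be HTTPS")
        kind = classify_value(value)
        if kind != "plaintext":
            findings.append(
                f"{name}: only an unsalted {kind} digest, which is the same value on "
                "every login; client-side hashing does not substitute for HTTPS")
    return findings


if __name__ == "__main__":
    for label, sample in (("HTTP + MD5", SAMPLE_REQUEST), ("HTTPS + plain", SAMPLE_HTTPS_REQUEST)):
        print(label, "->", analyze(sample) or ["no findings"])
```

The HTTPS sample yields no findings: a password inside a TLS-protected body is the normal baseline, while the HTTP sample produces both findings reported in the analysis. To run it against real captures, export the sessions from Fiddler as raw text and feed each request to `analyze`.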
 
Fiddler, a powerful packet capture tool