Collecting a Fiddler Trace of an Application

This is a tutorial I can pass out for friends to collect traces of applications’ web requests.

Why?

Many applications these days use web requests to authenticate with and share data with servers. When you have problems and need to debug (or if you want to reverse engineer things) you can use this method to “peer into” this stream of information.

In particular, I’m working on resolving “heisenbugs” involving the OneNote authentication stack against SharePoint/OneDrive and fiddler traces are a great way to look into problems.

What?

The Fiddler application is a great way to capture requests including proxying and decoding HTTPS and includes other nifty tools which I won’t have time to go into here (replaying requests and other such tom foolery).

Go ahead and install it here.

How?

Go ahead and run the application. There are two steps you’ll need before you’re ready to capture traces:

First, security practices now employed for Windows Universal apps prevent apps from communicating through a localhost proxy without admin privileges. Fiddler has a handy utility to exempt Universal applications:

Note that you only need to do this if capturing traces from a Universal app like OneNote Universal; skip if capturing from a traditional Win32 app:

Exemption Utility
Checkbox to exempt app

Next, you’ll need to add a root certificate to decrypt HTTPS traffic.

Before you ask, yes this is a horrifying security vulnerability. However, as long as your certificate doesn’t leave your machine, others won’t be able to use it to trick your device into believing requests are authenticated. You “should”also remove the certificate when you’re done using the Actions button in the Fiddler settings.

Click here to decrypt HTTPS traffic and accept the prompts to add the root certificate to your trust store

Now restart Fiddler and you’ll be all set!

PS: I also recommend on the lower left corner setting Fiddler to capture “non-browser” traffic. You can also use the little sign icon in the toolbar to select the specific process (just click there and click on the window you want to capture).

Time to capture!

Start fiddler, start your application, and you can see all the requests come through.

The window on the left lets you select the request and view details about it. You can then view Headers, Text of the response, JSON representations, all sorts of fun stuff.

You can share the results by clicking “File=>Save=>All Sessions…”

I recommend you set a password because these traces generally contain quite sensitive information (like passwords, authentication tokens, content). Best practice is to send the trace itself and the password through separate channels (email attachment and then slack, skype, text, web message etc.).

You can also scope the trace by selecting individual sessions in the left pane and saving “Selected Sessions” if you know what you’re looking for.

Leave a Reply