Project Description
WebScarab and MS Fiddler are very similar tools; however, the former is used more for security analysis and testing and the latter for debugging and troubleshooting. The goal of this project is to bring some vulnerability / security analysis to Fiddler through add-ins.


Please leave suggestions/ideas in the Discussions Area. If you'd like to join the development effort, send me a note.

Why a .NET Based Security Analysis PlugIn for Fiddler?
The initial ViewState Decoder plug-in for MS Fiddler simply combines some code from an MSDN article on ViewState written by Scott Mitchell with the MS Fiddler plug-in architecture to extract and display decoded ASP.NET VIEWSTATE data in MS Fiddler. I spent about an hour on this, so I suspect it will have some kinks to work out.

The goal was simply to understand the MS Fiddler plug-in architecture and integrate a simple feature quickly to see what sort of effort it would take to build plug-ins for Fiddler. It turns out to be incredibly easy.

Going forward, I'd like to collect a list of common features from the community.

Some initial ideas are as follows:
  • Site Spider (perhaps combined with some of the features listed below)
  • XSS / CSRF Detection / Testing
  • SQL Injection Detection / Testing
  • Session Tampering
  • Brute Force Tool
  • Information Leakage Detection
  • ??

Why enhance MS Fiddler instead of contributing to WebScarab? Well, I personally don't normally like to re-invent the wheel, but the WebScarab UI leaves much to be desired and isn't built on a platform where I'm the most comfortable. MS Fiddler ties into the Windows platform, meaning:
  • Direct access to X509 Certificate Stores, making SSL/TLS decryption seamless and easy to configure
  • Supports decryption of sites using Client Certificates / SmartCards.
  • Can directly reset the WinINET Cache
  • Plug-ins can be built in any language that targets the CLR (C#, J#, VB.Net, IronPython, PHP (Phalanger), F#, Ruby.NET, Perl for .NET, etc.)

And anyway, I'm not re-inventing MUCH. Fiddler already has:
  • Uncompress/deflate HTTP traffic
  • Built-in text encoding/decoding tool (Base64, URLEncode/Decode, HexEncode, To/FromJSString, HTML Encode/Decode, UTF7 Encode/Decode)
  • Simple plug-in architecture on a platform I'm already very comfortable on.
  • Lots of internal Utility Methods accessible to plugins.
  • Rule and Scripting System for including/excluding/tampering with Traffic
  • User-Agent Modifications
  • Image Viewers, HTML Rendered Viewers
  • Can search across multiple HTTP sessions to find items of interest (in the UI or programmatically)

Since Java and C# (or J# even) are close relatives (sorta), I suspect both projects could still contribute code to each other.

Last edited May 22, 2009 at 10:37 PM by jmonty, version 38