Using Fiddler to view HTTPS data when consuming a service from a WCF Client

There might be a point during development or early testing when you need to see the data that goes over the wire when you send something over HTTP or HTTPS. There are many tools on the market that sit on the wire and show you the entire raw message that goes out and comes back; this is essentially a man-in-the-middle (MITM) position. As a simple case, you have a WCF client that has to talk to a third-party web service hosted over HTTP. All you have to do to capture the traffic is add a proxy address to the binding in your WCF config file. This routes all messages via Fiddler.

However, if the third-party service is hosted over HTTPS with a certificate attached to it, it is a little more complex. When you follow the same process, you will get the error below.

"Could not establish trust relationship for the SSL/TLS secure channel with XXXXX"

In the inner exception you will get: "The remote certificate is invalid according to the validation procedure."

This is because, from the WCF client's point of view, Fiddler acts as the service provider, and the certificate that Fiddler presents chains to a root that is not present in the Trusted Root Certification Authorities store.

You can read the page at the URL below for a better understanding of what happens under the covers when you use Fiddler to decrypt HTTPS.

http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

I will describe the steps required to use Fiddler when calling a service from a WCF client.

1. First download and install Fiddler if you don't have it.

2. After it has been successfully installed, go to Tools -> Fiddler Options.

2.1 HTTPS Tab :

Check that Capture HTTPS CONNECTs and Decrypt HTTPS traffic are both enabled.

Click the button Export Fiddler Root Certificate to Desktop. This exports the Fiddler root certificate to the desktop. (I will tell you how to add this certificate to the certificate store later.)

2.2 Connections Tab:

In the "Fiddler listens on port" textbox, enter 8888 as the port number. If this port is already in use, enter a port number that is free.

After making the above changes, click OK.

3. Now open a browser and go to http://localhost:8888 (or the port number that you entered in the Connections tab). This will initiate the Fiddler service.

4. Go to your WCF config file and add a new binding. Within the bindings section add a customBinding and use httpsTransport as its transport. The config should look like this.

<bindings>
  <customBinding>
    <binding name="SampleBinding">
      <!-- useDefaultWebProxy="false" together with proxyAddress sends every request through Fiddler -->
      <httpsTransport maxReceivedMessageSize="62914560" authenticationScheme="Anonymous"
        maxBufferSize="62914560" useDefaultWebProxy="false" proxyAddress="http://localhost:8888"
        proxyAuthenticationScheme="Anonymous" />
    </binding>
  </customBinding>
</bindings>

You would then reference this binding from the client section.

<client>
  <endpoint name="testEndpoint"
    address="https://testing.madurai.com:22043/webservices/goldApplication"
    binding="customBinding"
    bindingConfiguration="SampleBinding"
    contract="NavarathnaMaligai.MA.BizTalk.GoldApps.IGoldApplication" />
</client>

This routes the traffic to the service via Fiddler. However, as I said before, you will now get the following error.

"Could not establish trust relationship for the SSL/TLS secure channel with XXXXX"

In the inner exception you will get: "The remote certificate is invalid according to the validation procedure."

To resolve this, all you have to do is:

5. Import the certificate that we exported in step 2.1 into the Trusted Root Certification Authorities store. Note that you should import it into the Computer account, not the user account.
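The same setup expressed in code, as an added example that is not part of the original post: it builds the customBinding from step 4 programmatically (with ProxyAddress pointing at Fiddler), checks whether the Fiddler root from step 5 is actually in Local Computer \ Trusted Root Certification Authorities before opening the channel, and offers a helper to remove that root again once debugging is over, since while it is present the machine trusts every certificate Fiddler generates. The subject name DO_NOT_TRUST_FiddlerRoot, the TextMessageEncodingBindingElement (a custom binding needs an encoder in front of the transport) and the IGoldApplication interface with its Ping operation are assumptions; the endpoint address and port are taken from the post.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not the post's own code): WCF client routed through Fiddler.
public static class FiddlerProxyDebugging
{
    // Assumption: Fiddler is listening on the port chosen in step 2.2.
    public const string FiddlerProxy = "http://localhost:8888";

    // Assumption: subject name of the root certificate Fiddler exports in step 2.1.
    // Check the exported .cer file if your Fiddler version names it differently.
    public const string FiddlerRootSubject = "DO_NOT_TRUST_FiddlerRoot";

    // Hypothetical contract; the post's real one is
    // NavarathnaMaligai.MA.BizTalk.GoldApps.IGoldApplication.
    [ServiceContract]
    public interface IGoldApplication
    {
        [OperationContract]
        string Ping();
    }

    // Code equivalent of the <customBinding name="SampleBinding"> in the config above.
    public static CustomBinding CreateProxiedHttpsBinding()
    {
        var transport = new HttpsTransportBindingElement
        {
            MaxReceivedMessageSize = 62914560,
            MaxBufferSize = 62914560,
            AuthenticationScheme = AuthenticationSchemes.Anonymous,
            UseDefaultWebProxy = false,            // ignore the system (WinINET) proxy settings
            ProxyAddress = new Uri(FiddlerProxy),  // send every request through Fiddler instead
            ProxyAuthenticationScheme = AuthenticationSchemes.Anonymous
        };
        // A custom binding needs a message encoder ahead of the transport element;
        // text encoding with SOAP 1.1 is assumed here.
        var encoding = new TextMessageEncodingBindingElement { MessageVersion = MessageVersion.Soap11 };
        return new CustomBinding(encoding, transport);
    }

    // True when the Fiddler root sits in Local Computer \ Trusted Root Certification
    // Authorities, i.e. the store step 5 imports into. Without it the client throws
    // "Could not establish trust relationship for the SSL/TLS secure channel".
    public static bool IsFiddlerRootTrustedByMachine()
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, FiddlerRootSubject, false);
            return matches.Count > 0;
        }
        finally { store.Close(); }
    }

    // Removes the Fiddler root from the machine store after debugging, so the machine
    // stops trusting Fiddler-generated certificates. Returns how many were removed.
    // Requires administrator rights, like the import in step 5.
    public static int RemoveFiddlerRootFromMachine()
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, FiddlerRootSubject, false);
            store.RemoveRange(matches);
            return matches.Count;
        }
        finally { store.Close(); }
    }

    public static void Main()
    {
        if (!IsFiddlerRootTrustedByMachine())
        {
            Console.WriteLine("Fiddler root is not in LocalMachine\\Root; complete step 5 first.");
            return;
        }

        var address = new EndpointAddress("https://testing.madurai.com:22043/webservices/goldApplication");
        var factory = new ChannelFactory<IGoldApplication>(CreateProxiedHttpsBinding(), address);
        IGoldApplication client = factory.CreateChannel();
        try
        {
            // The request and the decrypted response now appear in the Fiddler session list.
            Console.WriteLine(client.Ping());
            ((IClientChannel)client).Close();
        }
        catch (Exception)
        {
            ((IClientChannel)client).Abort();
            throw;
        }
        finally { factory.Close(); }
    }
}
```

Keeping the proxy address and the trust check in one place makes it easy to run the same client against Fiddler on a developer box and, on any other machine, fail early with a clear message instead of the generic SSL/TLS trust exception; calling RemoveFiddlerRootFromMachine when you are done returns the machine to its normal trust configuration.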

Shankar


2 thoughts on "Using Fiddler to view HTTPS data when consuming a service from a WCF Client"

    • Hi Surya,

      Ideally you shouldn't use this in a production environment, because using this would violate security norms. However, if you still want to use it under exceptional circumstances, you can follow the same steps as described in the post. As Fiddler is basically used like a man-in-the-middle attack, you can view almost all network messages from the machine you are intercepting. Hope this helps; if not, please let me know.

      Cheers
      Shankar
