Use Fiddler to monitor the network traffic of the app. It can also do HTTPS traffic decryption.
So I use Fiddler extensively for work and the way .matt is talking about it makes it sound like he doesn't know what he's talking about either.
>This isn't EGS enumerating processes, this is literally how tools like Procmon and Fiddler work, they have injected themselves into the running process. > ...
>This is how shared libraries work on Windows, and once again in this example he is showing Fiddler which is something he has injected into EGS, nothing here.
Fiddler is an HTTP debugging proxy. It doesn't "inject" itself into running processes at all. All it does is act as a man-in-the-middle proxy server so that it can inspect outgoing HTTP requests. That's it. Web traffic gets routed to it and then you can inspect it using the various views it offers, so you can see requests and responses. It can optionally be configured to debug/inspect HTTPS traffic as well, but you need to install a special root certificate in order to do this, otherwise the data remains encrypted and can't be read. I guess maybe .matt is just trying to simplify this explanation by saying it's being "injected" purposely?
That said, the screenshots being shared do look seriously misleading. If he's using Process Monitor to show that Fiddler is doing something, well sure, it's being used to inspect HTTP traffic from the Epic Launcher, but that's not nefarious behavior, that's exactly what the person running Fiddler wanted to do.
Well, if it's a keylogger then it's sending data to the outside, I would just log all traffic for a while and see if I can find something fishy.
For specifically this issue, I would probably use fiddler: https://www.telerik.com/fiddler
But if you have a suspicious process and you want to see what it's doing, you can preview it with https://www.hex-rays.com/products/ida/support/download_freeware.shtml to see if it's storing all keystrokes maybe or something.
Not sure what your goals are, but if you use the browser-based Street View and inspect your network traffic with a program like Fiddler you can see that each scene fetches 20 .jpgs. These images do not have the embedded street names.
You can save the images directly from fiddler and/or probably whip up a script to capture and catalog them as you "drive" streetview.
EDIT: You can also view the raw images fetched by Google Earth with Fiddler.
Well when a flash file is embedded on a website (tested it with Chrome but Firefox and IE are probably affected as well), a referrer is sent.
When a client is opened with flash projector, a referrer is not sent.
> it would be limited and temporary.
I don't know what is meant by limited.
Temporary, yes; hackers may find a workaround if DECA begins to block embedded hacked clients.
>I think it’s not possible.
It's 100% possible to detect embedded hacked clients, like the one found on R***mStock. If you want to test it yourself, Fiddler is a free tool that will log HTTP/HTTPS requests.
Anyways, speaking as a slightly experienced web developer, it would be very easy to write a script that searches through server logs and collects every login made with "059client.swf" in the referrer, and then issue a huge ban wave.
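The referrer-based check described in the two comments above (an embedded client sends a referrer, a projector-launched one does not, so logins whose referrer names the hacked client file can be collected from the server logs) is sketched below as an added example; it is not code from the thread. It assumes a combined-format (nginx/Apache) access log, and the log lines are constructed, not real data:

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines, not real server data. Hostnames use the reserved
# .invalid TLD; the client filename is the one named in the comment above.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2020:10:01:02 +0000] "POST /login HTTP/1.1" 200 512 "http://game.invalid/client.swf" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2020:10:01:05 +0000] "POST /login HTTP/1.1" 200 512 "http://cheats.invalid/059client.swf" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2020:10:02:17 +0000] "GET /assets/logo.png HTTP/1.1" 200 1024 "http://cheats.invalid/059client.swf" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2020:10:03:44 +0000] "POST /login HTTP/1.1" 200 512 "-" "Flash Projector"
203.0.113.11 - - [12/Mar/2020:11:15:09 +0000] "POST /login HTTP/1.1" 200 512 "http://mirror.invalid/path/059client.swf?v=2" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_filename(referer: str) -> str:
    """Last path segment of the Referer URL, ignoring host and query string."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).path.rsplit("/", 1)[-1]


def find_flagged_logins(lines: Iterable[str], login_path: str = "/login",
                        marker: str = "059client.swf") -> List[Tuple[str, int]]:
    """Count, per client IP, login requests whose Referer names the flagged client.

    Only the login endpoint is considered, so asset fetches with the same
    referrer do not inflate the count; a missing referrer ("-") is ignored
    because absence alone proves nothing (projector clients send none)."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path:
            continue
        if referer_filename(rec["referer"]) == marker:
            hits[rec["ip"]] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    for ip, n in find_flagged_logins(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} login(s) with the flagged client in the referrer")
```

Matching on the final path segment rather than a substring keeps a mirror path or a cache-busting query string from hiding the file, and keeps unrelated files that happen to contain the marker text out of the result.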
I usually use Fiddler for web-based stuff like this. It basically acts as a transparent proxy and can set itself up as a MITM for TLS traffic so you can see the unencrypted data as it happens (requires temporarily adding the fiddler root to the OS's root trust store).
Their new Fiddler Everywhere version that I've only very briefly touched seems to be missing some key features from the old version they now call Fiddler Classic. In particular, the old version was able to target requests from a specific process rather than just intercepting everything the machine is doing. So you could point it to a particular PowerShell window and not have to wade through things like OS telemetry, Outlook checking mail, Slack, etc.
When you launch the game it opens an unencrypted connection to ping.yoyogames.com on port 443 with a zero length body. I'm pretty sure every Game Maker (2.0?) game does this.
It could send stuff later in the game, I only looked at traffic through to shortly after character creation.
You can easily check for yourself with Fiddler.
This is true; they are trying to address it with a plugin, but it still requires the developers to use it and release a new version, which doesn't appear to be happening in many cases. If you want to see what web requests a game is making, Fiddler can do it; make sure you enable HTTPS capture.
Resource Monitor is part of Windows and has a Network tab dedicated to it. It's not exactly the best, nor does it keep logs, but it might be all you require: to see, at any given moment, what programs are using your network.
I know us programmers like to use Fiddler, but that might be a bit advanced for the average user.
There are 2 ways that sites can identify a browser:
By User Agent
To modify the user agent that's been sent in http headers, you can use a proxy like Fiddler to intercept and change what IE is sending:
https://www.telerik.com/fiddler
By feature set
If the site is detecting that you're using an older browser based on its lack of support for specific features, there's not a lot that you can do.
Instead of altering the game's binaries, a more common approach to debugging an encrypted network protocol is to use a logging proxy with a custom root CA. For HTTPS traffic there are tools like mitmproxy / mitmweb or Fiddler.
Some analysis on the data being sent in this whole thread here
You can see it yourself by looking at your logs and running an app called Fiddler - https://www.telerik.com/fiddler
TLDR: It's a combination of retrieving friends lists and online status every 10-30 seconds and from memory the contents of your Oculus library likely related to updates (less frequent)
Edit: 5Mbps seems unusually high. Is this constantly or in bursts. I measured stuff recently for the Quest and my gaming PC and never saw this volume of traffic. I was getting maybe a total of 15MB uploaded over a 4 hour period.
Fiddler also supports simulating slower networks, but it may be overkill for your setup. But it's a great testing tool overall, especially if you're doing a lot of web application testing via a browser.
I'd probably load up Fiddler, point it at your PowerShell process, and look at the raw HTTP response from the API when it fails for you (optionally copy it here as well). There might be something funky like double encoding happening where the response is being parsed, but the resulting object is just a single string value that's another embedded JSON string or something like that.
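The "double encoding" symptom described above (the body parses, but the result is a single string that is itself JSON) can be checked directly on the raw body once you have it out of Fiddler. The following is an added example, not code from the comment, written in Python rather than PowerShell; the sample bodies are constructed, not captured from a real API:

```python
import json
from typing import Any, Tuple

# Constructed sample bodies: the same payload served plainly and wrapped one
# extra time as a JSON string (the server-side mistake being diagnosed).
PAYLOAD = {"status": "ok", "items": [1, 2, 3]}
PLAIN_BODY = json.dumps(PAYLOAD)
DOUBLE_ENCODED_BODY = json.dumps(PLAIN_BODY)


def parse_api_body(body: str, max_layers: int = 3) -> Tuple[Any, int]:
    """Decode a response body, peeling off extra layers of string-encoded JSON.

    Returns (value, layers): layers is 1 for a normal body and 2 or more when
    the server double-encoded. A string value that does not look like a JSON
    object or array is returned as-is, so legitimate string results are not
    mangled, and max_layers bounds the loop for pathological bodies."""
    value = json.loads(body)
    layers = 1
    while isinstance(value, str) and layers < max_layers:
        candidate = value.strip()
        if not candidate.startswith(("{", "[")):
            break
        try:
            value = json.loads(candidate)
        except json.JSONDecodeError:
            break
        layers += 1
    return value, layers


def describe(body: str) -> str:
    """One-line diagnosis for a debugging session."""
    value, layers = parse_api_body(body)
    kind = type(value).__name__
    if layers > 1:
        return f"double-encoded: needed {layers} decodes, got {kind}"
    return f"normal: got {kind}"


if __name__ == "__main__":
    print(describe(PLAIN_BODY))
    print(describe(DOUBLE_ENCODED_BODY))
```

The useful part when chasing this in Fiddler is the layer count: if it comes back as 2, the fix belongs on the server (or in a one-off second decode on the client), not in your request.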
Theoretically this should be possible on Mac as well. You'll need to download this older version of iTunes for Mac. You'll also need to download a web proxy app. Fiddler (the tool mentioned in OP's post) is available for Mac; however I have never gotten it to work. Charles is another debugging proxy that has similar functionality. It is a commercial app, however you can download it and use it for 30 days without paying. I'll see if I can come up with a set of directions on how to do this on Mac using Charles.
I'll add that if you don't want to use an external solution you can use Fiddler. It creates a local proxy and captures all web traffic. I use it to hack into APIs that are not documented. It has helped me find the quirks in a call that works from Postman/web browser and what the call from PS ends up looking like.
Yeah, those are probably the best modules for it. You can use your browser's developer tools or a local debugging proxy like fiddler to see what requests you need to send in the first place.
It's not breaking SSL encryption. Basically the company owns and manages the employee computers, so they can preconfigure them to add a trusted root CA that they own. This trusted root CA can basically be used to MITM all SSL traffic.
For example: https://security.stackexchange.com/questions/33976/man-in-the-middle-blue-coat-proxy-ssl-or-what
You can do a little test on your own by downloading and configuring Fiddler. It works similarly. I used to use it to decrypt SSL traffic on mobile devices that I was doing development on. You just have to configure your phone OS to trust the Fiddler cert first.
Edit: Actually not "all" traffic. Clients that use cert pinning can prevent this type of MITM.
The launcher is powered by the FiddlerCore library, which is a proxy that lets you modify HTTP requests. It uses it to intercept and reply to Wii U USB Helper's requests. However, without a trusted SSL certificate, programs will fail to make any HTTPS connections while the launcher is running, which would not be very convenient. You can read more about it here.
This warning is there to make users aware of what they're doing, as this could be easily abused by malware. If you trust the origin of the software, though, there's nothing to worry about.
For anyone running Windows, The Fiddler: https://www.telerik.com/fiddler is one of my favorite interception proxies because it's pretty easy to get started with and due to its jscript engine, scales as you grow. It's also one of the few that allow you to tamper at the protocol level which is pretty handy. One word of advice, however, make sure you understand what you are doing when you decrypt traffic and be wary of allowing remote computers to connect. It's pretty easy to configure it in a way that causes network bridging. As an example if you are running The Fiddler with allow remote computers to connect enabled while on a VPN, you'll bridge the VPN network to whatever network you are on and if that's your home network, that could cause issues if you don't have secured devices on that network like media libraries and whatnot.
If you're not already, you should be using Fiddler to check if your JSON is being formed properly as well as to investigate the response from the remote host. I've made several Power API functions just by using Fiddler to form the JSON: https://www.telerik.com/fiddler
Fiddler has no integration with VS - it's a standalone application (also you need to choose the Classic version - https://www.telerik.com/fiddler/fiddler-classic ). It checks all incoming/outgoing connections on the PC and can also install a root certificate to decrypt HTTPS traffic.
I've never used Selenium. Maybe it's just the user agent. Use Fiddler to see what's going on in the HTTP request that changes when you use a headless browser.
But it is probably the user agent.
Just tcpdump. It's not the quick visualization one's after, but quickly editing the filter, jumping between interfaces, juggling different filters in multiple screens at once, etc.
Wireshark is just far too clumsy in that regard, EXCEPT when you need traffic dissectors (by that point you're past juggling usually). And even then, you usually end up with something more high level, like Fiddler.
>Then you can use Charles proxy to inspect the http traffic to find the URL of their files repository.
gotcha, I will look into that, thanks!!
sounds similar to this FIDDLER tool that i just found, so hopefully one way or another we can capture that.. https://www.telerik.com/fiddler/fiddler-classic
thanks
Someone has replied with this: (
There are 2 ways that sites can identify a browser:
By User Agent
To modify the user agent that's been sent in http headers, you can use a proxy like Fiddler to intercept and change what IE is sending:
https://www.telerik.com/fiddler
By feature set
If the site is detecting that you're using an older browser based on its lack of support for specific features, there's not a lot that you can do. )
So it looks like I'll just have to use a phone or try to persuade someone to let me install the top one if it would be allowed.
Thanks timtucker_com
Sure. The process was basically:
Rinse and repeat for the functionality you want to add.
Back in 2017, I took a job as the Engineering Manager at a startup and I needed to learn WebAPI in a few days. This Pluralsight course really helped, although it's a bit dated now.
/u/FMJ_Strike mentioned Postman. It's an extremely useful tool, but note this line in the Postman EULA:
>> We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
So naturally, your cybersecurity people at work are going to freak out at what that means. Either be prepared to defend why you need to use Postman or use an alternative like Fiddler or Postwoman/Hopscotch.
I'm a bit short on time so I cannot test this at the moment, but I think Fiddler (https://www.telerik.com/fiddler) should be able to help you here. It's a proxy server to debug HTTP connections. It also allows HTTPS inspection and you can set the allowed protocols in Fiddler's options under Edit -> Options -> HTTPS -> Protocols. If you remove everything and only keep "tls1.2" then Fiddler should block traffic that is not using TLS 1.2.
For this to work your application needs to support a connection through a proxy though.
An easy way to test whether your setup will work is to use curl, for example; you can tell it to explicitly use TLS 1.0 - that way you can check if Fiddler is indeed blocking that connection.
Fair warning, I didn't watch the video, but I can see why you're not seeing an error in the console. Looks like you're swallowing your error. You're catching it with the "catch(e)" statement, but you're not doing anything with it once you do.
Try adding something like "console.error(e)" inside your catch block. That'll log out whatever error you're catching.
Also, for things like this, I use Fiddler which gives you a nice way to see all the HTTP requests and responses that are going over the wire. If the API itself is giving you an error, you'll be able to see it in Fiddler.
If it’s free, you are the product. You don't need to worry. Windows does behavior monitoring in real time out of the box. If you are interested in learning, look at Sysinternals and Fiddler.
You don't always need an API, yes it makes it easier, but it isn't always needed.
Tools like Fiddler can help, or your web browser's debugging tools can also show what requests are being made so you can track what's going on.
First check is whether the game uses certificate pinning. Install Fiddler https://www.telerik.com/fiddler and run the SSL proxy setup. This generates a self-signed CA which you need to install on the device running the game.
Next, you set a proxy on the game device to point to your Fiddler install. Run the game and Fiddler will MITM the connection and let you see the traffic.
If the game uses certificate pinning it'll reject the Fiddler proxy SSL cert because it knows it's not the correct one. Then you'll need to maybe look at dumping the game's process space and hunting for the key. Pretty sure (not done this in a while) there are tools out there to find likely keys from a process memory dump.
I think Fiddler (https://www.telerik.com/fiddler) has been the de-facto network proxy and debugger for more than a decade. I don’t know how it is since the Telerik acquisition other than that I have not heard anything negative about it lately.
I can't really say anything about the possibility of this somehow being used as a backdoor rootkit because anything can be reverse engineered to be malicious. Riot does have security researchers helping them out: https://hackerone.com/riot . Regarding the privacy issue I have tested to see when vanguard sends requests outside of my computer using Fiddler and so far it's only sent data when the valorant game client is running.
So in my case at least, it does seem to be the source of the data usage. 3 days+ now and I've only seen <300MB daily vs. the 20-30GB (both idle usage) that was being churned through. Unfortunately, it looks like the force stopping of News only works until the next restart/power cycle so it's something that has to be kept on top of.
In terms of finding what the Kindle is using, I used Fiddler https://www.telerik.com/fiddler and set up the Kindle to use it as a proxy so I could see the calls that were being made. After that it was a waiting game to see the News app seemingly start to misbehave. I'm not sure why it may affect some tablets and not others; I have 2 Fire HD 10s so it may be Fire OS version specific.
You can view https encrypted traffic by generating and installing a certificate using Fiddler. I do this with an iPad when I want to troubleshoot an app I support to see what calls are being made.
At a high level here is what I do:
- Use my laptop as a hotspot
- Connect the iPad to the hotspot
- Go into the network connections on the iPad and add the laptop IP and port 8888 as a proxy
- Use a Fiddler plugin to generate a certificate
- Install the certificate
Now you can see the unencrypted traffic in Fiddler.
Here are step-by-step instructions for setting this up on an Android device.
Try Fiddler: https://www.telerik.com/fiddler
You'll need to set it up to work for HTTPS; it should prompt you during first run, or it's in the settings somewhere. There are tutorials out there. It's wicked easy to do though.
Once it's running, you'll start seeing all the background traffic on your PC being logged. Including whatever Windows, Chrome, or any other apps are doing.
Another free tool that is similar is called Fiddler2. Given the volume of plugins available you can get somewhat close to the functionality of Burp but Burp is definitely one of the best tools for this type of work. https://www.telerik.com/fiddler Hope this helps.
Not many options here.
1) Your PC is compromised in some way. (Virus, Keylogger, etc.) The solution here is to completely wipe the PC and reinstall your OS. That is the only way to ensure you get it completely clean. However you say you've already done that. However, did you test before reinstalling your applications? If not then you could have just reinstalled the problem.
2) Someone with access to your info is doing it. Most likely option given your scenario.
3) There is some sort of unpatched facebook exploit someone is taking advantage of to bypass your login. Less likely but possible. Absolutely nothing you can do other than not use facebook.
4) Someone has access to your email and phone and is resetting your credentials ( see option 2)
5) Your passwords are too weak or are reused. Sounds like we can eliminate this one.
6) Someone on your network using a sniffer such as Wireshark or Fiddler. If they have access to your PC, they could easily install a certificate to bypass any network encryption.
In Windows, to route all your traffic through Tor, you can use Proxifier to route all TCP traffic except NDIS 6.x; for that you will also need Fiddler, and then use Proxifier to route all traffic made by Fiddler. You should disable UDP traffic on the firewall and/or router, and you should also make some traffic types like torrents and direct URLs to videos and images go direct in the Proxifier traffic rules, so it will be a more pleasant and faster experience.
Locally stored.
I'll make it very easy for you - the app has no servers currently :)
If you really want to make sure yourself, use this very easy to use web sniffer.
Try installing something like Telerik's Fiddler if you want to see what applications are generating http traffic and in what context. It's possible your app is doing something odd. You can tell for sure with Fiddler if it's different from what other apps are doing.
If you're on Windows, personally I think Fiddler is the superior and more user friendly tool, and it has the same feature to throttle network speeds. Also, Fiddler is free.
Check PowerShell versioning. I would also suggest Fiddler as it can help a lot when working with website RE.
Feel free to DM me whenever with questions regarding it :) I do a lot of PS with websites at my job for all sorts of in-house software. Just to shill myself, here are some I've made; I have a few others I am not allowed to post as they are considered company property, not mine though :9
You can use Invoke-WebRequest to emulate many process you would do in a web browser. Fiddler can help to see what the expected Requests and Responses should be.
The custom apps can be a bit more complicated. If they don't have APIs, REST, or standard connections it can be a bit more difficult. You can use most any .NET calls directly in PowerShell.
You can use .NET.Sockets to do raw network calls if there is no other choice; use a packet capture to see what is sent and expected.
Personally, I like Fiddler for debugging PowerShell web stuff like this. Open it up, drag the "Any Process" target icon thing to your PowerShell window so it only captures things coming from it. Then it basically proxies all incoming/outgoing web requests from that session, including HTTPS stuff. So you can see exactly what you're doing and what the server responds with.
Use a web debugger like fiddler or just google chrome dev tools -> network -> record. Now click the button and you will see the request. If you need more help don’t hesitate to dm me.
As devs, we do this all the time. There are all sorts of tools that help you peek into traffic, which is necessary for testing and debugging systems. Be forewarned, MITM is involved, but it's something a patient person can easily do. For your phone, check into the mitmproxy tools. For your PC, check into Fiddler. For generating predictable traffic (to assist you in learning these tools) check into Postman. It takes a bit of doing and a lot of learning, so you will be best served by viewing vids on your fav video site.
In terms of security stuff, you could test that
You may also want to ask them about their tools, like if they use things like Fiddler (for network request inspection) or JMeter (for load testing)... You could even ask them about their collaboration tools, like what do they use to maintain test cases? How do they file bugs? Do they use JIRA for tracking sprints, or Confluence for maintaining a knowledge base/wiki?
>Does 'China owned' instantly mean 'not trustworthy'?
Well, I can't describe how chatty my OnePlus 5 was with Chinese IPs when I first bought it.
Good thing I rooted it on first day & setup the firewall & removed much of bloatware.
None of the apps can communicate via network until I allow them to do so.
DYOR & install fiddler to see all the ip ranges your Opera connects to when you visit a website.
Pingplotter Pro . It's like a graphical traceroute that can use ICMP or TCP ports. Great for seeing where your packets are really going. You can leave it running for days and see how things change over time.
Fiddler for proving it really is not the network that is at fault. But F12 and the network tab are useful when you just want a quick look at what is going on. Sometimes you need to get an application level view to troubleshoot problems.
1) Download Fiddler https://www.telerik.com/fiddler
2) Run Fiddler
3) Click Tools --> Options --> and select Capture HTTPS Connects, Decrypt HTTPS traffic
4) Ensure "...from all processes" is selected
5) Select the Actions button
6) Install Fiddler Root & Intermediate certs (this may invoke a UAC prompt depending on your setup)
7) Select Protocols, make it tls1.0;tls1.1;tls1.2
8) OK
9) Validate you can see HTTPS traffic
10) Open Steam
11) Get URLs
Easy-peasy lemon squeezy as my six year old says
Does $query contain a valid Incident_Number?
I would also suggest installing Fiddler to see what is actually happening. Likely their support will ignore anything you ask them without the raw XML/HTML calls.
Yeah, I don't have anywhere near the performance issues you're having regardless of being in the office or at work. FF/Chrome here, Modern only.
Use your browser's network trace tool or Fiddler to help determine what is slow. Make sure with Fiddler you do SSL decryption. This should help your case with Microsoft, as well.
There's also:
To be honest I'm not sure what Charles does that is worth the $50. I bought it back in the day as a client used it for their automated testing, and have just stuck with it.
HTTP View is free too. There will be a paid pro version in future, but the core feature set is free forever.
In terms of advantages over Fiddler, it:
Fiddler is an interesting comparison, because right now you're right it does definitely have more features - it can do request rewriting already, for example.
In the overlap between the two though, HTTP View is much more powerful, modern & easy to use, and I'm planning to cover and expand on more or less all the features of Fiddler in time. That'll take a while of course, but it's open source, so do feel free to join in and help it catch up :-).
It is not useless. If you use an adblocker, you are giving one more company access to your entire browsing history. When you use the Ad Blocker, have you used Fiddler or similar to view the information that is being collected on you? Some Web / Adblocking companies collect your browsing data and sell as clickstream, graph, or demo / in-market data. On my phone and on browsers, I am very aware that every extension can have 3rd party partnerships to basically double dip. Either ad revenue + user data, or paid fees + user data. This is not for you, but it is for those that are very selective with what extensions they add. I shared the source code further down in the comments.
I'm going to remove this thread because this isn't a networking issue. This is a software issue.
But I wanted to provide you some info & guidance first:
Your developers suck. Kick them in the ass and push them to do their jobs better.
Tools like Fiddler and Google Chrome's Developer mode can help expose these problems, but your developers aren't using them.
The question here IS NOT "What is wrong with the network?" the question is "Why is this application so sensitive to imperfect networks?"
The answer is probably that their initial page loads are too large. If the web page/application is delivering 10MB of content to help the initial page load then this will work fine for visitors on big fat internet connections. But this will work very poorly on DSL or 3G connections.
You and your dev team need to dig more deeply into what is happening that causes these client errors and stop wasting time on network diagnostic tools.
Good luck out there.
The template itself and the data passed to it are not sent as part of the response except if you render it as part of your template. So you can safely pass a user-object with secret properties to the template, as long as you don't render any of the secret properties in the template.
If you have doubts, it's a good exercise to look at the raw request (or as close to it as you can get). An easy way to do this is to use your browser's developer tool network log, use a tool like Postman or Fiddler, or just run curl with the verbose -v flag.
My advice - install Fiddler, configure it to decrypt HTTPS, watch the conversation. Fiddler makes it pretty easy to see what web calls are being made, and how they are doing. It's very possible that autodiscover is stuck in a loop, or is making a call somewhere that isn't responding and timing out, or somewhere that is responding with data that isn't of use (incorrect responses, like from a web proxy). Fiddler makes it stupid easy to see which is the case; with that information, you can then somewhat easily tell where the problem is, if it's DNS, or if it's routing wrong, and make the most appropriate fix. Everything else is just guesswork. :)
For reference for what web calls are made, and in what order, refer to this: Outlook 2016 Implementation of Autodiscover. This has all of the webcalls, and if needed, the reg keys to disable each individual web calls.
Surely there's a way to limit the data - can't you just write a SQL query, i.e., SELECT * FROM TableName WHERE ColumnName = 'Blue' ?
Load up Fiddler on your computer while using Direct Query mode to see what queries it is generating behind the scenes.
Play with Fiddler if you get a chance.
There's a terrible app that people in my environment want to use for some reason. I'd already done the dance once where infosec (that's me) gets blamed, but I was able to show it wasn't us. The second time I was tired of this abomination and deep delved an hour or so with Fiddler.
The problem was it was returning a cert error when the user tried to login. Failed on our network, worked off our network. Weird. Our proxies (which is infosec domain) are a bit funky sometimes, so it's possible it's us, but my past experience with this app made me think it was at fault. I looked at it in Wireshark and it all looked good... the cert request, response, all gravy. What's going on here?
Looked at it in Fiddler. Turns out, it was making a few requests with DNS (say, login.domain.com). After making the request to login.domain.net it switched over to login.domain.com's IP address, fuck knows why. So once it stopped using DNS and started using the IP, the proxy was flipping out because the cert was issued to login.domain.com, not 1.2.3.4 - therefore, cert error.
I used Fiddler to modify all outgoing requests destined to 1.2.3.4 and change the destination to login.domain.com - BAM, app worked. Documented everything then kicked it back to the on site tech and told him to escalate it to the vendor (even included pretty pictures and a .pcap file so their monkeys who pretend to be devs can figure it out), issue was solved by them in a few days.
Next time this happens I'm going to bill them -_-
Wireshark is definitely an amazing, invaluable tool, but sometimes you need to muck around above layer 4.
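The cert error in the story above is the name check: the certificate was issued for login.domain.com, the client asked for 1.2.3.4, and an IP literal can never satisfy a DNS name in the certificate. The following is an added example, not code from the comment, that implements that check (exact, single-label wildcard and IP subjectAltName entries) and the host rewrite that was used as the workaround. The certificate identities and the IP-to-name mapping are constructed assumptions, not a real certificate:

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

# Constructed subjectAltName entries for a hypothetical login server cert,
# as (type, value) pairs; not taken from any real certificate.
LOGIN_CERT_SANS: List[Tuple[str, str]] = [
    ("DNS", "login.domain.com"),
    ("DNS", "*.api.domain.com"),
    ("IP", "203.0.113.5"),
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".api.domain.com"
        # The wildcard stands for exactly one label, so the label counts must agree;
        # this also stops "*.api.domain.com" from matching "api.domain.com" itself.
        return host.endswith(suffix) and host.count(".") == pattern.count(".")
    return False


def cert_matches_host(sans: Sequence[Tuple[str, str]], host: str) -> bool:
    """True if the host the client asked for is covered by the certificate's SANs.

    An IP literal is compared only against IP SANs and never against DNS SANs,
    which is exactly why a request to 1.2.3.4 fails against a cert issued to
    login.domain.com even though the bytes on the wire are otherwise identical."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def rewrite_ip_host(host: str, ip_to_name: Dict[str, str]) -> str:
    """The workaround from the thread: replace a bare IP destination with the
    hostname the certificate was issued for. The mapping is an assumption."""
    return ip_to_name.get(host, host)


def audit(hosts: Sequence[str], sans: Sequence[Tuple[str, str]]) -> List[Tuple[str, bool]]:
    """Report which requested hosts would pass certificate name validation."""
    return [(h, cert_matches_host(sans, h)) for h in hosts]


if __name__ == "__main__":
    requested = ["login.domain.com", "1.2.3.4", "foo.api.domain.com"]
    for host, ok in audit(requested, LOGIN_CERT_SANS):
        print(f"{host:22s} {'ok' if ok else 'CERT NAME MISMATCH'}")
    print("rewritten:", rewrite_ip_host("1.2.3.4", {"1.2.3.4": "login.domain.com"}))
```

Running the audit over the hosts seen in a capture tells you immediately whether an error is a name mismatch (the app's fault, as here) or something the proxy itself is doing.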
Others have done a good job of answering your question, I wanted to mention something I found out about recently for debugging html and api calls.
A program called Fiddler. You can use it to monitor and see the traffic between you and the site you're communicating with along with the data being returned.
That page uses websockets to transmit the data, which is not like a regular page. I've written pages using websockets but I've never scraped the data from a professional one. In some ways it should make it easier to code once you have the details of the websockets in use. But getting the details is a bit harder.
I'd probably look at using Fiddler on a PC to watch what's happening on the page. It can show you how the websocket data is being transmitted.
It might be worth reading how websockets works first so you know what you are looking for.