FiddlerCore: HTTP Tunnel Issue - http

I have an application, and I am trying to intercept its requests with FiddlerCore.
Using Fiddler, I see the requests as follows:
https://i.stack.imgur.com/bhUqK.png
(HTTP CONNECT tunnel into HTTPS request)
When using FiddlerCore, I am only seeing the initial HTTP CONNECT tunnel, and the application is not requesting. after that, stating:
Failed to connect to server.
This is the code I'm using in the BeforeRequest method:
if (oSession.HTTPMethodIs("CONNECT"))
{
oSession["x-replywithtunnel"] = "FakeTunnel";
return;
}
And the output from the FiddlerCore program (upon running the application):
https://i.stack.imgur.com/0Fc2q.png
The application is a Java application, which I had to create a keystore for using the FiddlerRoot certificate, and I am wondering if this is where the problem lies.
(Images as such since low reputation)

Solution: FiddlerCore uses a different SSL certificate than Fiddler itself.

Related

Trouble making http request from lighttpd server to pm2 server

Background:
I have my personal website running on a lighttpd server on my raspberry pi. I have that server’s port (80) forwarded so it can be accessed publicly.
I’m in the process of making a project, and I want a node.js service to make requests to from the lighttpd server. I set up pm2 so the node.js server is always running. I have that port forwarded too (5000). I've verified that this server is working via postman and the browser
Problem:
I'm receiving the following error when making requests:
has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space private.
Of note; I have Access-Control-Allow-Private-Network:true in the response header and Access-Control-Request-Private-Network:true in the request header. The only other solution I've found that might fix this is getting an SSL cert for the lighttpd server and using https for it, however I'm struggling setting that up to see if it would work
Questions:
Would getting an SSL cert for lighttpd allow me to make requests to my pm2 server?
Is there a different solution?
How secure is this setup? I don't expect a lot of traffic...

How to use Python requests to connect to a server through proxy when both requires different client certificate

I want to connect to a https server using python requests library through a proxy. The code roughly looks like
response = requests.get(SERVER_ENDPOINT, proxies=PROXIES, cert=??)
My problem is, both server and proxy requires client authentication, and unfortunately different CA is used to authenticate server and proxy. Is there a way to pass two CAs when making a request? The documentation doesn't seem to be very clear on this scenario.
Any help is greatly appreciated:)
Method Tried:
Tried the method as suggested in another link Python requests - how to add multiple own certificates, and bundle certs and keys into separate pem files using the code below:
response = requests.get(SERVER_ENDPOINT, proxies=PROXIES, cert=(CERT_BUNDLE, KEY_BUNDLE))
It seems that only the 1st cert and key is used, so I am able to pass client auth at proxy server, but failed auth at destination server.

Https communication on localhost in IIS using self-signed certificate

I have 2 sites running on the same machine, a client and an API.
Let's say the computer's IP is 10.10.10.10.
The API has a default page when you browse to it, the rest of the API is under 10.10.10.10/api.
The API has HTTP binding to port 80, and HTTPS binding to port 443.
The client has HTTP binding to port 8080, and HTTPS binding to port 64300.
Both HTTPS bindings use a self signed certificate I created via IIS manager.
Both sites have a HTTP to HTTPS redirect using "URL Rewrite".
When I try to browse either one of the apps, it works fine (gives the warning in the browser that you can skip).
When I do some action in the client which involves a HTTP request to the api using one of the following calls I get an error:
http://localhost/api/someMethod
http://localhost:80/api/someMethod
https://localhost/api/someMethod
https://localhost:443/api/someMethod
https://10.10.10.10/api/someMethod
The exception includes this error:
"The remote certificate is invalid according to the validation procedure"
I tried using the method described in this link (add the self-signed certificate to the Trusted Root Certificate Authorities folder) but it won't work.
Help please :D
found the answer.. posting if anyone else will get stuck on it.
It's pretty weird but the only thing that worked was to make the localhost http(s) request using the HOST NAME.
example:
https://the_name_of_the_computer:443/api/someMethod

ASP.Net OData fails with SSL Termination in LB

I have an issue using HTTPS to access an ASP.NET OData endpoint. The ASP.NET site is hosted via OWIN. I am using the NuGet package Microsoft.AspNet.WebApi.OData for the OData (v3) part. The SSL termination takes place outside of the server in a separate load balancer.
Accessing the OData endpoints with a REST-client (e.g. Postman) works fine: https://api.my-domain.com/odata/v3
But when I use an OData-client (e.g. Excel or PowerBI), the access fails with the generic message, that the host forcibly closed the connection.
Further I found that when I access the endpoint https://api.my-domain.com/odata/v3 via Postman, I receive some XML metadata, which refers to the normal http endpoint (see below snippet), which is blocked by the LB.
<?xml version="1.0" encoding="utf-8"?>
<service xml:base="http://api.my-domain.com/odata/v3" xmlns="http://www.w3.org/2007/app" xmlns:atom="http://www.w3.org/2005/Atom">
<workspace>
...
Further I sniffed the traffic from Excel/PowerBI with Wireshark and found that the clients are using the normal http endpoint (as shown in above metadata) after the initial request with https. I am not familiar with the OData protocol details, but I guess the clients are determining the address by the metadata.
For validation I unblocked port 80 in the LB and voila, Excel/PowerBI can successfully connect, regardless if I use http or https for the initial request.
But how to solve this issue (I don't want to allow traffic on http). Is it possible to instruct the ASP.NET OData middleware to generate metadata with https URIs?

Use JMeter HTTP Proxy to record JSON over HTTP request from not-a-browser client

I have a client program running locally in iPhone emulator and local server written in Java. Client talks to server with JSON over HTTP requests. Now I am trying to record a client session http requests with JMeter to use them as a base to load-test server.
The problem is client requests do not go throw JMeter proxy. Client gets 501 "Method not implemented" (it is not because of https, I am using http). There is nothing in JMeter log about the request, and obviously nothing gets recorded in JMeter and the request doesn't reach the server.
There is well-described steps to setup JMeter proxy to record request from a browser, but my client programm is not a browser. Though JSON over HTTP is widely adopted approach, I could not find anything on the web about recording such requests with JMeter. I understand I need to do on the client the same thing browser does when proxying request and what I've found about it is that I need to set Host header to server's host and port, but that did not work and I cannot see how is it related to 501 error client gets.
If someone can explain what should be done on client or how to configure JMeter to let it know where to proxy client's requests or link any manual explaining that, it would be great help. I've been searching for solution for a few hours already and had no luck. Please help.
You can see my question and the answer I got below:
Use Jmeter proxy to record HTTP calls from iOS simulator
In short:
With this tutorial you can record calls from your Android device:
http://blazemeter.com/blog/load-testing-mobile-apps-made-easy
For make same thing with iPhone, do the following steps:
Mac configuration:
system preferences -> Network -> Advanced.. -> Proxies -> check "Web Proxy (HTTP) ->in "Web Proxy Server" field, type your IP (http://www.wikihow.com/Find-Your-IP-Address-on-a-Mac), and choose available port (I using 8080) ->ok -> Apply
iPhone configuration:
Settings -> WiFi -> choose same wifi you use with your Mac -> press on it again to go to it's details -> scroll down ->In HTTP proxy, choose Manual -> server = your mac IP you found earlier -> port = the port you chosen (maybe 8080)
Now You can start recording all "iPhone network out" using jmeter recording controller

Resources