Security Vulnerability Analysis PlugIn Project for Fiddler

5:38 PM j. montgomery 1 Comments

I've been running the SANS DEV544 Course Twitter account @SANSecDotNet for about a week now and was asked a simple question by @competentgirl about the differences between WebScarab and Microsoft Fiddler Web Debugger.

I've used both on occasion, but never considered them similar, mainly because I just use Fiddler all of the time, since most of what I need to do is decrypt SSL/TLS traffic with client certificates (Smart Cards) to view the HTML as well as the HTTP headers. So I did a quick comparison of the latest version of each, since it had been a while since I had looked at either or really compared them. The differences were pretty obvious: they do a lot of the same things, except Fiddler doesn't have any security analysis capabilities (no fuzzer, XSS/CSRF detection, etc.); its main purpose is to help developers debug their web applications. I typically do analysis by hand using Fiddler and a web browser. I had just recently noticed that Fiddler has a plug-in architecture that allows .NET DLLs to be run within Fiddler. I couldn't resist and quickly built a proof-of-concept plug-in that decodes/deserializes all items within the ASP.NET __VIEWSTATE form field. Needless to say, I've got a ton of ideas now... if only I could find the time to implement it all.
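For readers who want to see what "decoding the __VIEWSTATE field" involves, here is an added stand-alone example (not code from the plug-in or the DnSecAnalysis project): a minimal Python decoder for the common subset of the ObjectStateFormatter token format that ASP.NET serializes into that field. The class and function names and the sample ViewState are constructed for this illustration.

```python
import base64

# Token values from ASP.NET's ObjectStateFormatter, the binary format behind __VIEWSTATE.
T_INT32, T_BYTE, T_STRING, T_PAIR, T_TRIPLET = 0x02, 0x03, 0x05, 0x0F, 0x10
T_ARRAYLIST, T_HASHTABLE, T_IDXSTR_ADD, T_IDXSTR = 0x16, 0x17, 0x1E, 0x1F
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # Null, "", ZeroInt32, True, False
class ViewStateDecoder:
    """Decodes the object graph of a __VIEWSTATE value; unsupported tokens raise ValueError."""
    def __init__(self, data: bytes):
        if data[:2] != b"\xff\x01":
            raise ValueError("not an ObjectStateFormatter v1 stream")
        self.buf, self.pos, self.strings = data, 2, []  # strings: indexed-string table
    def _byte(self) -> int:
        self.pos += 1
        return self.buf[self.pos - 1]
    def _int7(self) -> int:  # variable-length int, as BinaryWriter.Write7BitEncodedInt
        value = shift = 0
        while True:
            b = self._byte()
            value |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return value
    def _string(self) -> str:  # 7-bit length prefix, then UTF-8 bytes
        n = self._int7()
        self.pos += n
        return self.buf[self.pos - n:self.pos].decode("utf-8")
    def read(self):
        tok = self._byte()
        if tok in SIMPLE: return SIMPLE[tok]
        if tok in (T_INT32, T_BYTE, T_STRING):
            return {T_INT32: self._int7, T_BYTE: self._byte, T_STRING: self._string}[tok]()
        if tok == T_IDXSTR_ADD:  # new string, also appended to the string table
            self.strings.append(self._string())
            return self.strings[-1]
        if tok == T_IDXSTR: return self.strings[self._byte()]  # back-reference by one-byte index
        if tok in (T_PAIR, T_TRIPLET):  # 2 or 3 nested objects
            return ("pair" if tok == T_PAIR else "triplet",) + tuple(self.read() for _ in range(tok - 0x0D))
        if tok == T_ARRAYLIST: return [self.read() for _ in range(self._int7())]
        if tok == T_HASHTABLE: return dict([(self.read(), self.read()) for _ in range(self._int7())])
        raise ValueError(f"unsupported token 0x{tok:02x} at offset {self.pos - 1}")

def decode_viewstate(b64: str):
    """Base64-decode a __VIEWSTATE field and return its object graph. Bytes after the graph
    (the HMAC appended when ViewState MAC is on) stay unread: a MAC protects integrity, not
    confidentiality, so whatever the page stored in ViewState is still readable this way."""
    return ViewStateDecoder(base64.b64decode(b64)).read()
# Constructed sample, not captured from a real application: Pair(Pair(Int32 123, Null),
# ArrayList["hello", True, IndexedStringAdd "__Page", IndexedString #0]) + 20 zero bytes as a stand-in HMAC.
SAMPLE_VIEWSTATE = base64.b64encode(
    b"\xff\x01\x0f\x0f\x02\x7b\x64\x16\x04\x05\x05hello\x67\x1e\x06__Page\x1f\x00" + bytes(20)).decode()
```

Running `decode_viewstate(SAMPLE_VIEWSTATE)` returns the nested pair/list structure, which is the kind of output a plug-in would render next to the request; the MAC bytes are ignored, not verified.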

You can find the project on CodePlex under DnSecAnalysis.

I rarely find free time lately, so I'd love for others to get involved. If you're interested in contributing to this new project, drop me a line.
