UCWA - Obscuring confidential data in Fiddler traces

When posting Fiddler traces online it can be hard to avoid sharing confidential information. For some peace of mind about the security of that data it may be necessary to obscure parts of a trace before it is shared online or shown in a demo. A few quick ways that come to mind are taking a screenshot of the Fiddler trace and manually blacking out (or cropping) portions,

posting an edited raw version of the HTTP request,

[sourcecode language="text" wraplines="false"]
POST https://lync.domain.com/webticket/oauthtoken HTTP/1.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded;charset='utf-8'
X-Ms-Origin: http://domain.com
X-Requested-With: XMLHttpRequest
Referer: https://lync.domain.com/Autodiscover/XFrame/XFrame.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Host: lync.domain.com
Content-Length: 73
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: NTLM user_ntlm_token

grant_type=password&username=shagman@domain.com&password=**************
[/sourcecode]

or sharing nothing at all (most secure, but least useful when trying to get support). I have spent a good deal of time thinking about how to achieve this in Fiddler and came up with a solution that obscures the data in a set of sessions and prompts to save the result, leaving the original sessions unmodified. This magic is achieved with the help of FiddlerScript (part of Fiddler) and the Fiddler Google Group.

FiddlerScript

FiddlerScript is Fiddler's built-in scripting layer, written in JScript.NET, which can be edited and applied without relaunching the application. It is also possible to extend FiddlerScript with .NET code, but I went the route of creating a few JScript functions that provide methods for obscuring Fiddler traces.

Quick Requirements

Before I get too far into this, I should state that to make use of this FiddlerScript you need one of the following versions (or later) of Fiddler: v2.4.3.6 beta (.NET 2.x) or v4.4.3.0 beta (.NET 4.x).

Editing FiddlerScript

Getting to FiddlerScript from inside Fiddler is as simple as Ctrl+R or Rules -> Customize Rules...

Each time you Save in the Fiddler2 ScriptEditor it either reports errors (via a MessageBox) or loads the new functions. For obscuring I wanted to add a context-menu item, Obscure Selected Sessions, and a Tools-menu item (it appears alongside Hosts... / Reset Script), Obscure All Sessions. Adding a context-menu item and a Tools-menu item is as simple as:

[sourcecode language="csharp" wraplines="false"]
// Adds "Obscure Selected Sessions" to the session list's right-click menu;
// Fiddler passes the selected sessions to the function.
public static ContextAction("Obscure Selected Sessions")
function DoObscureSelected(...)

// Adds "Obscure All Sessions" to the Tools menu; no sessions are passed in,
// so the function has to fetch them itself.
public static ToolsAction("Obscure All Sessions")
function DoObscureAll()
[/sourcecode]

The logic of the script prompts the user (yes/no) about obscuring sessions and, on yes, begins processing them. Each function iterates over its sessions and makes the necessary changes, which for this script are as follows:

  • Host - Change host name to domain.com
  • Request
    • Replace domain in the following headers: Referer, X-Ms-Origin, Host, and WWW-Authenticate with domain.com
    • Replace Authorization header with Bearer cwt=user_oauth_token
    • Replace password in grant_type=password with **************
    • Replace domain in Body with domain.com
  • Response
    • Replace X-MS-Server-fqdn header with fqdn.domain.com
    • Replace Set-Cookie header with cwt_user_cookie
    • Replace Authorization header with domain.com or NTLM user_ntlm_token
    • Replace access_token (body data) with cwt=user_oauth_token
    • Replace domain in Body with domain.com

After the loop completes the script attempts to save the now-obscured sessions to a file, which can be loaded to see the changes that were made, leaving the original sessions preserved. From a bit of testing, ~90% of the domain-specific data is obscured, but there may be cases where it misses a piece. It does not obscure user names, as I didn't see a good use case for it: if all users became user@domain.com it would be near impossible to tell which user was actually performing an action in the trace.
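As an added example, not the post's Obscure.js, here is FiddlerScript (JScript.NET) that wires up the two menu items from the snippet above and applies the header and body rules just listed. It assumes the default CustomRules.js layout (the code is pasted inside class Handlers, next to DoRemoveEncoding, with `import System.Text.RegularExpressions;` added beside the existing imports), and every function and field name in it (kObscuredDomain, ObscureDomain, ObscureAuthHeader, ObscureHeaders, ObscureSession, ObscureSessions) is this example's own. It goes slightly beyond the list: credentials are scrubbed per auth scheme (NTLM, Bearer, Basic, Negotiate) on both Authorization and WWW-Authenticate, repeated headers such as multiple Set-Cookie lines are all rewritten, and sessions without a response are skipped. The save step uses Fiddler's Utilities.WriteSessionArchive after a FiddlerObject.prompt for the path; unlike the post's script it edits the loaded sessions in place rather than copies.

```jscript
// Added example (not the post's Obscure.js). Paste inside "class Handlers" in CustomRules.js
// and add next to the existing imports at the top of the file:
//   import System.Text.RegularExpressions;
// Every name below is this example's own assumption, not Fiddler's API.

    // Placeholder that every real host name collapses to.
    static var kObscuredDomain: String = "domain.com";

    // Replace the session's full host (lync.contoso.com) and its parent (contoso.com) with
    // the placeholder, case-insensitively. Assumption: the text after the first dot is the
    // organisation's domain; two-label public suffixes such as co.uk are not handled.
    static function ObscureDomain(sText: String, sHost: String): String {
        if (String.IsNullOrEmpty(sText) || String.IsNullOrEmpty(sHost)) return sText;
        var iDot: int = sHost.IndexOf(".");
        var sParent: String = (iDot > 0) ? sHost.Substring(iDot + 1) : sHost;
        if (sParent.IndexOf(".") < 0) sParent = sHost;   // never collapse a bare TLD such as "com"
        var sOut: String = Regex.Replace(sText, Regex.Escape(sHost), kObscuredDomain, RegexOptions.IgnoreCase);
        return Regex.Replace(sOut, Regex.Escape(sParent), kObscuredDomain, RegexOptions.IgnoreCase);
    }

    // Keep the scheme, drop the credential: "NTLM TlRMTVNT..." -> "NTLM user_ntlm_token",
    // "Bearer cwt=AAEB..." -> "Bearer cwt=user_oauth_token". A parameterised challenge such as
    // 'Bearer trusted_issuers="..."' carries no credential, so only its domain is scrubbed.
    static function ObscureAuthHeader(sValue: String, sHost: String): String {
        var m: Match = Regex.Match(sValue, "^(\\w+)\\s+(\\S+)\\s*$");
        if (!m.Success) return ObscureDomain(sValue, sHost);
        var sScheme: String = m.Groups[1].Value;
        if (String.Compare(sScheme, "Bearer", true) == 0) return "Bearer cwt=user_oauth_token";
        return sScheme + " user_" + sScheme.ToLower() + "_token";
    }

    // Scrub one header collection in place. Walking the items, rather than using the indexer,
    // reaches repeated headers (several Set-Cookie or WWW-Authenticate lines), not just the first.
    static function ObscureHeaders(oHeaders: HTTPHeaders, sHost: String) {
        var e = oHeaders.GetEnumerator();
        while (e.MoveNext()) {
            var oItem: HTTPHeaderItem = e.Current;
            var sName: String = oItem.Name.ToLower();
            if (sName == "authorization" || sName == "www-authenticate")
                oItem.Value = ObscureAuthHeader(oItem.Value, sHost);
            else if (sName == "set-cookie")
                oItem.Value = "cwt_user_cookie";
            else if (sName == "x-ms-server-fqdn")
                oItem.Value = "fqdn." + kObscuredDomain;
            else if (sName == "host" || sName == "referer" || sName == "x-ms-origin")
                oItem.Value = ObscureDomain(oItem.Value, sHost);
        }
    }

    // Apply every rule to one session, in place.
    static function ObscureSession(oS: Session) {
        var sHost: String = oS.hostname;                        // real host, without port
        ObscureHeaders(oS.oRequest.headers, sHost);
        oS.host = kObscuredDomain;                              // host shown in the session list
        var sBody: String = oS.GetRequestBodyAsString();
        if (!String.IsNullOrEmpty(sBody)) {
            if (sBody.IndexOf("grant_type=password") >= 0)      // mask only the password= value
                sBody = Regex.Replace(sBody, "(^|&)password=[^&]*", "${1}password=**************");
            oS.utilSetRequestBody(ObscureDomain(sBody, sHost)); // also rewrites Content-Length
        }
        if (!oS.bHasResponse) return;
        oS.utilDecodeResponse();                                // gunzip/unchunk so the body is editable text
        ObscureHeaders(oS.oResponse.headers, sHost);
        sBody = oS.GetResponseBodyAsString();
        if (!String.IsNullOrEmpty(sBody)) {
            // JSON token response: "access_token":"cwt=AAEB..." -> "access_token":"cwt=user_oauth_token"
            sBody = Regex.Replace(sBody, "(\"access_token\"\\s*:\\s*\")[^\"]*", "${1}cwt=user_oauth_token");
            oS.utilSetResponseBody(ObscureDomain(sBody, sHost));
        }
    }

    // Confirm, obscure, then write the result to a .saz. This edits the loaded sessions
    // themselves, so keep an unmodified copy of the original capture.
    static function ObscureSessions(oSessions: Session[]) {
        if (oSessions == null || oSessions.Length == 0) { FiddlerObject.alert("No sessions to obscure."); return; }
        if (DialogResult.Yes != MessageBox.Show("Obscure " + oSessions.Length + " session(s) in place?",
                                                "Obscure sessions", MessageBoxButtons.YesNo)) return;
        for (var x: int = 0; x < oSessions.Length; x++) {
            ObscureSession(oSessions[x]);
            oSessions[x]["ui-backcolor"] = "lightyellow";       // mark what was touched
        }
        var sFile: String = FiddlerObject.prompt("Save obscured sessions as", "C:\\temp\\obscured.saz");
        if (!String.IsNullOrEmpty(sFile)) Utilities.WriteSessionArchive(sFile, oSessions, null, true);
    }

    public static ContextAction("Obscure Selected Sessions")
    function DoObscureSelected(oSessions: Session[]) { ObscureSessions(oSessions); }

    public static ToolsAction("Obscure All Sessions")
    function DoObscureAll() { ObscureSessions(FiddlerObject.UI.GetAllSessions()); }
```

Two details worth checking on a real trace: utilDecodeResponse must run before the response body is edited, otherwise a gzipped or chunked body is rewritten as binary and the saved .saz is corrupt, and the domain rule is deliberately not applied to the URL path or query, so a path that embeds the tenant name still has to be reviewed by hand before posting.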

Before and After

A quick dog and pony show of modifications to expect:

Request Headers Before

Request Headers After

Response Body Before

Response Body After

Just give me the code already...

I have placed the code online here: Fiddler2 Obscure.js. It contains 5 methods that need to be pasted into the Fiddler ScriptEditor. In my instance I pasted the code below the definition of DoRemoveEncoding(...).

Save (Ctrl+S) in the editor and with luck you should have no errors. If you do, you will want to upgrade to a later version of Fiddler, the alternative being to learn some JScript!