Configuring Fiddler to use company network's proxy? - proxy

I'm trying to get Fiddler to work with my company's proxy. Every external request is returning 407.
So far I've tried adding oSession.oRequest["Proxy-Authorization"] = "YOURCREDENTIALS"; to the customized rules where I used my USERNAME:PASSWORD in base64. Still no luck.
Any ideas? Thanks.

What worked for me was much more simpler:
Rules > Automatically Authenticate

Note: There is an answer with a higher voting available. Because of SO sorting it is below the accepted answer.
I had the same problem, too, and solved it like this:
Started Fiddler with it's standard configuration.
Started IE and made a HTTP-request to an external web-site.
The proxy authorization dialogue popped up, where I entered my credentials.
In Fiddler searched the request headers for "Proxy-Authorization".
Copied the header value which looked like "Basic sOMeBASE64eNCODEdSTRING=" to the clipboard.
Altered the CustomRules.js with the following line within OnBeforeRequest:
oSession.oRequest["Proxy-Authorization"] = "Basic sOMeBASE64eNCODEdSTRING=";
So my approach was quite similar to yours just that in advance I checked what kind of proxy authorization the server required by using Fiddler to debug the authorization header. That way I found out I had to add "Basic" before the Base64 encoded credentials and I didn't even have to use the tool to encode the credentials to Base64. Just copied the value from the proxy authorization header.

My Answer is simple. If your company proxy is NTLM, download ,setUp and configure cntlm. Route your fiddler to cntlm port by setting proxy settings.
Done! that is how i configured fiddler in my company

What version of Fiddler are you using?
Fiddler will automatically chain to your organization's proxy, and all current versions of Fiddler support passing of authentication information between the client and the authenticating proxy.
How are you generating the HTTP requests in question? What are the exact HTTP response headers?

http://blog.bareweb.eu/2010/10/http-debugging-fiddler-tip-1/
There's an entry in the "Rules" menu for Requiring Proxy Authentication. Use that and you should get a bit further!

Fiddler should pick up native proxy configuration automatically.

Related

Handle cross domain issue in angular 4 with external API

I am using Postal PIN Code API for getting Post Office(s) details search by Postal PIN Code in angular 5 application. Below is the url of the external API :
http://postalpincode.in/api/pincode/{**PINCODE}**
I am issuing a GET request from the application but it is giving me below error :
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access
Although this request is working perfectly fine from browser and postman. I understand that we need to configure our server with cross-domain policies for accepting cross-domain request but this is an external API and I don't have control over it. How can I resolve this issue?
Thanks in Advance !!
Best: CORS header (requires server changes) CORS (Cross-Origin Resource Sharing) is a way for the server to say “I will accept your request, even though you came from a different origin.” This requires cooperation from the server – so if you can’t modify the server (e.g. if you’re using an external API), this approach won’t work.
Modify the server to add the header Access-Control-Allow-Origin: * to enable cross-origin requests from anywhere (or specify a domain instead of *). This should solve your problem.
2nd choice: Proxy Server If you can’t modify the server, you can run your own proxy. And this proxy can return the Access-Control-Allow-Origin header if it’s not at the Same Origin as your page.
Instead of sending API requests to some remote server, you’ll make requests to your proxy, which will forward them to the remote server.
Here are a few proxy options.
Ref: https://daveceddia.com/access-control-allow-origin-cors-errors-in-angular/

Fiddler gateway proxy username/password

I'm trying to intercept a web application which uses a HTTP proxy (basic HTTP auth password protected) to access its resources.
In Fiddler options, there is a setting for manual proxy configuration. But in that field, I can only define the proxy address and port. I need to define an username/password combination for upstream proxy.
Is there any way to do this?
Your scenario is a bit unclear. Clients should automatically prompt for proxy credentials when a HTTP/407 is received, although many don't.
If your question is: "How can I add a Proxy-Authorization header to all requests that pass through Fiddler?" then it's pretty simple.
Rules > Customize Rules > Scroll to OnBeforeRequest and add:
if (!oSession.isHTTPS)
{
oSession.oRequest["Proxy-Authorization"] = "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";
}
Where dXNlcm5hbWU6cGFzc3dvcmQ= is the base64-encoded version of the "username:password" string. You can use Fiddler's Tools > TextWizard to base64-encode a string.

CORS Access-Control-Allow-Origin header stripped by watchguard

I have a website on www.example.com that uses AJAX to access JSON via a nodejs-API on api.example.com. (Cross-domain!) I need the PUT and DELETE as HTTP-methods, thats why I can't use jsonp, i looked up how CORS works, and implemented that via the Access-Control-Allow-Origin headers.
When i work on my local environment (www.example.dev and api.example.dev) my setup works. My API return the correct headers (Access-Control-Allow-Origin) and I succeed in doing cross domain requests.
When I deploy online, my setup doesn't work anymore, because the headers get blocked by the company watchguard firewall. I could ask to allow my public API, but i'm afraid someone else will have the same issues in his or her restricted environment.
Is there any other way to solve this?
For those interested: I use easyXDM for cross domain messaging. That solved my problem. http://easyxdm.net/wp/

security of sending passwords through Ajax

Is it ok to pass passwords like this or should the method be POST or does it not matter?
xmlhttp.open("GET","pas123",true);
xmlhttp.send();
Additional info: I'm building this using a local virtual web server so I don't think I'll have https until I put upfront some money on a real web server :-)
EDIT: According to Gumo's link encodeURIComponent should be used. Should I do xmlhttp.send(encodeURIComponent(password)) or would this cause errors in the password matching?
Post them via HTTPS than you don't need to matter about that ;)
But note that you need that the page which sends that data must be accessed with https too due the same origin policy.
About your money limentation you can use self signed certificates or you can use a certificate from https://startssl.com/ where you can get certificates for free.
All HTTP requests are sent as text, so the particulars of whether it's a GET or POST or PUT... don't really matter. What matters for security in transmission is that you send it via SSL (and handle it safely on the other end, of course).
You can use a self-signed cert until something better is made available. It will be a special hell later if you don't design with https in mind now :)
It shouldn't matter, the main reason for not using GET on conventional web forms is the fact that the details are visible in the address bar, which isn't an issue when using AJAX.
All HTTP requests (GET/POST/ect) are sent in plain text so could be obtained using network tracing software (e.g. Wireshark) to protect against this you will need to use HTTPS

response message in SOAPUI is displayed encrypted

I try to test a web-service using SOAPUI using a HTTPS endpoint. The problem is that the response message is displayed encrypted. What do I need to configure in SOAPUI in order to see the actual response message?
I tried various settings (e.g. in preferences I tried to set an exported certificate from Firefox), but no luck so far. Note that the security of the web-service is implemented using a username/password mechanism in the SOAP header and the same call works fine on a HTTP endpoint (we have a couple of environments available).
Just had this same problem and found the solution here:
http://www.eviware.com/forum/viewtopic.php?f=5&t=2601&p=10862&hilit=encrypted+response+https#p10862
Basically you need to go into file->preferences->http settings and uncheck the 'Response compression' checkbox.

Resources