One of the many tasks on any penetration tester's to-do list is setting up a web proxy to inspect and debug application traffic. For the normal browser-to-server architecture this is straightforward: point the browser at the proxy and go. Unfortunately, once we move out of the browser and into thick clients we can start to run into some difficulties. In this post, I will discuss setting up Fiddler to intercept HTTP traffic from the Windows Phone 7 Emulator. Getting the emulator's traffic to flow through Fiddler is the easy part. The difficulty arises when the application communicates over SSL/TLS: Fiddler terminates the connection and re-signs the server's certificate with its own root CA, and since that root CA is not trusted by the emulator, the connection fails until the Fiddler root certificate is installed on the device.
To install Fiddler's root certificate on the emulator you can follow these steps:
- In Fiddler, select "Tools…Fiddler Options…SSL…Export Root Certificate to Desktop"
- Host the exported FiddlerRoot.cer file at a location that the emulator can browse to (for example, a site on the host machine's IIS)
- In the emulator, open the browser and navigate to the address of the .cer file
- When the emulator prompts, confirm that you want to install the certificate
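As an added example (this script is not from the original post and is not part of Fiddler), the following PowerShell hosts the exported FiddlerRoot.cer for step two without setting up IIS, using .NET's HttpListener on the host machine. It assumes the certificate has already been exported to the desktop, that the emulator can reach the host's first IP-enabled adapter, and that port 8088 is free; these values are assumptions and can be changed. It also prints the certificate's subject and thumbprint so you can compare them with what the emulator shows before accepting the install.

```powershell
# Added example, not from the original post: serve FiddlerRoot.cer over HTTP
# so the Windows Phone 7 emulator can browse to it, without configuring IIS.
# Assumptions: Fiddler has already exported FiddlerRoot.cer to the desktop,
# the emulator can reach the host's IP address, and port 8088 is free.
# Run from an elevated PowerShell prompt (HttpListener needs a URL ACL).

$certPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'FiddlerRoot.cer'
if (-not (Test-Path $certPath)) {
    throw "Export the root certificate from Fiddler first: $certPath not found"
}

# Show subject and thumbprint so they can be checked against the emulator's prompt
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
Write-Host "Serving $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

$port = 8088
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://+:$port/")
$listener.Start()

# Pick the host's first IP-enabled adapter address to type into the emulator's browser
$ip = (Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled } |
       Select-Object -First 1).IPAddress[0]
Write-Host "Browse to http://$ip`:$port/FiddlerRoot.cer from the emulator (Ctrl+C to stop)"

try {
    while ($listener.IsListening) {
        $ctx  = $listener.GetContext()
        $resp = $ctx.Response
        if ($ctx.Request.Url.AbsolutePath -ieq '/FiddlerRoot.cer') {
            $bytes = [System.IO.File]::ReadAllBytes($certPath)
            # The phone only offers to install the file when it is served as a CA cert
            $resp.ContentType     = 'application/x-x509-ca-cert'
            $resp.ContentLength64 = $bytes.Length
            $resp.OutputStream.Write($bytes, 0, $bytes.Length)
        } else {
            $resp.StatusCode = 404
        }
        $resp.Close()
    }
} finally {
    $listener.Stop()
}
```

The Content-Type is the part that matters: if the .cer is served as a generic binary the phone's browser just downloads it instead of prompting to install. Leave the script running while you restart the emulator, since the certificate has to be reinstalled on each launch. Chaining Fiddler through Burp, as mentioned later in the post, is configured separately under Tools…Fiddler Options…Gateway and needs nothing from this script.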
The certificate should now be installed and the HTTPS traffic should now be interceptable. It is important to note that you have to browse to the certificate and install it every time the emulator starts, since the emulator image resets on each launch and the installed certificate is lost. If you are constantly restarting the emulator this can get old pretty fast. I ran into some issues trying to get the Burp cert to install on the device, so once I got Fiddler set up, I just had Fiddler direct through Burp and it worked great.
There may be an easier way to do this, but due to the limited time given during an assessment and the lack of good information online, this was the easiest to get up and going quickly. If anyone has any good tips on setting this up, please share.
In September 2012, Telerik (http://www.telerik.com) acquired the Fiddler product so we can expect to see some great new features being added.
James Jardine is a Principal Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.