Find Proxy Authentication bugs with Fiddler

Over on my other blog, I just posted an article showing how you can use Fiddler to find bugs in applications that don’t expect authenticating proxies.

Fiddler and Channel Binding Tokens Revisited

Just under a year ago, I wrote a blog post about how the new “Extended Protection” feature (also known as Channel Binding Tokens or CBT) prevented seamless decryption of certain authenticated HTTPS traffic when Fiddler is running. The quick recap is that CBT binds a set of NTLM or Kerberos authentication credentials to the “channel”…


Fiddler and Channel-Binding-Tokens

Note: Please see this post for an update.

Some users of Fiddler who have HTTPS Decryption enabled have found that some of their internal HTTPS sites that used to work properly with Fiddler now endlessly prompt for credentials while Fiddler is running. Even typing the correct credentials into the authentication prompt won’t fix the problem….