
Other Ways to Remove Encodings

In document Debugging With Fiddler (Page 151-156)

Because most of Fiddler’s Inspectors do not function well with encoded content, when an encoded Session is selected, a yellow button will appear above the list of Inspectors. Clicking the button will immediately remove all encodings from the request or response.

You can remove encodings from both the request and response simultaneously by right-clicking the Session in the Web Sessions list and choosing Decode Selected Sessions from the context menu. Similarly, enabling the Decode option in the toolbar will automatically remove all encodings as Fiddler reads requests from the client and responses from the server.

134 | Inspectors

WebForms

Type: Request only

Allows Editing: Yes

The WebForms Request Inspector parses the request’s query string and body for any HTML form-data. If a form is found, it is parsed and the name/value pairs are displayed in the grid view. For instance, the following request:

POST /sandbox/FileForm.asp?Query=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: www.fiddler2.com
Content-Length: 54

2=Data%3e123&fileentry2=a%2etxt&_charset_=windows-1252

…is displayed as follows:

This Inspector works best with application/x-www-form-urlencoded data used by most simple web forms.

Support for multipart/form-data forms, commonly used for file uploads, is limited to display only. To modify a file upload, use the HexView Inspector instead.
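As an added example (not code from the book or from Fiddler itself), the following Python parser does what the WebForms Inspector does with the request shown above: it splits the query string and the urlencoded body into name/value pairs, checks that Content-Length matches the body, and decodes percent-escapes using the charset named by the hidden _charset_ field. The request bytes are the page's sample with CRLF line endings restored; the (source, name, value) layout is my own.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request shown above, with CRLF line endings restored.
RAW_REQUEST = (
    b"POST /sandbox/FileForm.asp?Query=1 HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: www.fiddler2.com\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"2=Data%3e123&fileentry2=a%2etxt&_charset_=windows-1252"
)


def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_web_form(raw):
    """Return (source, name, value) triples as a WebForms-style grid would list
    them: query-string fields first, then urlencoded body fields."""
    request_line, headers, body = split_request(raw)
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    target = request_line.split(" ")[1]
    pairs = [("query", k, v)
             for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        # A urlencoded body is ASCII by construction; non-ASCII characters arrive as
        # percent-escapes in whatever charset the browser used. The hidden _charset_
        # field names that charset, so decode the escapes with it, not with UTF-8.
        text = body.decode("latin-1")
        charset = dict(parse_qsl(text, keep_blank_values=True)).get("_charset_", "utf-8")
        pairs += [("body", k, v)
                  for k, v in parse_qsl(text, keep_blank_values=True, encoding=charset)]
    return pairs
```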


WebView

Type: Response only

Allows Editing: No

The WebView Response Inspector allows you to view responses in a web browser control, which provides a quick preview of how a given response may appear in a browser. The web browser control is configured to prevent additional downloads when rendering the response, so that the preview does not muddle your Web Sessions list; this means that most images, styles, and objects will be missing from the displayed content. Additionally, scripting and navigation are blocked, providing a read-only preview of HTML pages.

Beyond plain XHTML and HTML, the WebView Inspector is able to render several additional media types if IE8 or later is present. With IE8, the Inspector can render any binary image (png, jpg, gif, etc.) smaller than 24kb. This limit exists because the Inspector embeds the image in a Data URI, and IE8’s Data URI length limit is 32kb, which corresponds to 24kb of binary data once base64 encoding expands it.

When IE9 is present, the Inspector can display images up to 1.5gb in size. Additionally, it can display SVG documents and will generate preview pages for WOFF, TTF, and EOT font files, MP3 audio files, and h264 video files. For instance, inspecting a WOFF file will generate the following display:

When previewing an audio or video file, an “AutoPlay” checkbox appears at the top-right of the tab. When this box is ticked, media files will automatically begin playback when loaded. When unticked, the media will be loaded but will not begin playing until the play button is clicked inside the preview.


XML

Type: Request & Response

Allows Editing: No

The XML Inspector interprets the selected request or response body as an Extensible Markup Language (XML) formatted string, showing a treeview of the XML document’s nodes. If the body cannot be interpreted as XML, the treeview will remain empty.

Each XML element is represented as a node in the tree, and the attributes of the element are displayed in square brackets after the element’s name.

Unlike most inspectors, the XML Inspector is able to render the data even if the request or response is compressed or has HTTP Chunked Encoding applied; you do not need to remove the encoding to display the content.

The treeview’s context menu offers two options: Copy, to copy the selected node to the clipboard (or press CTRL+C), and Send to TextWizard, to send the selected node’s content to the TextWizard window for encoding or decoding.

The Expand All button in the footer will expand all nodes of the tree, while the Collapse button will collapse all nodes of the tree. The XML tree will be automatically expanded if the body contains fewer than 2000 nodes; for performance reasons, you will have to manually expand the tree for larger documents.
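The following Python is an added example (not from the book or from Fiddler) that ties together the two encoding points above: the removal of chunked transfer encoding and gzip content encoding that the Decode button performs, and what the XML Inspector then does with the decoded body. It builds a gzipped, chunked XML response as a constructed sample, strips both encodings in the correct order, renders the element tree with attributes in square brackets (that exact layout is my assumption), and applies the 2000-node auto-expand rule; a body that is not XML yields an empty tree, as the Inspector does.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample: a small XML body, gzip-compressed and then sent with
# HTTP chunked transfer encoding, as a server might return it to Fiddler.
XML_DOC = b'<catalog><item id="1" type="book">Fiddler</item><item id="2"/></catalog>'

def chunk_body(data, size=16):
    """Apply chunked transfer encoding (only used to build the sample)."""
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"

ENCODED_BODY = chunk_body(gzip.compress(XML_DOC))

def dechunk(data):
    """Undo chunked transfer encoding; rejects malformed chunk framing."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return out
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += data[pos:pos + size]
        pos += size + 2

def remove_encodings(body, transfer_encoding="chunked", content_encoding="gzip"):
    # Transfer encoding wraps the content encoding, so it must come off first.
    if transfer_encoding == "chunked":
        body = dechunk(body)
    if content_encoding == "gzip":
        body = gzip.decompress(body)
    return body

def render_tree(body, max_auto_expand=2000):
    """Return the treeview lines (attributes in square brackets after the element
    name, a layout assumed here) and whether the tree would be auto-expanded."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [], False  # not XML: the Inspector's treeview stays empty
    lines = []
    def walk(el, depth):
        attrs = "".join(f" [{k}={v}]" for k, v in el.attrib.items())
        lines.append("  " * depth + el.tag + attrs)
        for child in el:
            walk(child, depth + 1)
    walk(root, 0)
    return lines, len(lines) < max_auto_expand
```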

Extensions


Overview

Fiddler’s rich extensibility model enables developers to add powerful new features to Fiddler via easily installed add-ons.

Popular 3rd-Party Extensions

Independent developers have built many Fiddler extensions, some of which are listed in the directory at http://getfiddler.com/addons. At the time of this writing, the most popular 3rd-party extensions enhance Fiddler’s ability to test the performance and security characteristics of web applications.

Performance Add-ons

On its own, Fiddler can be used for many important performance-analysis and optimization tasks, but several extensions add even more power.

neXpert Performance Report Generator – Written by a Microsoft Online Services testing team, neXpert will evaluate your websites’ adherence to performance best-practices, generating a report which flags problems and recommends solutions. License: Freeware.

StresStimulus – This load-testing extension permits you to record and run load-test scenarios against your website to evaluate its ability to scale to handle large numbers of simultaneous users. License: Free trial.

Security Add-ons

Many security-testing goals can be accomplished with Fiddler, and web security experts have built several powerful add-ons that enable even novices to discover and resolve security issues.

Watcher – Developed by the Casaba Security team, Watcher is a “passive security auditor” which observes a browser’s interactions with your site. The tool scans requests and responses, flagging potential security vulnerabilities. This powerful tool is used by professional security penetration testers to evaluate major sites. License: Open Source.

x5s – Another add-on from Casaba Security, x5s evaluates your website’s vulnerability to cross-site scripting bugs caused by character-set related issues. License: Open Source.

intruder21 – This add-on enables fuzz-testing of your web applications. After you identify target requests in Fiddler, this extension generates fuzzed payloads and launches those payloads against your site. License: Freeware.

Ammonite – This add-on detects common website vulnerabilities including SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows. License: Free trial.
