3
votes

Is there a way to inspect HTTPS traffic from Flex applications compiled to SWF files?

I'm trying to use Fiddler for this and have added DO_NOT_TRUST_FiddlerRoot to my Trusted Root Certification Authorities, so my IE can now access other HTML sites that would normally complain about an untrusted certificate. However, the HTTPS traffic from the SWF file still doesn't appear in Fiddler and, in fact, the Flex app wouldn't work (HTTPS with a self-signed certificate is not supported by Flex apps, I believe). Is there a way around it?

Update: To be clear, I am interested in the traffic between the SWF file running under Flash Player and the server (typically, Flex components like HTTPService will be used for this). The SWF file itself can be served via HTTP or HTTPS, it doesn't really matter.

Clarification 2: Don't assume that the source code is available for the SWF file. If it was, Flash Builder 4's Network Monitor could be used.

(I am assessing possible security risks for my client just to be clear about my intentions.)


3 Answers

6
votes

Try Charles Proxy; it works with both HTTPS and AMF. There's a free version with some minor annoyances. To get it working with SSL, you need to go to Proxy->Proxy Settings->SSL and add the domain whose traffic you want to monitor.

---- From the comment ----

If you have the original certificate, you can set it up in Proxy->SSL Certificate, and it will be used by Charles, which should lead to no more errors (as the proxy will have the proper certificate).

2
votes

Interestingly, Fiddler started to show HTTPS requests today. The Flex app behaves like it couldn't access the server side (which is probably because the response from Fiddler is signed with a self-signed certificate which Flash Player correctly recognizes as different than the target site certificate) but still, the HTTP request has been sent already and is visible via Fiddler.

Also, Robert Bak suggested that Charles Proxy can use the target site's certificate, which I guess would be by far the best method (I didn't try it, as the Fiddler experiment already proved enough for us).

1
votes

Adobe's Flash Builder 4 Beta has a built-in Network Monitor.

Learn more here: Flash Builder 4 beta

According to the documentation: (Support for HTTPS protocol)

The Network Monitor supports monitoring HTTPS calls to a server certified by a certificate authority (CA) or that has a self-signed certificate.

To monitor calls over the HTTPS protocol, modify the default preference for the Network Monitor to ignore SSL security checks. Open the Preferences dialog and navigate to Flash Builder > Network Monitor.