0
votes

I am trying to call a web service API with JavaScript like below.


var url = "https://...";

let formData = new FormData();
formData.append("...", "...");
formData.append("...", "...");
formData.append("...", "...");

let promise = fetch(url, {
  method: "POST",
  body: formData
});

promise.then(result => {
    console.log(result);
});

The response has the status 200 OK, but the response text says you don't have the right to do the action.

While investigating with Postman why the request was failing, I found out that adding the Referer header, with the value being the server domain name of the API, ended up returning the right response. It seems that the server of the API has some referrer security enabled which does not allow the API to be accessed by requests that don't originate from that server.

To proceed with development and testing, I have installed Fiddler with the purpose of intercepting the request and changing the Referer header before it sends the request to the server of the API.

Fiddler version: v4.6.20171.26113.

Operating system: Linux Debian

Firefox: Version 60.9.0esr (64-bit)

The API which I am trying to access uses HTTPS, so I need to decrypt the traffic. So I went to Fiddler -> Options -> HTTPS -> action and exported the root certificate to the desktop. After that I added the certificate to the Firefox browser (Manage Certificates -> Authorities -> imported the certificate extracted from Fiddler). Then I went to Fiddler -> Options -> HTTPS -> enable Decrypt HTTPS traffic. I have also configured the manual proxy configuration of Firefox to go to Fiddler (proxy: localhost, port: 8888).

After doing the configuration above, my Internet access was gone. I searched and saw that this was a problem with the new version of TLS, 1.3. I switched the Firefox TLS version to TLS 1.2 (security.tls.version.max=3). After doing this, the Internet access was restored.

I have put a breakpoint on the URL of the API (bpu url). I am able to intercept successfully and change the Referer header successfully, but when I press Run to Completion and check the response in the Firefox network view, it seems that the Referer was not changed, even though I had intercepted with Fiddler and changed the header. Why aren't the changes I made with Fiddler being saved after I click Run to Completion?

Regards,

Rando.

1 Answer

0
votes

What solved the problem for me was:

  • Restart the computer after installing Fiddler
  • Delete the certificate exported from Fiddler
  • Go to Menu HTTPS -> ACTIONS -> Export Root Certificate to Desktop
  • Add the certificate to Firefox (Manage Certificates -> Authorities -> import the certificate extracted to the Desktop from Fiddler).
  • Check the proxy settings in Firefox; they should be manual and set to (proxy: localhost, port: 8888), where 8888 is the port of Fiddler
  • Go to about:config in Firefox and downgrade the TLS version. The configuration for downgrading TLS: security.tls.version.max=3
  • Go to the Fiddler Menu HTTPS and check Decrypt HTTPS traffic

After following the steps above, I was able to successfully intercept and modify HTTP request headers and responses.
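
The browser's network view records the request as it left the browser, while an intercepting proxy rewrites it afterwards, so the two can disagree about the Referer. The Node.js sketch below is an added example, not code from the question or answer; it uses loopback HTTP servers as stand-ins for the API, Fiddler and Firefox, and every name and URL in it is constructed.

```javascript
// Added illustration; plain HTTP on loopback stands in for the decrypted HTTPS session.
const http = require("node:http");

const API_REFERER = "https://api.example.test/"; // constructed value the stand-in API accepts
const PAGE_REFERER = "http://localhost:3000/";   // constructed value the stand-in browser sends

const listen = (srv) =>
  new Promise((res) => srv.listen(0, "127.0.0.1", () => res(srv.address().port)));

// Send one request (no connection reuse) and resolve with the response body.
const send = (opts) =>
  new Promise((resolve, reject) => {
    http.request({ ...opts, agent: false }, (r) => {
      let body = "";
      r.on("data", (c) => (body += c));
      r.on("end", () => resolve(body));
    }).on("error", reject).end();
  });

async function demo() {
  let seenByServer;
  // Stand-in for the API: authorises on the Referer header alone.
  const api = http.createServer((req, res) => {
    seenByServer = req.headers.referer;
    res.end(seenByServer === API_REFERER ? "ok" : "not allowed");
  });
  const apiPort = await listen(api);

  // Stand-in for the intercepting proxy: rewrites Referer in flight.
  const proxy = http.createServer(async (req, res) => {
    const target = new URL(req.url); // forward-proxy requests carry an absolute URL
    const headers = { ...req.headers, referer: API_REFERER, host: target.host };
    res.end(await send({ host: target.hostname, port: target.port,
                         path: target.pathname, method: req.method, headers }));
  });
  const proxyPort = await listen(proxy);

  // Stand-in for the browser: this object is what its network view would display.
  const sentByClient = { Referer: PAGE_REFERER };
  const body = await send({ host: "127.0.0.1", port: proxyPort, method: "POST",
    path: `http://127.0.0.1:${apiPort}/action`, headers: sentByClient });

  api.close();
  proxy.close();
  return { shownInBrowser: sentByClient.Referer, seenByServer, body };
}

demo().then((r) => console.log(r));
```

To confirm what the server actually received, compare the request in the proxy's own session list rather than in the browser. The same run also shows that a Referer-only check accepts any client able to set that header.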