
Fiddler: Pen Testing Product Overview and Analysis


Bottom Line

Fiddler is a useful collection of manual tools for web debugging, web session manipulation, and security and performance testing. However, it is probably most valuable to those deploying the paid version on the .NET framework, since that edition comes with many automation features.

Type of tool: Web debugging proxy

Key features: Fiddler is a package of testing tools for discovering and resolving security issues. It includes Watcher, which observes browser interactions with a website, scans requests and responses, and flags potential vulnerabilities; x5s, which evaluates a website for cross-site scripting bugs caused by character-set and encoding issues; intruder21, which fuzz-tests web applications by generating fuzzed payloads and sending them to a website; and Ammonite, which detects common website vulnerabilities such as SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows.

Fiddler can automate SSL decryption, too. With the decryption feature enabled, users can choose to decrypt traffic from all processes, only browser traffic, only non-browser traffic, or only traffic from remote clients. This process filter is useful because it avoids decrypting, and exposing in the proxy, traffic the user has no interest in.

While Fiddler itself is free, the paid Telerik FiddlerCore Embedded Engine is the core proxy engine that Fiddler uses to intercept and modify web traffic, packaged for embedding. You can integrate FiddlerCore into .NET applications and gain the benefit of automation across the full suite of Fiddler applications.

Differentiator: Automation of SSL decryption

What it can't do: It is not designed to be a pen test tool, but it helps to scan for vulnerabilities.

Cost: Free, with a paid version offering automation.