Fiddler: Pen Testing Product Overview and Analysis

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

Bottom Line

Fiddler is a useful collection of manual tools for dealing with web debugging, web session manipulation, and security and performance testing. However, it is probably most useful for those deploying the paid version on the .NET framework, as that comes with many automation features.

Type of tool: Web debugging proxy

Key features: Fiddler is a package of testing tools for discovering and resolving security issues. It includes: Watcher, which observes browser interactions with a website, scans requests and responses, and flags potential vulnerabilities; x5s, which tests for cross-site scripting bugs caused by character-set related issues; intruder21, which fuzz tests web applications by generating fuzzed payloads and launching them against a website; and Ammonite, which detects common website vulnerabilities such as SQL injection, OS command injection, cross-site scripting, file inclusion, and buffer overflows.

Fiddler can automate SSL decryption, too. With the decryption feature enabled, users can choose to decrypt traffic from all processes, from browsers only, from non-browser processes only, or from remote clients. This process filter is useful because it avoids decrypting traffic users don’t care about.

Fiddler itself is free. The paid version, known as Telerik FiddlerCore Embedded Engine, is the core proxy engine that Fiddler uses to intercept and modify web traffic. You can integrate FiddlerCore into .NET applications and gain the benefit of automation across the full suite of Fiddler applications.

Differentiator: Automation of SSL decryption

What it can’t do: It is not designed to be a pen test tool, but it helps to scan for vulnerabilities.

Cost: Free, with a paid version offering automation.

Drew Robb