Fiddler is a free web debugging proxy that allows developers and security professionals to capture, inspect, modify, and replay HTTP/HTTPS traffic between a client (like a web browser or application) and a server on a Windows system. It operates by positioning itself as an intermediary, intercepting all network requests and responses that pass through it, providing granular control and visibility into web communications.
Setting Up Fiddler as Your Proxy
Installation
Fiddler Classic can be downloaded from its official Telerik page. Installation involves a standard Windows setup wizard. Upon first launch, Fiddler typically configures itself as the system proxy.
Fiddler's Default Proxy Configuration
By default, Fiddler listens on 127.0.0.1:8888. When Fiddler starts, it automatically modifies the Windows system proxy settings to direct traffic through this address. When Fiddler closes, it usually restores the original system proxy settings. This automatic configuration simplifies its use for general web debugging.
Capturing HTTPS Traffic
To inspect HTTPS traffic, Fiddler must decrypt it. This requires installing Fiddler's root certificate into the system's trusted certificate store.
- Navigate to `Tools > Options > HTTPS`.
- Enable `Capture HTTPS CONNECTs`.
- Enable `Decrypt HTTPS traffic`.
- Click `Actions`, then `Trust Root Certificate`. Confirm any security prompts.
Once the certificate is trusted, Fiddler can perform a man-in-the-middle attack on HTTPS connections, generating temporary certificates for each intercepted domain, signed by its trusted root. Clients configured to trust the Fiddler root certificate will then send traffic through Fiddler without security warnings.
Integrating Fiddler with an External Upstream Proxy
Organizations often utilize corporate proxies for network security, content filtering, or access control. Fiddler can be configured to forward its captured traffic through such an upstream proxy. This enables debugging applications behind a corporate proxy without bypassing the security infrastructure.
Configuring Fiddler to Use an Upstream Proxy
To chain Fiddler with an existing proxy:
- Navigate to `Tools > Options > Gateway`.
- Choose one of the following options:
  - Use System Proxy: Fiddler will attempt to use the proxy settings configured at the operating system level (e.g., in Internet Explorer's LAN settings). This is the default behavior.
  - Manual Proxy Configuration: Specify a custom upstream proxy.
    - Select `Manual Proxy Configuration`.
    - Enter the proxy address and port in the format `hostname:port` or `IP_address:port`. Example: `corporateproxy.example.com:8080`.
    - If the upstream proxy requires authentication, check `Authenticate with upstream proxy` and provide credentials.
- Click `OK` to apply changes.
Fiddler's Proxy Chaining Behavior
When Fiddler uses an upstream proxy, the traffic flow becomes:
Client (e.g., Browser) -> Fiddler (127.0.0.1:8888) -> Upstream Proxy -> Internet
Fiddler performs its capture and decryption functions, then forwards the (potentially re-encrypted) request to the configured upstream proxy. The upstream proxy then handles the routing to the final destination. This chaining adds an additional hop, which may introduce minor latency.
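As an added illustration of the two hops described above (this is example code written for this page, not Fiddler's own code, and it does not describe Fiddler's internal implementation), the following Python sketch builds the `CONNECT` request a client sends to Fiddler and the `CONNECT` that Fiddler in turn sends to the upstream proxy. It assumes an upstream proxy that accepts Basic proxy authentication (RFC 7617); the addresses are the page's own examples, and the credentials are constructed placeholders. The point it makes visible is that the client only ever talks to `127.0.0.1:8888` and never carries the upstream credentials itself.

```python
import base64
from typing import List, Optional, Tuple

# Addresses from the page: Fiddler's default listener and the example upstream proxy.
FIDDLER_ADDR = "127.0.0.1:8888"
UPSTREAM_ADDR = "corporateproxy.example.com:8080"


def client_connect_request(host: str, port: int = 443) -> bytes:
    """Hop 1: the CONNECT a browser sends to Fiddler to ask for a tunnel to host:port.

    The client knows nothing about the upstream proxy; it only talks to 127.0.0.1:8888.
    """
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_target(request: bytes) -> Tuple[str, int]:
    """Read host and port out of a CONNECT request line; a proxy must do this before forwarding."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, _, port = target.rpartition(":")
    return host, int(port)


def upstream_connect_request(client_request: bytes,
                             username: Optional[str] = None,
                             password: Optional[str] = None) -> bytes:
    """Hop 2: the CONNECT the intermediary proxy issues to the upstream proxy for the same target.

    When upstream authentication is enabled, the credentials travel on this hop only, as a
    Proxy-Authorization header (Basic scheme assumed here). The client never sees them.
    """
    host, port = parse_connect_target(client_request)
    target = f"{host}:{port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode("utf-8")).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def chain_trace(host: str, port: int = 443,
                username: Optional[str] = None,
                password: Optional[str] = None) -> List[Tuple[str, bytes]]:
    """Return both hops in order: (label, raw message) for the client hop and the upstream hop."""
    hop1 = client_connect_request(host, port)
    hop2 = upstream_connect_request(hop1, username, password)
    return [("client -> " + FIDDLER_ADDR, hop1), ("Fiddler -> " + UPSTREAM_ADDR, hop2)]


if __name__ == "__main__":
    # Constructed credentials; nothing here connects to a network.
    for label, message in chain_trace("www.example.com", 443, "svc_account", "s3cret"):
        print(label)
        print(message.decode("ascii"))
```

The TLS handshake and the decrypted-then-re-encrypted application data that flow inside the tunnel after the `200 Connection established` replies are not shown; the sketch covers only the two tunnel-setup messages.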
Analyzing Traffic with Fiddler
The Session List
The primary interface displays a list of captured sessions. Each row represents an HTTP/HTTPS request and its corresponding response. Key columns include:
* Result: HTTP status code.
* Protocol: HTTP or HTTPS.
* Host: Target server hostname.
* URL: Full request URL.
* Body: Size of the response body.
* Caching: Caching directives.
Inspectors
The Inspectors tab provides detailed views of selected requests and responses.
- Request Inspectors:
- Headers: Displays all HTTP request headers.
- WebForms: Shows URL-encoded form data.
- Raw: Presents the complete raw HTTP request.
- JSON/XML: Formatted view for JSON/XML request bodies.
- Response Inspectors:
- Headers: Displays all HTTP response headers.
- TextView: Plain text view of the response body.
- ImageView: Renders image responses.
- Raw: Presents the complete raw HTTP response.
- JSON/XML: Formatted view for JSON/XML response bodies.
AutoResponder
The AutoResponder tab allows intercepting requests and responding with local files or custom data without contacting the server. This is useful for:
* Mocking APIs: Simulating server responses for development and testing.
* Testing error conditions: Returning specific HTTP status codes.
* Modifying content: Injecting local JavaScript or CSS files.
Rules can be defined using exact matches, wildcards, or regular expressions.
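The following Python example is added here to show the three matching modes in a small responder of its own; it is not Fiddler's code and does not reproduce Fiddler's exact rule syntax. The rule forms it assumes are an `EXACT:` prefix for exact URL matches, a `regex:` prefix for regular expressions, and a glob-style wildcard pattern otherwise; the sample rules and URLs are constructed for the example. As in a real AutoResponder list, the first matching rule wins, so rule order matters.

```python
import fnmatch
import re
from dataclasses import dataclass
from http import HTTPStatus
from typing import List, Optional


@dataclass
class Rule:
    """One AutoResponder-style rule: a match expression and the canned response it returns."""
    match: str            # "EXACT:<url>", "regex:<pattern>", or a wildcard pattern such as "*/api/*"
    status: int
    body: str
    content_type: str = "application/json"


def rule_matches(rule: Rule, url: str) -> bool:
    """Decide whether a rule applies to a URL, in the three modes the page names."""
    if rule.match.startswith("EXACT:"):
        return url == rule.match[len("EXACT:"):]
    if rule.match.startswith("regex:"):
        return re.search(rule.match[len("regex:"):], url, re.IGNORECASE) is not None
    # Wildcard mode: '*' matches any run of characters, including '/'. fnmatch also treats
    # '?' and '[' specially, so a literal '?' in a pattern has to be written as '[?]'.
    return fnmatch.fnmatchcase(url.lower(), rule.match.lower())


def build_response(rule: Rule) -> bytes:
    """Serialize the canned response as raw HTTP/1.1, the way a client would receive it."""
    body = rule.body.encode("utf-8")
    head = (f"HTTP/1.1 {rule.status} {HTTPStatus(rule.status).phrase}\r\n"
            f"Content-Type: {rule.content_type}\r\n"
            f"Content-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def respond(rules: List[Rule], url: str) -> Optional[bytes]:
    """First matching rule wins; None means 'no rule applies, pass the request to the real server'."""
    for rule in rules:
        if rule_matches(rule, url):
            return build_response(rule)
    return None


def response_status(response: bytes) -> int:
    """Pull the numeric status code out of a raw response (handy for checks and tests)."""
    return int(response.split(b" ", 2)[1])


# Constructed sample rule set: mock a static file, force an error for order lookups, mock the rest of the API.
SAMPLE_RULES = [
    Rule("EXACT:https://www.example.com/static/app.js", 200, "console.log('mock build');", "application/javascript"),
    Rule(r"regex:/v1/orders/\d+$", 503, '{"error": "upstream unavailable"}'),
    Rule("*://api.example.com/v1/*", 200, '{"users": []}'),
]


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "https://api.example.com/v1/orders/42",
                "https://www.example.com/static/app.js",
                "https://www.example.com/index.html"):
        result = respond(SAMPLE_RULES, url)
        print(url, "->", "pass-through" if result is None else result.split(b"\r\n", 1)[0].decode())
```

Because the regex rule precedes the wildcard rule, `/v1/orders/42` returns the mocked 503 even though the wildcard would also match it; swapping the two rules would change the outcome, which is worth remembering when a mock "stops working" after rules are reordered.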
Composer
The Composer tab allows users to manually craft and execute HTTP requests. This is useful for:
* Replaying requests: Re-sending a previously captured request, potentially with modifications.
* Testing API endpoints: Sending custom requests to check API behavior.
* Fuzzing: Repeatedly sending requests with varied parameters.
Users can modify URL, headers, and request body before executing the request.
Filters
The Filters tab enables filtering the session list to focus on relevant traffic.
* Hosts: Show or hide traffic to specific hostnames.
* Processes: Filter traffic by the originating Windows process (e.g., only show traffic from chrome.exe).
* URL Content: Hide sessions where the URL contains specific strings.
* Status Codes: Display only sessions with certain HTTP status codes.
Example filter to show only traffic from a specific host:
// In the 'Hosts' section, check 'Show only traffic from the following Hosts'
// Add 'example.com' to the list.
Common Use Cases for Proxy Analysis
Debugging Web Applications
Fiddler helps diagnose issues such as:
* Incorrectly sent request parameters.
* Unexpected server responses or error codes.
* Missing or malformed HTTP headers.
* Cross-origin resource sharing (CORS) issues.
Security Testing
- Authentication Flow Analysis: Intercepting login requests to check for secure credential transmission.
- Vulnerability Identification: Detecting unencrypted sensitive data, insecure HTTP headers, or misconfigurations.
- Session Management: Analyzing cookie attributes and session token usage.
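The following Python example is added here to show what the header and cookie analysis looks like in code; it is not Fiddler's own code. It parses a response in the form Fiddler's Raw inspector displays it (the sample response is constructed, not captured from any real site), flags `Set-Cookie` headers that lack `Secure`, `HttpOnly` or `SameSite`, and reports expected security headers that are missing or carry an unexpected value. The list of expected headers is a minimal, assumed baseline chosen for the example, not a complete standard.

```python
from typing import Dict, List, Tuple

# Constructed sample of a response, in the form Fiddler's Raw inspector shows it (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: csrftoken=xyz789; Path=/; Secure; SameSite=Lax\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)

# Assumed baseline of headers a hardened site sends; None means "any value, just be present".
EXPECTED_HEADERS = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
}

# Set-Cookie attributes a session cookie should carry, as (lower-cased key, display label).
COOKIE_ATTRIBUTES = (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Split a raw response into status line, (lower-cased name, value) header pairs and body.

    Headers are kept as a list rather than a dict because Set-Cookie legitimately repeats.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Report expected security headers that are absent or have an unexpected value."""
    present = {name: value for name, value in headers}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header: {name}")
        elif expected is not None and present[name].lower() != expected:
            findings.append(f"unexpected value for {name}: {present[name]}")
    return findings


def audit_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective attributes its Set-Cookie header lacks."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute keys only: "Secure" has no value, "SameSite=Lax" does; both are keyed the same way.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [label for key, label in COOKIE_ATTRIBUTES if key not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def audit(raw: bytes) -> Dict[str, object]:
    """Run both checks over one raw response and return the findings together."""
    status_line, headers, _body = parse_response(raw)
    return {"status": status_line, "headers": audit_headers(headers), "cookies": audit_cookies(headers)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

Run against the sample, the audit reports that `sessionid` is sent without `Secure` and `SameSite` (so it would also travel over plain HTTP), that `csrftoken` lacks `HttpOnly`, and that HSTS and a Content-Security-Policy are absent. Pasting a response from the Raw inspector into `SAMPLE_RESPONSE` is enough to check a real capture the same way.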
Performance Optimization
- Resource Loading: Identifying large assets, slow loading times, or inefficient caching strategies (e.g., missing `Cache-Control` headers).
- Request Overhead: Examining the number and size of requests to optimize network utilization.
API Development and Testing
- API Inspection: Understanding how an application interacts with its backend APIs.
- API Mocking: Using AutoResponder to simulate various API responses for client-side development.
- Endpoint Validation: Using Composer to test API endpoints with different payloads and parameters.
Fiddler vs. Other Proxy Tools
| Feature | Fiddler Classic (Windows) | Burp Suite Community (Cross-platform) | Charles Proxy (Cross-platform) |
|---|---|---|---|
| Primary Focus | General web debugging, development, performance. | Web security testing, penetration testing. | General web debugging, development, performance. |
| Cost | Free | Free (Community Edition), Paid (Professional Edition) | Paid (Trial available) |
| OS Support | Windows | Windows, macOS, Linux | Windows, macOS, Linux |
| HTTPS Decrypt | Yes, with root certificate installation. | Yes, with root certificate installation. | Yes, with root certificate installation. |
| Key Features | AutoResponder, Composer, Filters, extensive Inspectors. | Proxy, Intruder, Repeater, Sequencer, Decoder, Scanner (Pro). | Proxy, Rewrite, Map Local/Remote, Throttling, DNS spoofing. |
| Scripting | FiddlerScript (JScript.NET) for custom rules and extensions. | Extensions (Java, Python, Ruby). | Custom plugins (Java). |
| Usability | User-friendly for developers and testers. | Steeper learning curve, geared towards security professionals. | Intuitive UI, good for general debugging. |
Troubleshooting Fiddler Proxy Issues
Traffic Not Appearing
- Fiddler Capture Status: Ensure `File > Capture Traffic` is checked (or press F12). The status bar should show "Capturing".
- System Proxy Settings: Verify that Fiddler has successfully configured the system proxy. Go to `Tools > Options > Connections` and ensure `Act as system proxy on startup` is checked.
- Client Configuration: If debugging a non-browser application, ensure it is configured to use Fiddler's proxy (`127.0.0.1:8888`).
- Firewall: Check if a firewall is blocking Fiddler's port or network access.
HTTPS Decryption Errors
- Certificate Trust: Confirm the Fiddler Root Certificate is correctly installed and trusted in the system and browser. Re-run `Actions > Trust Root Certificate` under `Tools > Options > HTTPS`.
- Application-Specific Trust Stores: Some applications (e.g., mobile apps, Java applications) use their own certificate trust stores, bypassing the system's store. These may require manual installation of the Fiddler certificate into their specific trust store or disabling certificate pinning.
- Expired Certificates: Ensure the Fiddler root certificate is not expired.
Upstream Proxy Connectivity
- Correct Address/Port: Double-check the upstream proxy address and port in `Tools > Options > Gateway`.
- Authentication: If the upstream proxy requires authentication, verify the credentials provided in Fiddler.
- Network Reachability: Confirm that the machine running Fiddler can reach the upstream proxy server. Use `ping` or `telnet` to test connectivity to the upstream proxy's IP and port.
- Upstream Proxy Logs: Consult the logs of the upstream proxy for connection refusal or authentication errors.