Let’s talk for a moment about love, relationships and commitment…
Most application security engineers I’ve met have already settled down and found their special one. They stick with that one, stay committed and never have a second thought about another. I’m talking about Burp and Fiddler.
To be honest, I was one of those guys. I had found Fiddler and we were exclusive for 5 years. It was a beautiful relationship. A perfect match it seemed. Every time my co-workers tried to introduce me to Burp it went in one ear and out of the other. I only had eyes for Fiddler. I was sure that Fiddler was the best choice for me. We were soulmates you might say. Burp, as I saw it was just cumbersome software for people who like to spend money.
More than a year ago I moved to California to start a new adventure in Silicon Valley and immediately realized two interesting things:
Motivated by these revelations I gave in, moved to Mac and decided it was time to give Burp a chance. I’m hoping to use my experiences to help others and now, I’ll try to convince you why you should use both Burp & Fiddler.
I’ve loved Fiddler for years. My connection was quick and clear. I know some of you might think that Fiddler is a tool just for web developers and no good for security engineers. I disagree. Let me share my philosophy about pentesting and why Fiddler is a perfect fit.
After a pentest, there are two types of reports you can present:
In order to fulfill the dynamic and flexible nature of the second type, you need the right “partner” – Fiddler. In my mind, every good pentest starts with the “evaluation” phase.
The app is used as a regular user checking the main functions to get to know the business logic. After getting a baseline of what the app does, you can drill in and focus on a specific area in the app. During the “drill in” process you should be continuously sniffing the app traffic with a web proxy.
Personally, this is my favorite part of the test – I try to feel more comfortable with the app by looking at the HTTP calls and asking myself questions, like:
Hundreds of different ideas and assumptions start to fill my head during the evaluation phase. Some of them might be silly like an attempt to exploit an SSRF with gopher://. While some lead to really impressive exploitations. All these ideas and assumptions need to be validated or disproved as quickly and smoothly as possible to be efficient. You don’t want to waste time moving between tabs or views – things that can distract your mind and slow down your process. You don’t want your tool getting in the way here.
Fiddler is the best tool for the evaluation phase. It has a great UI and a set of shortcuts that makes the process super easy and efficient. Here’s why:
Without this level of convenience the evaluation phase is much slower and exhausting with tools like Burp.
At first glance Burp is a more cumbersome tool especially when compared to Fiddler. As I’ve dug in I’ve found that it has a great framework and many features that can make life easier during a pentest. You can say that I’ve learned to love Burp too.
Comparing the two, the main advantages of Burp over Fiddler are:
On top of these advantages Burp can handle a large number of steps, large responses and it even has an automatic backup mechanism.
One last thing to mention not necessarily related to the comparison, but Burp is also a great automatic scanner with a “live audit” approach, differentiating it from many other scanners. This helps solve problems like expired tokens and insufficient crawlers’ discovery.
After a few weeks using Burp I was left wondering which tool to use. Fiddler, my first love, or Burp the one that I had previously overlooked. I found the perfect solution to use both – use Burp as a proxy to Fiddler! Here’s how I do it:
(Firefox is the best by the way)
Open Fiddler and go to “Tools” → “Options” → “Gateway”
I’ve been using this set up for more than a year, it works really great and I’m not compromising on the convenience of Fiddler or the rich features of Burp.
This combination let’s me use Fiddler as a whiteboard to quickly validate or disprove my ideas, and Burp to manage my findings and automate specific actions.
Here’s my screenshot from a pentest of “OWASP Juice Shop”. During the evaluation process I was testing the “add to basket” and this is how I used my setup:
In the same view you can see a few other vulnerabilities I found and documented. I also have the option to send this call to the “Intruder” tool, automate the exploitation and get all the details of the baskets.
Even though it might take some time to get used to this setup, I find the combination very efficient and it makes many of the things that I do smoother and faster.
I hope this post has opened your mind a bit and made you consider the benefits of both of these tools. I’d love to hear your thoughts on Burp or Fiddler in the comments below and if after reading this let me know if you’re considering using them together like I do.
Salt Security streamlines API security with automated protection for TripActions
Salt Security named by CRN as a top emerging vendor in security for our leadership role in API security