An extension/rules for the Fiddler Classic web debugger to analyze malicious web traffic.
- Download and install Fiddler from here: https://www.telerik.com/fiddler
- Download and run EKFiddleExtension.exe
- Alternatively, download EKFiddle.dll and put it into Fiddler's Scripts folder (%AppData%\Local\Programs\Fiddler\Scripts)

Note: The EKFiddle.dll version replaces the previous CustomRules.cs.
The top level menu gives you the ability to access certain features and settings for the EKFiddle extension.
The Regexes menu item lets you view, edit, run and update the regexes that are used to identify web sessions and color them / add comments accordingly.
The AND/OR operators are supported, using this syntax:
[regex] *AND* [regex] *AND* [regex]
[regex] *OR* [regex] *OR* [regex]
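As an added example (not EKFiddle's own code), the following Python evaluates rule expressions written in this *AND* / *OR* syntax against request URLs and returns the names of the rules that match. The rule names, the sample rules, matching against the URL only, and the precedence used when both operators appear in one expression are assumptions for illustration.

```python
import re

# Constructed sample rules in the *AND* / *OR* syntax shown above.
# Assumption: each rule is (name, expression) and is tested against the
# request URL; EKFiddle's real rule files may carry more fields.
RULES = [
    ("Suspicious_landing_on_IP",
     r"\.php\?[a-z]{3,6}=[0-9]{2,4}&\w+=\w{10,} *AND* ^https?://[0-9]{1,3}(\.[0-9]{1,3}){3}/"),
    ("Known_ad_network",
     r"//ads\.example-cdn\.test/ *OR* //track\.example-cdn\.test/"),
]


def parse_expression(expr: str):
    """Split '[regex] *AND* [regex]' / '[regex] *OR* [regex]' into compiled groups.

    Returns a list of OR-alternatives, each an AND-list of compiled regexes.
    Assumption: *AND* binds tighter than *OR* when both appear (the page only
    shows chains of a single operator).
    """
    return [
        [re.compile(part.strip(), re.IGNORECASE) for part in alt.split("*AND*")]
        for alt in expr.split("*OR*")
    ]


def expression_matches(expr: str, text: str) -> bool:
    """True if any OR-alternative has every one of its AND-regexes found in text."""
    return any(all(rx.search(text) for rx in and_group)
               for and_group in parse_expression(expr))


def classify(url: str, rules=RULES):
    """Return the names of all rules whose expression matches the URL."""
    return [name for name, expr in rules if expression_matches(expr, url)]


if __name__ == "__main__":
    # Constructed sample sessions (documentation-range IP and .test domains).
    for sample in ("http://203.0.113.7/index.php?abc=123&sid=abcdefghijk",
                   "https://track.example-cdn.test/pixel.gif",
                   "http://www.example.test/index.php?abc=123&sid=abcdefghijk"):
        print(sample, "->", classify(sample))
```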
The Advanced Filters menu item is for filtering web traffic based on a compiled list of domains, URLs, IP addresses, or hashes that you want to exclude.
You can also filter traffic by tags.
Fiddler's default UI only shows a limited number of columns. By choosing the Advanced UI, you can view more information about web sessions, including CMS type, SHA-256, etc.
- Real-time monitoring
- CMS detection
- Inspect Images (slow)
These real-time options can be enabled to automatically flag traffic as web sessions are being captured. CMS detection attempts to identify what kind of Content Management System a website is running and displays it in a new column (Advanced UI required). Inspect Images looks at the content of supposed images to check whether they have the wrong MIME type or hide content (steganography).
Customize Fiddler's application and SAZ icons with the EKFiddle theme or retro versions of Fiddler.
Automate browsing tasks by loading a list of URLs from a text file and let Fiddler record all the traffic.
Connect to another proxy (anonymous or private) via Fiddler.
Check for the latest version of EKFiddle.
Displays the About page for the EKFiddle project.
The contextual menu (right click) allows you to perform additional actions on the selected web session(s).
- Copy
- Google Search
- Internet Archive Lookup
- Sucuri SiteCheck Scan
- Urlscan.io Lookup
- VirusTotal Lookup

- Copy
- Google Search
- Urlscan.io Lookup
- VirusTotal Lookup

- Copy SHA-256
- Copy SHA-1
- Copy MD5
- Save to Disk
- Urlscan.io Lookup
- VirusTotal Lookup

- Google Analytics ID
- Phone Number

- Hide Hostname
- Hide IP Address
- Hide URL
- Hide Response Body Hash
This feature enables you to see the flow between a web session and previous ones. This is helpful to retrace traffic.
Copies to the clipboard a text-based summary of web sessions that can easily be shared with others.
Add or edit tags (separate column in Advanced UI mode) for each web session.
- Delete EKFiddle.dll from Fiddler's Scripts folder and delete EKFiddle's folder (Documents\Fiddler2\EKFiddle).