Fiddler is a web debugging proxy for logging HTTP/S traffic: inspect traffic, mock requests and responses, share sessions, and collaborate within teams to debug issues.

Picture 5: XSS results in the x5s Fiddler plugin.

Selecting a result shows a description in the lower pane. It reports where the injected preamble was found on the page together with the XSS test characters. Look at the detail and analyze it: the red text in the description marks the preamble's occurrence on the page.
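As an added example (not code from this page, from the x5s plugin, or from Fiddler), the Python check below reproduces the classification behind that result pane: given the canary preamble and the response returned for each probe character, it reports whether the character that followed the preamble came back raw, entity-encoded, or transformed. The preamble `x5sq` and the response bodies are constructed sample data.

```python
import re

# Characters an x5s-style probe appends to the preamble; each must be
# neutralised by the application's HTML output encoding.
PROBE_CHARS = ("<", ">", '"', "'", "&")

# Entity spellings that count as a safely encoded reflection of each probe.
SAFE_FORMS = {
    "<": ("&lt;", "&#60;", "&#x3c;", "&#x3C;"),
    ">": ("&gt;", "&#62;", "&#x3e;", "&#x3E;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
    "&": ("&amp;", "&#38;", "&#x26;"),
}


def classify_reflections(body, preamble, probe):
    """Locate every copy of the preamble in a response body and report how the
    probe character sent right after it came back: 'raw' (unencoded, the case
    x5s highlights in red), 'encoded' (one of SAFE_FORMS), or 'transformed'
    (stripped or rewritten to something else)."""
    verdicts = []
    for m in re.finditer(re.escape(preamble), body):
        tail = body[m.end():m.end() + 8]
        if tail.startswith(probe):
            verdict = "raw"
        elif tail.startswith(SAFE_FORMS[probe]):
            verdict = "encoded"
        else:
            verdict = "transformed"
        verdicts.append((m.start(), verdict))
    return verdicts


def unsafe_reflections(responses, preamble):
    """responses maps each probe char to the body returned when preamble+probe
    was submitted. Returns the (probe, offset) pairs that came back raw,
    i.e. the findings a reviewer must look at."""
    return [(probe, off)
            for probe, body in responses.items()
            for off, verdict in classify_reflections(body, preamble, probe)
            if verdict == "raw"]


# Constructed sample: a search page echoing the query in three places.
PREAMBLE = "x5sq"  # hypothetical canary, chosen to be unlikely in normal content
SAMPLE_RESPONSES = {
    "<": '<title>Results for x5sq&lt;</title><div data-q="x5sq<"></div>',
    '"': '<input value="x5sq&quot;">',
    "'": "<p>You searched for x5sq</p>",  # apostrophe silently stripped
}

if __name__ == "__main__":
    for hit in unsafe_reflections(SAMPLE_RESPONSES, PREAMBLE):
        print("raw reflection of %r at offset %d" % hit)
```

The sample flags only the attribute reflection of `<`; the encoded `<title>` copy and the stripped apostrophe are reported as safe or transformed rather than as findings.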


A brief synopsis of my Xbox research.



Xbox Live Messaging - RCE Via Embedded Content

The Xbox messaging system supports the embedding of protocols for one-click redemption of service messages containing 5x5 game codes, viewing shared images, club invites, etc. By crafting my own service message while chaining another vulnerability that allowed remote custom WinJS execution (i.e. ToastMyConsole), I was able to construct a message allowing remote code execution on any console, provided the user interacted with the message and clicked the button.

Xbox Edge Browser - File System Exposure

Edge's address bar allowed access to local files on the device via the file: protocol. This functionality is used for viewing local PDFs, etc. However, as the Xbox file system isn't normally accessible, this allowed the dumping of Xbox binaries. Any valid path would trigger a download prompt, copying the file to the user's download folder, which is accessible via the File Browser application.

Side note: the File Explorer application was disabled due to 'Limited Usage'.

Partner Center - Sandbox Shambles

Due to an oversight with the client-side authorization system, I was able to create and take over sandboxes belonging to publishers, essentially merging them into my account, allowing access to all of their products within said sandbox.


Microsoft Store - App Package Pulling (FE3)

By reverse engineering the Microsoft Store client, I was able to develop tools to pull packages for almost any app/game, be it internal or paid.

See my GitHub repo for a more in-depth look into the API and its capabilities.

Kiosk Mode - Abusing MSXB_KIOSK.xvd

Activation of kiosk mode is triggered on startup by the presence of 'MSXB_Kiosk.xvd' on an external USB drive. The console then checks the XVD's content-type to make sure it matches that of 'Kiosk' before mounting. It is possible, however, to change the content-type of any Green-encrypted XVD to 'Kiosk'. Renaming the modified XVD to MSXB_Kiosk and placing it on a USB drive causes the console to mount the XVD on the next boot, exposing its contents.

Windows Update – Ability to Pull Canary Builds

The Windows Update (FE3) service failed to perform authorization checks against the Device ID requesting a Canary build, allowing me to download IoT Canary builds for all four supported architectures.

Xbox Flighting – MITM via Fiddler

By using Fiddler Web Debugger in Dev Mode, it's possible to edit incoming flighting data, including enabling internal flighting, enabling various LiveSettings, etc.

Registry path: HKLMXboxSoftwareMicrosoftDurangoLiveSettings

Network Transfer Manager – Cross Mode Installation


By reverse engineering the network transfer manager process, I was able to develop a tool that emulates a console with NT (Network Transfer) enabled. Using this, I can install developer packages to Retail Mode and retail games/apps to Developer Mode.

Service location: C:\Windows\System32\NetworkTransferManagerService.exe

Live Domain – PII Disclosure

The storage.live.com profile endpoint failed to perform authentication checks on the requesting user, allowing one to request personal details for any MSA, including name, address and OneDrive contents.

Developer Domain – App Name field vulnerable to XSS

UDC was vulnerable to XSS: setting a crafted string as the application's name resulted in a successful cross-site scripting attack.

Vega helps you find and fix cross-site scripting (XSS), SQL injection, and more.

Vega is a free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega can help you find vulnerabilities such as: reflected cross-site scripting, stored cross-site scripting, blind SQL injection, remote file include, shell injection, and others. Vega also probes for TLS / SSL security settings and identifies opportunities for improving the security of your TLS servers.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.

Vega was developed by Subgraph in Montreal.

Automated Scanner

Vega includes a website crawler powering its automated scanner. Vega can automatically log into websites when supplied with user credentials.

Intercepting Proxy

Vega can be used to observe and interact with communication between clients and servers, and will perform SSL interception for HTTP websites.

Proxy Scanner

The Vega proxy can also be configured to run attack modules while the user is browsing the target site through it. This allows for semi-automated, user-driven security testing to ensure maximum code coverage.

GUI-Based

Vega has a well-designed graphical user interface.

Multi-Platform

Vega is written in Java and runs on Linux, OS X, and Windows.

Extensible


Vega detection modules are written in JavaScript. It is easy to create new attack modules using the rich API exposed by Vega.