Capture HTTP/HTTPS traffic from Java programs with Fiddler

Fiddler is a handy tool which sits between two applications act as a proxy. It includes the ability to view, decrypt HTTP or HTTPS  traffic for debugging proposes. For instance, we need capture the all  HTTP or HTTPS request/responses from client Java  program to the server, and the HTTPS-secured traffic should be decrypted to plain text and displayed in  Fiddler.

1. Configure  Fiddler  as proxy and listens on port

Click on Tools -> Fiddler Options, to open the Fiddler Options dialog. Switch to the Connections tab, make sure the default Fiddler listens on port 8888 and select “act as system proxy on startup”.

2. Export Fiddler is Root Certificate and Import to JRE Keystore

Switch to the HTTPS tab.  Ensure the Decrypt HTTPS traffic checkbox is checked. Click the Export Fiddler Root Certificate to Desktop button, this will generate the file: FiddlerRoot.cer on your Desktop.

The Fiddler’s certificate is  self-signed and  not trusted by the JDK or web browser (since Fiddler is not a Trusted Root Certification authority), and hence we need import this Fiddler certificate into your local JVM trust keystore by the following command.

keytool -import -alias fiddlercert -file fiddlerRoot.cer -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

Tips: Fiddler2 relies on a “man-in-the-middle” approach to HTTPS interception. To the client program or web browser, Fiddler2 claims to be the secure web server, and to the web server, Fiddler2 mimics the web browser. In order to pretend to be the web server and dynamically generates a HTTPS certificate.

3. Start the Java program with Fiddler as the proxy

Configure the client Java program launch with Fiddler as the proxy, Here ire the VM args to configure the fiddler proxy:

jre -DproxySet=true -DproxyHost= -DproxyPort=8888 MyApp

Alternatively, we can modify the code to set system HTTP and HTTPS  proxyHost and port.

System.setProperty(“http.proxyHost”, “″);
System.setProperty(“https.proxyHost”, “″);
System.setProperty(“http.proxyPort”, “8888″);
System.setProperty(“https.proxyPort”, “8888″);

4. Monitor HTTPS request and response in  Inspectors tab

Once you launch your client program, you should clearly view the HTTPS session (request and response) in Inspectors tab.

Оцените статью
Добавить комментарий

Your email address will not be published. Required fields are marked *