
Writing Fiddler test scripts (how to run scripts in Fiddler)

三叶资源网 2022-10-02 19:18:50 Network Programming

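Earlier posts went through the various ways of capturing traffic but said little about HTTP, so this one focuses on capturing and analyzing HTTP traffic. The commonly used tools are Burp Suite, Charles and Fiddler. Fiddler gives the best experience on Windows, while Burp Suite, once you are proficient with it, is the more helpful tool for vulnerability analysis. Fiddler's configuration is fairly simple and there are plenty of tutorials online, so it is not covered here; the focus is on how to write Fiddler scripts that implement custom automation.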

First, the key functions:

OnBeforeRequest: runs before the request is sent

OnBeforeResponse: runs before the response is returned
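
As an added example (not from the original article or from Fiddler's own rules file), the two handlers laid out as they sit in the Handlers class of CustomRules.js, with a response-side rule that flags Set-Cookie headers missing Secure or HttpOnly. The attribute check, the colors and the column text are assumptions chosen for illustration.

```jscript
// Added example, not from the original article: where rule bodies live in CustomRules.js.
import System;
import Fiddler;

class Handlers
{
    // Called for every session before the request leaves Fiddler.
    static function OnBeforeRequest(oSession: Session) {
        // Request-side rule: highlight sessions that send cookies.
        if (oSession.oRequest.headers.Exists("Cookie")) {
            oSession["ui-color"] = "red";
        }
    }

    // Called once the response has been read, before it is handed to the client.
    static function OnBeforeResponse(oSession: Session) {
        var sWeak: String = "";

        // A response can carry several Set-Cookie headers, so walk them all.
        for (var x: int = 0; x < oSession.oResponse.headers.Count(); x++) {
            var oHeader = oSession.oResponse.headers[x];
            if (oHeader.Name.ToLower() != "set-cookie") continue;

            // Coarse check (assumption: a substring match is enough for triage).
            var sAttrs: String = oHeader.Value.ToLower();
            if (sAttrs.IndexOf("secure") < 0 || sAttrs.IndexOf("httponly") < 0) {
                // Record only the cookie name, never its value.
                var iEq: int = oHeader.Value.IndexOf("=");
                sWeak += ((iEq > 0) ? oHeader.Value.Substring(0, iEq) : oHeader.Value) + "; ";
            }
        }

        // Surface the finding in the session list.
        if (sWeak.Length > 0) {
            oSession["ui-color"] = "purple";
            oSession["ui-customcolumn"] = "weak cookie: " + sWeak;
        }
    }
}
```

The rule bodies go into the existing handlers opened with Rules > Customize Rules; Fiddler recompiles the script when the file is saved.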

Modifying requests

  • Add a request header and its value
    oSession.oRequest["NewHeaderName"] = "New header value";
  • Remove a response header
    oSession.oResponse.headers.Remove("Set-Cookie");
  • Change a request for one page to a different page on the same server
    if (oSession.PathAndQuery=="/version1.css") {
        oSession.PathAndQuery="/version2.css";
    }
  • Point a specific request at a resource on a different server
    if (oSession.url=="www.example.com/live.js") {
        oSession.url = "dev.example.com/workinprogress.js";
    }
  • Point all requests for one server at a different server
    if (oSession.HostnameIs("www.bayden.com")) {
        oSession.hostname="test.bayden.com";
    }
  • Point requests for a specific port at a different server
    if (oSession.host=="www.bayden.com:8080") {
        oSession.host="test.bayden.com:9090";
    }
  • Redirect all requests to a different server, including HTTPS tunnels
    // Redirect traffic, including HTTPS tunnels
    if (oSession.HTTPMethodIs("CONNECT") && (oSession.PathAndQuery == "www.example.com:443")) {
        oSession.PathAndQuery = "beta.example.com:443";
    }

    if (oSession.HostnameIs("www.example.com")) oSession.hostname = "beta.example.com";
  • Simulate a hosts entry by pinning a hostname to a specific IP
    // All requests for subdomain.example.com should be directed to the development server at 128.123.133.123
    if (oSession.HostnameIs("subdomain.example.com")){
        oSession.bypassGateway = true;                   // Prevent this request from going through an upstream proxy
        oSession["x-overrideHost"] = "128.123.133.123";  // DNS name or IP address of target server
    }
  • Prevent cookies from being sent
    oSession.oRequest.headers.Remove("Cookie");
  • Decode the response and update its headers automatically
    // Remove any compression or chunking from the response in order to make it easier to manipulate
    oSession.utilDecodeResponse();
  • Search for and replace HTML elements
    if (oSession.HostnameIs("www.bayden.com") && oSession.oResponse.headers.ExistsAndContains("Content-Type","text/html")){
        oSession.utilDecodeResponse();
        oSession.utilReplaceInResponse('<b>','<u>');
    }
  • Search the response for a string and mark matching sessions
    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "text/html") && oSession.utilFindInResponse("searchfor", false)>-1){
        oSession["ui-color"] = "red";
    }
  • Remove all div elements
    // If content-type is HTML, then remove all DIV tags
    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "html")){
        // Remove any compression or chunking
        oSession.utilDecodeResponse();
        var oBody = System.Text.Encoding.UTF8.GetString(oSession.responseBodyBytes);

        // Replace all instances of the DIV tag with an empty string
        var oRegEx = /<div[^>]*>(.*?)<\/div>/gi;
        oBody = oBody.replace(oRegEx, "");

        // Set the response body to the div-less string
        oSession.utilSetResponseBody(oBody);
    }
  • Change the User-Agent
    oSession.oRequest["User-Agent"]="Googlebot/2.X (+http://www.googlebot.com/bot.html)";
  • Request Hebrew content
    oSession.oRequest["Accept-Language"]="he";
  • Block requests for CSS files
    if (oSession.uriContains(".css")){
        oSession["ui-color"]="orange";
        oSession["ui-bold"]="true";
        oSession.oRequest.FailSession(404, "Blocked", "Fiddler blocked CSS file");
    }
  • Simulate HTTP Basic authentication
    if ((oSession.HostnameIs("www.example.com")) &&
        !oSession.oRequest.headers.Exists("Authorization"))
    {
        // Prevent IE's "Friendly Errors Messages" from hiding the error message by making response body longer than 512 chars.
        var oBody = "<html><body>[Fiddler] Authentication Required.<BR>".PadRight(512, ' ') + "</body></html>";
        oSession.utilSetResponseBody(oBody);
        // Build up the headers
        oSession.oResponse.headers.HTTPResponseCode = 401;
        oSession.oResponse.headers.HTTPResponseStatus = "401 Auth Required";
        oSession.oResponse["WWW-Authenticate"] = "Basic realm=\"Fiddler (just hit Ok)\"";
        // The headers collection must be reached through oSession
        oSession.oResponse.headers.Add("Content-Type", "text/html");
    }
  • Respond to a request with a file loaded from the \Captures\Responses folder
    if (oSession.PathAndQuery=="/version1.css") {
        oSession["x-replywithfile"] ="version2.css";
    }
  • Simulate modem upload speed (in the OnBeforeRequest function)
    // Delay sends by 300ms per KB uploaded.
    oSession["request-trickle-delay"] = "300";
  • Simulate modem download speed
    // Delay receives by 150ms per KB downloaded.
    oSession["response-trickle-delay"] = "150";
  • Flag responses that have no cache settings
    if (!(oSession.oResponse.headers.Exists("Expires")
        || (oSession.oResponse.headers.ExistsAndContains("Cache-Control", "age")))
        || (oSession.oResponse.headers.Exists("Vary"))){
        oSession["ui-color"]="brown"; // Use C# color strings here.
        oSession["ui-italic"]="true";
    }


Custom menus

  • Open the selected sessions in Firefox
    public static ContextAction("Open in Firefox")
    function DoOpenInIE(oSessions: Fiddler.Session[]){
        if (null == oSessions){
            MessageBox.Show("Please choose at least 1 session."); return;
        }
        for (var x = 0; x < oSessions.Length; x++){
            System.Diagnostics.Process.Start("firefox.exe", oSessions[x].url);
        }
    }
  • Create a submenu under Rules
    public static RulesOption("Non-Exclusive-Test", "User-Agent")
    var m_UANONRad: boolean = true;
  • Create a submenu with radio-button options
    public static RulesOption("Spoof Netscape &3.0", "User-Agent", true)
    var m_NS3: boolean = false;
    public static RulesOption("Spoof IE &6.0", "User-Agent", true)
    var m_IE6: boolean = false;
    public static RulesOption("Spoof nothing", "User-Agent", true)
    var m_UANONE: boolean = true;
  • Custom string option
    RulesString("&SubMenuName", true)
    RulesStringValue(0,"Option1Name", "Option1Value")
    RulesStringValue(1,"Option2Name", "Option2Value")
    RulesStringValue(2,"&Custom...", "%CUSTOM%")
    public static var sTheOptionValue: String = null;
  • Custom string option with a default selection
    RulesString("&SubMenuName", true)
    RulesStringValue(0,"Option1Name", "Option1Value")
    RulesStringValue(1,"Option2NameDEFAULT", "DefaultVal", true)
    RulesStringValue(2,"&Custom...", "%CUSTOM%")
    public static var sTheOptionValue: String = null;
  • Reload the script
    // Force a manual reload of the script file. Resets all
    // RulesOption variables to their defaults.
    public static ToolsAction("Reset Script")
    function DoManualReload(){
        FiddlerObject.ReloadScript();
    }
  • Clear all cookies and the cache
    // The function name DoResetIE is a placeholder; the attribute needs a function to attach to.
    public static ToolsAction("Reset IE")
    function DoResetIE(){
        FiddlerObject.UI.actClearWinINETCache();
        FiddlerObject.UI.actClearWinINETCookies();
    }


Customizing the Web Sessions list (OnBeforeRequest)

  • Show a timestamp in a custom format
    oSession["ui-customcolumn"] += DateTime.Now.ToString("h:mm:ss.ffff ");
  • Show the Set-Cookie header in the list (OnBeforeResponse)
    oSession["ui-customcolumn"] = oSession.oResponse["Set-Cookie"];
  • Show request cookies
    if (oSession.oRequest.headers.Exists("Cookie")) {
        oSession["ui-color"]="red";
        oSession["ui-customcolumn"] = oSession.oRequest["Cookie"];
    }
    else
        oSession["ui-color"]="green";
  • Hide .gif requests
    if (oSession.url.EndsWith(".gif")){
        oSession["ui-hide"]="hiding image requests";  //String value not important
    }
  • Hide sessions whose response is an image (OnBeforeResponse)
    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "image/")) {
        oSession["ui-hide"] = "hiding images"; // String value not important
    }
  • Hide domains you do not care about
    if (!oSession.HostnameIs("domainIcareabout.com")){
        oSession["ui-hide"] = "hiding boring domains"; // String value not important
    }
  • Always show 404 responses
    if (oSession.responseCode == 404){
        oSession.oFlags.Remove("ui-hide");
    }
  • Mark servers that set cookies (OnBeforeResponse)
    // Decode first so the body searches see the plain text
    oSession.utilDecodeResponse();
    if (oSession.oResponse.headers.Exists("Set-Cookie") ||
        oSession.utilFindInResponse("document.cookie", false)>-1 ||
        oSession.utilFindInResponse('HTTP-EQUIV="Set-Cookie"', false)>-1){
        oSession["ui-color"]="purple";
    }
  • Show redirect targets (OnBeforeResponse)
    if ((oSession.responseCode > 299) && (oSession.responseCode < 308)){
        oSession["ui-customcolumn"] = oSession.oResponse["Location"];
    }
  • Find specific strings in responses
    oSession.utilDecodeResponse();
    // Create a array of strings we're looking for.
    var oFindStrings = new Array( "XMLHttp", "onreadystatechange", "readyState", "responseBody", "responseText", "responseXML", "statusText", "abort", "getAllResponseHeaders", "getResponseHeader", "setRequestHeader");
    // For each target string, check the response to see if it's present.
    var iEach=0;
    oSession["ui-customcolumn"]=String.Empty;
    for (iEach; iEach<oFindStrings.length; iEach++){
        // utilFindInResponse returns -1 when there is no match
        if (oSession.utilFindInResponse(oFindStrings[iEach], false)>-1) {
            oSession["ui-color"]="purple";
            oSession["ui-customcolumn"] += oFindStrings[iEach]+"; ";
        }
    }

Breakpoints

  • Break on POST requests
    if (oSession.HTTPMethodIs("POST")){
        oSession["x-breakrequest"]="breaking for POST";
    }
  • Break on POST requests that contain a keyword
    if (oSession.HTTPMethodIs("POST") && (oSession.utilFindInRequest("thekeyword", true) > -1)){
        oSession["x-breakrequest"] = "keyword";
    }
  • Break on requests for a specific file type
    if (oSession.url.toLowerCase().indexOf(".xml")>-1){
        oSession["x-breakrequest"]="reason_XML";
    }
  • Break on responses that contain JavaScript
    if (oSession.oResponse.headers.ExistsAndContains("Content-Type", "javascript")){
        oSession["x-breakresponse"]="reason is JScript";
    }


Notifications

  • Play a sound on 404 (OnBeforeResponse)
    if (oSession.responseCode == 404){
        FiddlerObject.playSound("C:\\windows\\media\\ding.wav");
        oSession["ui-strikeout"]="true";
    }
  • Show the request body in a message box
    var oBodyString = oSession.GetRequestBodyAsString();
    if (oBodyString.Length > 0) FiddlerObject.alert(oBodyString);
