In part one of these series I talked about how you can very easily capture mobile traffic using Fiddler.
In this second part, I will talk about how you can actually tamper with the traffic you send and receive to and from your mobile device.
Please note that tampering with traffic is not just limited to mobile traffic!
Whether you are a developer, penetration tester or just curious (I fit in to the latter category :)), being able to tamper with your requests and responses will give you a better insight in to what can be done with an application, how it will respond to specific input against what is expected, etc.
Assuming you have followed the first part of this series, tampering with the requests and responses is fairly simple.
Breakpointing all requests and responses
Go to the ‘Rules‘ tab at the top and select ‘Automatic Breakpoints‘. Now either select ‘Before Requests‘ or ‘After Responses‘.
Before requests means you can edit the request before it is sent to the server. You can also edit the response back to the client if you wish. I will show this later down.
After responses means you edit only what is sent back to the client.
Breakpointing a certain request
If you want to break point a certain request, for example POST requests sent to http://www.example.org/login, simply type bpu http://www.examle.org/login in to the little console bar like below:
Alternatively, if the request you want to breakpoint is already in the Fiddler window, just select it, type bpu then press CTRL+i and the URL will be autofilled for you.
When a breakpoint is hit, you will see a window like the below.
When you hit the breakpoint, you can tamper the request (the top pane).
When you are done, hit Break on Response to tamper the request back to the client (the bottom pane) or click Run to Completion to just tamper the request and not the response.
There is a lot you can do with Fiddler and this is only touching the surface.
Hope you found this short article useful.