​Today, we are going to discuss about a very common scenario which can compromise the security of your applications.Whenever developers do an authentication in any secured (HTTPS) application and we end up using any testing tool (burp/fiddler), password gets visible at application level. If you believe that exposed credentials are a risk to the application then you are correct.
​For example-  My application has username: swati and Password is password. This is how the credentials are exposed when I used Fiddler tool for intercepting request
​I have tested application using Fiddler tool and now explaining how it works.
There are three component here in case 1- Client device, 2- Interceptor(Burp or Fiddler), 3- Application Sever.
Step you might follow:
1 – You enter HTTPS enabled url in Browser and try to intercept in Fiddler, while you try to intercept. you will get fiddler prompt “HTTPS Decryption is disabled click to configure”, and you clicked on that prompt and that will redirect you to Fiddler -> Options -> HTTPS, and you checked on Decrypt HTTPS traffic which will ask you to install Fiddler root certificate, and ask you to configure in windows.
​If you select yes then Windows prompt you with warning  like
​If you click yes, again windows will prompt:
​If you click on yes, then with your consent you trusting on fiddler certificate and added to your device.
​In Windows Certificate manager you are able to see fiddler added certificate

​In doing so, you explicitly begin to trust any certificate signed by Fiddler’s root certificate. When you now make a https request, Fiddler will perform a Man in the middle attack with you.

In all you trusted Fiddler to decrypt your HTTPS request, by enabling to install signed certificate in your device, which should not be happen in this case.
Fiddler is installed in your device and from your device only you are accessing HTTPS site through installed browser, that’s not actually man in the middle you have all the things with you.
No one can installed any software or any CA certificate without your consent in your device, If you allow to do so, then no one can stop you.
If a person(intruder) wants to install CA certificate in your machine from his machine by some means, will you allow, I think you won’t. Then you are safe here.
I hope that this piece of information will help you to be more aware of the security risks while authenticating third party software.


​Swati Rajput

Swati Rajput is a IBM Certified Big Data Architect working as a Technical Analyst and a Client Advocate for the Marketing Suite at HCL.
Further Reading