Today we are going to discuss a very common scenario which can compromise the security of your applications. Whenever a developer authenticates to a secured (HTTPS) application while a testing tool (Burp or Fiddler) is in use, the password becomes visible at the application level. If you believe that exposed credentials are a risk to the application, then you are correct.
For example, my application has the username swati and the password password. This is how the credentials were exposed when I used the Fiddler tool to intercept the request:
I tested the application using Fiddler and will now explain how it works.
There are three components here: 1. the client device, 2. the interceptor (Burp or Fiddler), 3. the application server.
The steps you might follow:
1. You enter an HTTPS-enabled URL in the browser and try to intercept it in Fiddler. While you try to intercept, Fiddler shows the prompt "HTTPS Decryption is disabled, click to configure". You click that prompt, which takes you to Fiddler -> Options -> HTTPS, and you check "Decrypt HTTPS traffic". Fiddler then asks you to install its root certificate and to configure it in Windows.
If you select yes, Windows prompts you with a warning like this:
If you click yes, Windows prompts again:
If you click yes, then with your consent you are trusting the Fiddler certificate, and it is added to your device.
In the Windows Certificate Manager you can see the certificate that Fiddler added.

In doing so, you explicitly begin to trust any certificate signed by Fiddler's root certificate. When you now make an HTTPS request, Fiddler performs a man-in-the-middle attack on you.

In all, you trusted Fiddler to decrypt your HTTPS requests by allowing it to install its signed certificate on your device, which should not happen in this case.
Fiddler is installed on your device, and it is from your device alone that you access the HTTPS site through the installed browser; that is not really a man in the middle, since you hold all the pieces yourself.
No one can install any software or any CA certificate on your device without your consent. If you allow it, then no one can stop you.
If a person (an intruder) wanted to install a CA certificate on your machine from his machine by some means, would you allow it? I think you would not. Then you are safe here.
I hope this piece of information helps you to be more aware of the security risks when authenticating through third-party software.
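One way to check whether such a root certificate is present on a Windows machine, as an added example that is not part of the original post: the PowerShell script below lists self-signed roots in the user and machine Root stores whose subject matches common interception-proxy names or whose validity started recently (the name patterns and the 30-day window are assumptions to adjust for your environment).

```powershell
# Added example (not from the original post): audit the Windows Root stores for
# interception-proxy root certificates such as the one Fiddler installs.
# Assumptions: the subject-name patterns below are typical tool defaults, and a
# root whose validity started recently is treated as worth a second look.
$stores          = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')
$suspectPatterns = @('*Fiddler*', '*PortSwigger*', '*Burp*', '*mitmproxy*', '*Charles*')
$recentDays      = 30
$cutoff          = (Get-Date).AddDays(-$recentDays)

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # A root certificate issues itself, so subject and issuer are identical.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $nameHit    = $false
        foreach ($pattern in $suspectPatterns) {
            if ($cert.Subject -like $pattern) { $nameHit = $true }
        }
        # NotBefore is the validity start, not the install date, but tools like
        # Fiddler generate their root when decryption is enabled, so it is close.
        $recent = ($cert.NotBefore -gt $cutoff)
        if ($selfSigned -and ($nameHit -or $recent)) {
            if ($nameHit) { $reason = 'subject matches an interception proxy' }
            else          { $reason = "validity started within the last $recentDays days" }
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                Reason     = $reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # To remove a root you did not intend to trust, delete it by thumbprint, e.g.:
    #   Remove-Item -Path "Cert:\CurrentUser\Root\<thumbprint>"
} else {
    Write-Output "No suspicious self-signed roots found in $($stores -join ', ')"
}
```

Reading the LocalMachine store needs no elevation, but removing a certificate from it does.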


Swati Rajput

Swati Rajput is a IBM Certified Big Data Architect working as a Technical Analyst and a Client Advocate for the Marketing Suite at HCL.