How do I use Fiddler to modify the status code in an HTTP response?

Question

I need to test some client application code I\'ve written to test its\' handling of various status codes returned in an HTTP response from a web server.

I have Fiddler 2

Answer 1

Another alternative is to use Fiddler's AutoResponder tab (on the right-hand panel). This allows you to catch a request to any URI that matches a string and serve a "canned" response from a file. The file can contain both headers and payload. The advantage of this approach is that you don't have to write FiddlerScript and you don't have to handle each request manually via a breakpoint.

You would set the rule up in Fiddler like shown below (ensure you enable unmatched requests passthrough otherwise all other http requests will fail).

In this example, any request whose URI includes "fooBar" will get the canned response. The format of the file will vary depending on your APIs (you can use your browser to intercept a "real" response and base it on that) but mine looked like the following:

HTTP/1.1 409 Conflict
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, PATCH, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Max-Age: 86400
Content-Type: application/vnd.api+json
Content-Length: 149
Date: Tue, 28 Mar 2017 10:03:29 GMT

{"errors":[{"code":"OutOfStock","detail":"Item not in stock","source":{"lineId":{"type":"Order line Number","id":"1"}},"meta":{"availableStock":0}}]}

I found that it needed a carriage return at the end of the last line (i.e. after the json), and that the Content-Length header had to match the number of characters in the json, otherwise the webapp would hang. Your mileage may vary.

Answer 2

Create a FiddlerScript rule. Here's what I used in order to generate a local copy of a website that was intentionally using 403 on every page to thwart HTTrack/WGET. https://gist.github.com/JamoCA/22db8d68a9a2fb20cb04a85360185333

/* 20180615 Fiddler rule to ignore all 403 HTTP Status errors so WGET or HTTrack can generate local copy of remote website */
   SCENARIO: Changing the user agent or setting a delay isn't enough and the entire remote server is configured to respond w/403.
   CONFIGURE: Add below rule to FiddlerScript OnBeforeReponse() section.  Configure HTTrack/WGET/CRON to use proxy 127.0.0.01:8888 */

static function OnBeforeResponse(oSession: Session) {
  if (oSession.HostnameIs("TARGETHOSTNAME_FILTER.com") && oSession.responseCode == 403) {
    oSession.responseCode = 200;
    oSession.oResponse.headers.HTTPResponseCode = 200;
    oSession.oResponse.headers.HTTPResponseStatus = "200 OK";
  }
}

Answer 3

Ok, so I assume that you're already able to monitor your client/server traffic. What you want to do is set a breakpoint on the response then fiddle with it before sending it on to the client.

Here are a couple of different ways to do that:

1. Rules > Automatic Breakpoints > After Responses
2. In the quickexec box (the black box at the bottom) type "bpafter yourpage.svc". Now Fiddler will stop at a breakpoint before all requests to any URL that contains "yourpage.svc". Type "bpafter" with no parameters to clear the breakpoint.
3. Programmatically tamper with the response using FiddlerScript. The best documentation for FiddlerScript is on the official site: http://www.fiddler2.com/Fiddler/dev/

Once you've got a response stopped at the breakpoint, just double click it to open it in the inspectors. You've got a couple of options now:

1. Right next to the green Run to Completion button (which you click to send the response) there's a dropdown that lets you choose some default response types.
2. Or, on the Headers inspector, change the response code & message in the textbox at the top.
3. Or, click the "Raw" inspector and mess with the raw response to do arbitrary things to it. Also a good way to see what your client does when it gets a malformed response, which you'll probably test accidentally :)