Update 4/15/2019 – added GraphRbacManagementClient section

Introduction:

Capturing encrypted HTTPS traffic from Python with Fiddler can be tricky, mainly for two reasons: Python libraries such as requests use their own trusted certificate bundle instead of the OS certificate store, so the certificate Fiddler presents is rejected, and in several scenarios Python does not pick up the system proxy that Fiddler registers, so the traffic never reaches Fiddler at all.  Every workaround below turns off certificate verification, which removes the protection against a man-in-the-middle; use it only in a debugging session and never leave it in code that ships.  This post covers how to capture SSL traffic with Fiddler in a few different scenarios:

ADAL for Python:

The problem in this case is that you get an SSL error about the certificate, because Python does not trust the Fiddler root certificate.  There are two ways to resolve this:

  1. Set the following environment variable at the start of the application, before the AuthenticationContext object is created:

import os

# ADAL checks this variable and skips certificate verification when it is set
os.environ['ADAL_PYTHON_SSL_NO_VERIFY'] = "1"

  2. Pass the verify_ssl flag to the AuthenticationContext constructor:

import adal

# use verify_ssl=False to capture Fiddler traffic (authority is the tenant's login URL)
context = adal.AuthenticationContext(authority, verify_ssl=False)

Python Requests Module:

The requests module does not pick up the system proxy that Fiddler configures, so the request has to be pointed at the Fiddler proxy explicitly (requests does honour the HTTP_PROXY and HTTPS_PROXY environment variables, so exporting those is an alternative to the proxies argument).  Below is an example showing how to do this.

Note:  Usually Fiddler is configured to listen on port 8888. I have changed this on my system to use port 9999.

import requests

# token is the dictionary returned by the ADAL acquire_token_* call
access_token = token.get('accessToken')

endpoint = 'https://graph.windows.net/<mytenant>.onmicrosoft.com/users/test1@<mytenant>.onmicrosoft.com?api-version=1.6'

headers = {"Authorization": 'Bearer ' + access_token}

# both schemes go to Fiddler's plain-HTTP listener, so the https entry also
# uses http:// (the original http:127.0.0.1:9999 was missing the //);
# verify=False because Python does not trust the Fiddler root certificate
proxies = {"http": "http://127.0.0.1:9999", "https": "http://127.0.0.1:9999"}

json_output = requests.get(endpoint, headers=headers, proxies=proxies, verify=False).json()

AAD Libraries for Python / GraphRbacManagementClient:

from azure.graphrbac import GraphRbacManagementClient
from azure.common.credentials import UserPassCredentials

# verify=False here applies to the token request the credential object makes itself
credentials = UserPassCredentials(
      "<username>",    # Your user name
      "<password>",    # Your password
      resource="https://graph.windows.net",
      verify=False
)
tenant_id = "<tenant name or tenant id>"
graphrbac_client = GraphRbacManagementClient(credentials, tenant_id)
# the Graph calls go through the msrest pipeline, which has its own verify setting
graphrbac_client.config.connection.verify = False
res = graphrbac_client.users.get("<UPN or ObjectID>")
print(res.display_name)
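The three sections above all make the same two changes by hand: point the library at 127.0.0.1:&lt;port&gt; and switch certificate verification off. The following is an added example, not code from the original post, that puts both behind a single switch so the insecure settings cannot leak into a non-debug run, and that, instead of verify=False, lets you keep verification on by trusting Fiddler's exported root certificate. The FIDDLER_CAPTURE, FIDDLER_PORT and FIDDLER_CA_BUNDLE variables and all function names are this example's own convention; the library arguments it uses (ADAL's verify_ssl and proxies, requests' proxies and verify, UserPassCredentials' verify and proxies, msrest's config.connection.verify and config.proxies.add) are the libraries' real ones.

```python
"""Added example: one switch deciding whether Python HTTPS calls go through
Fiddler. FIDDLER_CAPTURE, FIDDLER_PORT and FIDDLER_CA_BUNDLE are this
example's own convention (assumed, not part of ADAL, requests or msrest)."""
import os
from typing import Dict, Optional, Tuple, Union
from urllib.parse import urlsplit

FIDDLER_HOST = "127.0.0.1"
Verify = Union[bool, str]  # requests/msrest accept True/False or a CA bundle path


def validate_proxy_url(url: str) -> str:
    """Reject malformed proxy URLs such as 'http:127.0.0.1:9999' (missing '//'),
    which would not send the traffic where you expect."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname or parts.port is None:
        raise ValueError("proxy URL must be http://host:port, got %r" % url)
    return url


def fiddler_proxies(port: int = 8888) -> Dict[str, str]:
    """Both schemes point at Fiddler's plain-HTTP listener; for https the client
    sends CONNECT and Fiddler terminates TLS with its own certificate."""
    url = validate_proxy_url("http://%s:%d" % (FIDDLER_HOST, port))
    return {"http": url, "https": url}


def fiddler_verify(ca_bundle: Optional[str]) -> Verify:
    """Prefer a PEM file holding Fiddler's exported root CA, which keeps
    verification on; fall back to False, which disables it completely."""
    if ca_bundle is None:
        return False
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError("Fiddler root CA bundle not found: " + ca_bundle)
    return ca_bundle


def capture_settings(enabled: bool, port: int = 8888,
                     ca_bundle: Optional[str] = None
                     ) -> Tuple[Optional[Dict[str, str]], Verify]:
    """(proxies, verify) for requests/ADAL/msrest. Capture off means
    (None, True): no proxy override and full certificate verification."""
    if not enabled:
        return None, True
    return fiddler_proxies(port), fiddler_verify(ca_bundle)


def settings_from_env() -> Tuple[Optional[Dict[str, str]], Verify]:
    """Read the assumed FIDDLER_* variables so no code path hard-codes
    verify=False; FIDDLER_CAPTURE=1 is the only way to turn capture on."""
    enabled = os.environ.get("FIDDLER_CAPTURE") == "1"
    port = int(os.environ.get("FIDDLER_PORT", "8888"))
    return capture_settings(enabled, port, os.environ.get("FIDDLER_CA_BUNDLE"))


# Wiring into the three libraries from the post. Imports are local so the
# helpers above run without adal / requests / azure-graphrbac installed.

def acquire_token(authority: str, resource: str, client_id: str,
                  username: str, password: str) -> dict:
    """ADAL for Python: verify_ssl and proxies are constructor arguments;
    verify_ssl is handed on to requests, so a CA bundle path works as well."""
    import adal
    proxies, verify = settings_from_env()
    ctx = adal.AuthenticationContext(authority, verify_ssl=verify, proxies=proxies)
    return ctx.acquire_token_with_username_password(resource, username, password, client_id)


def get_json(endpoint: str, access_token: str) -> dict:
    """requests: proxies=None leaves the library's normal behaviour untouched."""
    import requests
    proxies, verify = settings_from_env()
    resp = requests.get(endpoint, headers={"Authorization": "Bearer " + access_token},
                        proxies=proxies, verify=verify, timeout=30)
    resp.raise_for_status()
    return resp.json()


def graph_client(username: str, password: str, tenant_id: str):
    """GraphRbacManagementClient: the credential object and the msrest pipeline
    each make their own HTTPS calls, so both need the settings."""
    from azure.graphrbac import GraphRbacManagementClient
    from azure.common.credentials import UserPassCredentials
    proxies, verify = settings_from_env()
    creds = UserPassCredentials(username, password,
                                resource="https://graph.windows.net",
                                verify=verify, proxies=proxies)
    client = GraphRbacManagementClient(creds, tenant_id)
    client.config.connection.verify = verify
    for scheme, url in (proxies or {}).items():
        client.config.proxies.add(scheme, url)  # msrest ClientProxies.add
    return client
```

Fiddler exports its root certificate as a DER .cer file (Tools > Options > HTTPS > Actions > Export Root Certificate to Desktop); convert it once with `openssl x509 -inform der -in FiddlerRoot.cer -out FiddlerRoot.pem` and point FIDDLER_CA_BUNDLE at the result, so the capture works with verification still enabled. For code you cannot change, requests also honours the HTTPS_PROXY and REQUESTS_CA_BUNDLE environment variables, which gives the same effect without touching the source.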

References:

https://stackoverflow.com/questions/7694789/fiddler-doesnt-capture-python-http-request

https://quantdevblog.wordpress.com/2016/01/11/python-packet-sniffing-decrypting-on-secure-sockets-with-fiddler/
