遇到有些APP的HTTPS请求无法抓取!错误提示: !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate for pipe (CN=*.umeng.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).

google了下,貌似有些APP的证书不能随便构造,

这个回答提到了一种叫Certificate Pinning(证书锁定)的机制     https://stackoverflow.com/questions/33382870/how-to-capture-httpstls-1-0-communications-from-android-app-with-fiddler4

官方说:

From the Fiddler book:

Certificate Pinning

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.

To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s.

When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate. Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate. To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s. When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate.

Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.
If you're very serious about circumventing pinning, you can jailbreak the device and use any of a number of 3rd party toolkits to disable the pinning code.

大概意思就是Fiddler对这种APP的证书认证机制无能为力,只能望洋兴叹!呜呼哀哉!

有能解决这个问题的朋友麻烦留言下!!谢谢!

Fiddler无法抓取某些APP的HTTPS请求,无解!!!的更多相关文章

  1. 解决fiddler无法抓取本地部署项目的请求问题

    在本地部署了几个应用,然后想用fiddler抓取一些请求看看调用了哪些接口,然鹅,一直抓不到... 比如访问地址是这样的: 在网上搜罗半天,找到一个解决方法 在localhost或127.0.0.1后 ...

  2. 使用Burpsuite抓取手机APP的HTTPS数据

    1.所需条件 · 手机已经获取root权限 · 手机已经成功安装xposed框架 · 电脑一台 2.详细步骤 2.1 在手机上面安装xposed JustTrustMe JustTrustMe是一个去 ...

  3. 关于Charles抓取手机访问的Https请求

    准备工作 本次测试的Charles版本为3.9.1 · 首先在Charles中开启HTTP请求的远程监听. · 然后分别在手机和Mac上安装Charles的证书. 注意:证书一定要一致,否则抓取不到. ...

  4. Window下通过charles代理抓取iphone/android手机Https请求乱码问题处理

    Window下通过charles代理抓取iphone手机Https请求乱码问题 如果保持默认设置,https的reqeust和response都是乱码,设置完之后https就可以抓包了 手机端操作: ...

  5. Fiddler高级用法-抓取手机app数据包

    在上一篇中介绍了Fiddler的基本使用方法.通过上一篇的操作我们可以直接抓取浏览器的数据包.但在APP测试中,我们需要抓取手机APP上的数据包,应该怎么操作呢? Andriod配置方法 1)确保手机 ...

  6. Fiddler 4 抓包(APP HTTPS )

    一.手机连接Fiddler 1.配置fiddler 1.安装fiddler,基本下一步下一步即可: 2.打开fiddler,点击顶部栏Tools——>Options 3.在HTTPS页签勾选“D ...

  7. 使用Fiddler抓取手机APP数据包--360WIFI

    使用Fiddler抓取手机APP流量--360WIFI 操作步骤:1.打开Fiddler,Tools-Fiddler Options-Connections,勾选Allow remote comput ...

  8. 《吐血整理》高级系列教程-吃透Fiddler抓包教程(26)-Fiddler如何抓取Android7.0以上的Https包-上篇

    1.简介 众所周知,假如设备是android 7.0+的系统同时应用设置targetSdkVersion >= 24的话,那么应用默认是不信任安装的Fiddler用户证书的,所以你就没法抓到应用 ...

  9. Fiddler捕获抓取 App端数据包

    最近项目设计到App抓包,所以采用Fiddler工具来采集获取APP数据包,但是fiddler对有些app是无法捕获到数据包的,以下是我的处理方法: 1. 我默认代理端口使用的是自定义的端口而不是默认 ...

随机推荐

  1. Dynamics 365Online Server-Side OAuth身份认证

    在上篇演示了在html页面中通过调用online的OAuth身份验证后再通过web api取10条客户数据并展示,本篇继续讲述如何在server-side程序中调用online的OAuth认证再通过w ...

  2. 用windows浏览器打开Linux的Jupyter notebook开发、调试示例

    1.场景,在windows浏览器中打开Linux环境下的jupyter notebook.Jupyter notebook开启远程服务,Spark.python计算环境在Linux服务器中,而工作环境 ...

  3. FI配置清单-概要

    1.编辑公司代码 T-Code:OX02 路径:IMG >企业结构Enterprise >定义Definition >财务会计 Financial Accounting>编辑, ...

  4. Application_Start 多次启动问题

    最近在重构一个项目,在重构过程中出现了Application_Start 多次启动的问题,查询资料说是应用程序池内的修改会导致这个问题,后来发现确实如此 因为在重构过程中,我将数据库文件(sqlite ...

  5. JSP内置对象——session对象

    举个购物流程的例子: 这整个购物过程,它是属于一次回话.那么这个session是保存在服务器内存当中,并且它保存着不同用户对应的session,一个用户对应一个session.看下面这幅图: 从图中可 ...

  6. Android Studio动态调试smali代码

    工具: Android Studio版本: 3.0.1 smalidea插件: https://github.com/JesusFreke/smali/wiki/smalidea. 反编译工具:本节先 ...

  7. Expo大作战(二十七)--expo sdk api之Util(expo自带工具类),tackSnapshotAsync,Svg,SQLite

    简要:本系列文章讲会对expo进行全面的介绍,本人从2017年6月份接触expo以来,对expo的研究断断续续,一路走来将近10个月,废话不多说,接下来你看到内容,讲全部来与官网 我猜去全部机翻+个人 ...

  8. linux正则表达式(基础正则表达式+扩展正则表达式)

    正则表达式应用非常广泛,例如:php,Python,java等,但在linux中最常用的正则表达式的命令就是grep(egrep),sed,awk等,换句话 说linux三剑客要想能工作的更高效,就一 ...

  9. tar压缩/解压用法

    格式:tar zcvf 压缩后的路径及包名 你要压缩的文件 z:gzip压缩 c:创建压缩包 v:显示打包压缩解压过程 f:接着压缩 t:查看压缩包内容 x:解压 X:指定文件列表形式排除不需要打包压 ...

  10. python Pipe 双管道通信

    管道:是python多进程中一种交换数据的方式 from multiprocessing import Process,current_process,Queue,Pipe import time i ...