遇到有些APP的HTTPS请求无法抓取!错误提示: !SecureClientPipeDirect failed: System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < An unknown error occurred while processing the certificate for pipe (CN=*.umeng.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com).

google了下,貌似有些APP的证书不能随便构造,

这个回答提到了一种叫Certificate Pinning(证书锁定)的机制     https://stackoverflow.com/questions/33382870/how-to-capture-httpstls-1-0-communications-from-android-app-with-fiddler4

官方说:

From the Fiddler book:

Certificate Pinning

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate.

To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s.

When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate. Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.

A very small number of HTTPS client applications support a feature known as “Certificate Pinning” whereby the client application is hardcoded to accept only one specific certificate. Even if the connection uses a certificate that chains to a root that is otherwise fully-trusted by the operating system, such applications will refuse to accept an unexpected certificate. To date, some Twitter and Dropbox apps include this feature, and Windows 8 Metro apps may opt-in to requiring specific certificates rather than relying upon the system’s Trusted Root store. Firefox’s automatic browser update feature will silently fail when Fiddler is decrypting its traffic. The Microsoft Security toolkit named EMET can enable pinning in any application for certain “high-value” sites (including Windows Live). The Chrome browser supports pinning, but it exempts locally-trusted roots like Fiddler’s. When a Certificate-Pinned application performs a HTTPS handshake through a CONNECT tunnel to Fiddler, it will examine the response’s certificate and refuse to send any further requests when it discovers the Fiddler-generated certificate.

Unfortunately, there is no general-purpose workaround to resolve this; the best you can do is to exempt that application’s traffic from decryption using the HTTPS tab or by setting the x-no-decrypt Session flag on the CONNECT tunnel. The flag will prevent Fiddler from decrypting the traffic in the tunnel and it will flow through Fiddler uninterrupted.
If you're very serious about circumventing pinning, you can jailbreak the device and use any of a number of 3rd party toolkits to disable the pinning code.

大概意思就是Fiddler对这种APP的证书认证机制无能为力,只能望洋兴叹!呜呼哀哉!

有能解决这个问题的朋友麻烦留言下!!谢谢!

Fiddler无法抓取某些APP的HTTPS请求,无解!!!的更多相关文章

  1. 解决fiddler无法抓取本地部署项目的请求问题

    在本地部署了几个应用,然后想用fiddler抓取一些请求看看调用了哪些接口,然鹅,一直抓不到... 比如访问地址是这样的: 在网上搜罗半天,找到一个解决方法 在localhost或127.0.0.1后 ...

  2. 使用Burpsuite抓取手机APP的HTTPS数据

    1.所需条件 · 手机已经获取root权限 · 手机已经成功安装xposed框架 · 电脑一台 2.详细步骤 2.1 在手机上面安装xposed JustTrustMe JustTrustMe是一个去 ...

  3. 关于Charles抓取手机访问的Https请求

    准备工作 本次测试的Charles版本为3.9.1 · 首先在Charles中开启HTTP请求的远程监听. · 然后分别在手机和Mac上安装Charles的证书. 注意:证书一定要一致,否则抓取不到. ...

  4. Window下通过charles代理抓取iphone/android手机Https请求乱码问题处理

    Window下通过charles代理抓取iphone手机Https请求乱码问题 如果保持默认设置,https的reqeust和response都是乱码,设置完之后https就可以抓包了 手机端操作: ...

  5. Fiddler高级用法-抓取手机app数据包

    在上一篇中介绍了Fiddler的基本使用方法.通过上一篇的操作我们可以直接抓取浏览器的数据包.但在APP测试中,我们需要抓取手机APP上的数据包,应该怎么操作呢? Andriod配置方法 1)确保手机 ...

  6. Fiddler 4 抓包(APP HTTPS )

    一.手机连接Fiddler 1.配置fiddler 1.安装fiddler,基本下一步下一步即可: 2.打开fiddler,点击顶部栏Tools——>Options 3.在HTTPS页签勾选“D ...

  7. 使用Fiddler抓取手机APP数据包--360WIFI

    使用Fiddler抓取手机APP流量--360WIFI 操作步骤:1.打开Fiddler,Tools-Fiddler Options-Connections,勾选Allow remote comput ...

  8. 《吐血整理》高级系列教程-吃透Fiddler抓包教程(26)-Fiddler如何抓取Android7.0以上的Https包-上篇

    1.简介 众所周知,假如设备是android 7.0+的系统同时应用设置targetSdkVersion >= 24的话,那么应用默认是不信任安装的Fiddler用户证书的,所以你就没法抓到应用 ...

  9. Fiddler捕获抓取 App端数据包

    最近项目设计到App抓包,所以采用Fiddler工具来采集获取APP数据包,但是fiddler对有些app是无法捕获到数据包的,以下是我的处理方法: 1. 我默认代理端口使用的是自定义的端口而不是默认 ...

随机推荐

  1. JS--我发现,原来你是这样的JS(四)(看看变量,作用域,垃圾回收机制是啥)

    一.介绍 这是红宝书(JavaScript高级程序设计 3版)的读书笔记第四篇,是红宝书第四章内容(主要是变量和作用域问题),当然其中还有我个人的理解.红宝书这本书可以说是难啃的,要看完不容易,挺厚的 ...

  2. windows10 java环境变量设置

    由于安装的是jdk1.8所以不需要配置classpath了,只需要配置java_home和path即可. 我的电脑 -> 右键属性 -> 高级系统设置 -> 高级 -> 环境变 ...

  3. Android网络编程系列之HTTP协议原理总结

    前言 作为搞移动开发的我们,免不了与网络交互打交道.虽然市面上很多开源库都封装的比较到位,我们实现网络访问也轻车熟路.但还是十分有必要简要了解一下其中的原理,以便做到得心应手,也是通往高级开发工程师甚 ...

  4. LeetCode题解之Unique Paths

    1.题目描述 2. 问题分析 使用动态规划求解 3.代码 int uniquePaths(int m, int n) { vector<vector<)); ; i < m; i++ ...

  5. webstorm使用过程中的一些问题与技巧

    这一篇会随着使用逐渐更新: 1. 问题:string templates are not supported by current javascript version 解决 : setting &g ...

  6. IAM页面是在统一区分配的还是在混合区分配的?

    IAM页面是在统一区分配的还是在混合区分配的? IAM页面的作用这里就不说了,网上的资料很多 文章中用到的工具:查看SQLSERVER内部数据页面的小插件Internals Viewer 先建立四张表 ...

  7. Microsoft SQL 关系数据库的使用指南

    Microsoft SQL 关系数据库的使用指南 https://docs.microsoft.com/zh-cn/sql/relational-databases/database-features

  8. months_between()用法

    orcl中months_between()函数用法如下: 格式:即MONTHS_BETWEEN(日期1,日期2) 例如: select months_between(to_date('2018-10- ...

  9. Linux 辅助命令

    0. 说明 记录在 Linux 使用过程中的一些有帮助的命令 1. 命令集合 [1.1 错误输出重定向] # 将错误信息重定向到 /dev/null source /xxx >/dev/null ...

  10. 【转】MySQL双主一致性架构优化

    [原文]https://www.toutiao.com/i6594414914838725133/ 一.双主保证高可用 MySQL数据库集群常使用一主多从,主从同步,读写分离的方式来扩充数据库的读性能 ...