Monthly Archives: September 2015

Intercepting and creating SOAP messages using Fiddler

The title of this post is specific to a requirement I have which is part of a security audit which requires that I test the role based security on some of our servers.

I need to intercept SOAP messages from one of the .NET client applications I maintain and then change data within the message to try to impersonate other users to see whether the server code correctly allows/disallows user access via it’s role based security.

Obviously, if you know Fiddler (now from Telerik) you’ll know that we can intercept any network traffic between the machine we’re using and some server – we’re just going to touch on some of the very basics of using Fiddler.

Setting things up

So continuing down the path of the requirements I have. The first thing I need to do (prior to starting the client application) is to run Fiddler. I’m currently using Fiddler 4.4.9.9.

You may notice calls to the web or the likes over HTTP in the left hand pane of Fiddler. This is where we’ll see individual calls to our server(s). But before we can run our client application we need to ensure it uses Fiddler – so in my case I need to add/change the system.net section of the .NET application configuration file to look like the following

<system.net>
   <defaultProxy>
      <proxy bypassonlocal="false" usesystemdefault="true" />
   </defaultProxy>
</system.net>

Now the client will use Fiddler as the proxy.

See Configure .NET Applications for more information of this subject

Okay, at this point we can run our .NET client and we should start seeing calls to any servers appearing within the left hand pane of Fiddler (obviously when they’re made via the client).

Once the application started I used Fiddler’s “Any process” button (a gun sight style icon on the toolbar) to select the .NET application so to reduce the traffic I would see in Fiddler.

Capturing a message

We’re not going to dive too deep into Fiddler for this post, but instead we’ll just look at how to use Fiddler to carry out the specifics of the requirements outlined at the start of this post.

Next up we’re going to make the client application do some task – in my case we’re using a read/write role so I can get a message that is valid for a user with these permissions.

So now I run the functionality on the client which will result in a server call and generate the SOAP message I want to capture. It should appear in the left hand pane of Fiddler. If we double click on the specific entry on the left hand pane the right hand pane of Fiddler will show us the Inspectors view. From here we can look at the SOAP message using various viewers.

Now switch to the RAW view of the bottom part of the Inspectors pane and press the View in Notepad. At this point I delete the HTTP header and am left with the raw message (in my case starting with <?xml to the end of the document).

Okay, we’ve captured the SOAP message, the next step is to change information within the SOAP message to impersonate a lower permission user. Obviously this depends on how you might pass the data for such user information, whether it’s within the header or envelope. Whether such information is plain text of encrypted.

Creating (or composing) a message

We’ve captured an existing message and changes the user details within the message. Now we’re going to use Fiddler to send the message to the server.

Select the Composer tab in the right hand pane of Fiddler. In my case I need to set the message to be a POST and I supply the full URL.

The top pane of this composer view will update with any response from the server and be default has the User-Agent set to Fiddler (obviously you can change this to suit).

In the request body we copy our previously captured and altered SOAP message and paste it into the request body section. Now simply press the Execute button at the top right of the Composer view and your request should be sent to the specified URL.

Obviously I had a very specific requirement for using Fiddler but ofcourse you might use it to simply capture various messages in whatever format you use and replaying them as part of a test suite or the likes.

.NET CLR Version Tool

I’d not come across this tool before, but whilst checking the location of the sn.exe tool I spotted it and thought I’d see what it did.

So the clrver.exe can be run from the Visual Studio command prompt or found at a location where your SDK exists, for example

"%ProgramFiles%\\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\clrver.exe"

Just running clrver.exe without any arguments will tell you which versions of the CLR are installed on your machine, whilst using the switch -all will result in a list of applications/processes running using the .NET CLR and tells us the version they’re using. If you already know the process id (pid) you can use clrver 123 to list the .NET CLR version being used by pid 123.

Observable.FromEventPattern discussed

I was actually looking through my past blog posts and noticed I’ve never published anything on Reactive Extensions (Rx). I actually have a draft “beginners” guide which I started a couple of years back, but never completed, so I may end up publishing that at a later date.

Note: The best resource for Rx information that I’ve found is Introduction to Rx, I’d definitely recommend you visit that site for complete and excellent documentation on Rx.

Okay, for this post I’m just going to focus on the FromEventPattern. Even though the syntax is pretty simple I have a habit of forgetting it everytime I come to use it, so as this blog is about refreshing my memory, I thought I’d write a blog post dedicated to this method.

Why use Rx instead of handling events in the conventional way?

One of the most obvious reasons to use Rx to handle events is that it can help stop those pesky memory leaks when we forget to unsubscribe to an event. Another reason is the IObservable returned from FromEventPattern is composable and we can filter events that we’re not interested in and/or marshal events from one thread onto another – for example when events are coming from a worker thread we might marshal them onto the UI thread.

Take a look at Observable.FromEventPattern Method to see the current syntax/overloads for this method.

I will not be covering all the overloads here but will instead look at the three I’ve used the most. So let’s get started…

FromEventPattern with an EventHandler which takes no EventArgs

In some cases you might have an event handler which doesn’t use EventArgs, for example

public event EventHandler Reverted;

in such a case we use the overload

public static IObservable<EventPattern<EventArgs>> FromEventPattern(
	Action<EventHandler> addHandler,
	Action<EventHandler> removeHandler)

So our code might look like this

var o = Observable.FromEventPattern(
   x => domainObject.Changed += x,
   x => domainObject.Changed -= x).
   Subscribe(_ => DoSomething());

FromEventPattern with standard event patterns (using the EventHandler class)

Building on the previous syntax…

In many cases, where the events that we want to subscribe to, use the “standard .NET event pattern”, (for example where the handler takes an EventArgs derived class) and were declared using the syntax

public event EventHandler<CellsInViewChangedEventArgs> CellsInViewChanged;

we will use this overload. Note: This version expects an EventHandler<> object.

public static IObservable<EventPattern<TEventArgs>> FromEventPattern<TEventArgs>(
	Action<EventHandler<TEventArgs>> addHandler,
	Action<EventHandler<TEventArgs>> removeHandler
)
where TEventArgs : EventArgs

To use this we simple supply the EventArgs derived type, for example

var o = Observable.FromEventPattern<CellsInViewChangedEventArgs>(
   x => grid.CellsInViewChanged += x,
   x => grid.CellsInViewChanged -= x).
   Subscribe(_ => DoSomething());

FromEvent pattern with standard event patterns (not using the Event Handler class)

Finally, for this post, in some cases we have events which do not use the EventHandler<> class, for example the WPF RoutedEvents use 

public delegate void RoutedEventHandler(
   object sender, 
   System.Windows.RoutedEventArgs e)

In such cases we need to supply both the Delegate type and EventArgs type to the FromEventPattern, hence we use the syntax

public static IObservable<EventPattern<TEventArgs>> FromEventPattern<TDelegate, TEventArgs>(
	Action<TDelegate> addHandler,
	Action<TDelegate> removeHandler
)
where TEventArgs : EventArgs

our code will now look like this

var o = Observable.FromEventPattern<RoutedEventHandler, RoutedEventArgs>(
   x => button.Click += x,
   x => button.Click -= x).
   Subscribe(_ => DoSomething());

More…

I don’t intend to cover all the possible uses of the IObservable which is returned by the FromEventPattern, but suffice to say (as mentioned earlier). We can ensure events are marshaled onto the thread which created the observable, so for example if we create this from the UI thread we can write

var o = Observable.FromEventPattern<ValuesChangedEventArgs>(
   x => server.ValuesChanged += x,
   x => server.ValuesChanged -= x).
   ObserveOn(SynchronizationContext.Current).
   Subscribe(_ => DoSomething());

here, the ObserveOn will ensure that the events that might be coming from a worker thread are marshaled onto the current thread. Obviously if this was created on the UI thread this will marshal back onto that thread.

Creating awaitable types

If you’ve used async/await in your applications, you’ll generally await a Task, but you can actually make your own type awaitable. Let’s look at how we’d do this.

Why are Task’s awaitable?

A Task is awaitable, not because it’s a Task type, but its because it supports a specific method name which returns a TaskAwaiter or TaskAwaiter for the Task type. So let’s take a look at what this method looks like

public TaskAwaiter GetAwaiter()

So it’s really that simple, if we want to make our object awaitable we simply define the same method in our type.

What is a TaskAwaiter?

A TaskAwaiter is a struct which implements the ICriticalNotifyCompletion interface and the INotifyCompletion interface (the ICriticalNotifyCompletion derives from the INotifyCompletion). But this still wouldn’t make the TaskAwaiter awaitable it also needs the property IsCompleted and the method GetResult – more on this in “the rules for an “Awaiter” type” below.

It does seem strange that these methods weren’t all put into a single interface, but there you have it.

How do I create a bare minimum awaitable type?

Let’s first review the rules for making our type awaitable

  • Our type should have a method named GetAwaiter which takes no arguments and returns a suitable “Awaiter” type

and now the rules for an “Awaiter” type

  • The type should implement the INotifyCompletion interface or the ICriticalNotifyCompletion interface
  • It should have a IsCompleted property of type boolean
  • It should have a GetResult method which returns void or a result value

      • and now let’s put this together into a somewhat pointless type which demonstrates a bare minimum set of requirements to get this type to be awaitable

      public class MyObject
{
   public MyAwaiter GetAwaiter()
   {
      return new MyAwaiter();
   }
}

public struct MyAwaiter
{
   public void OnCompleted(Action continuation)
   {
      continuation();
   }

   public bool IsCompleted { get; private set; }

   public void GetResult()
   {			
   }
}

      and now in use, we would have something like this

      var o = new MyObject();
await o;

      Note: if you do not call the conitnuation() action in the OnCompleted method the code will block indefinitely.

      The flow of this code goes as follows…

      await o is called, this calls GetAwaiter on MyObject which returns a MyAwaiter. Next IsCompleted is checked, if the awaiter has already completed then control returns to the line after the await, if it’s false OnCompleted is called which basically blocks until the continuation is called, finally the GetResult method is called.

      Extension methods that are awaitable

      So we’ve discussed creating our own type, making it awaitable and even creating an awaiter type, but another approach which one might use is creating extension methods and instead of going to the hassle of creating an awaiter type, we’ll simply reuse the TaskCompletionSource type which can be used as a puppet task.

      Let’s go straight to some code which I’ve unashamedly lifted from Stephen Toub’s blog post await anything.

      public static TaskAwaiter<int> GetAwaiter(this Process process)
{
   var tcs = new TaskCompletionSource<int>();
   process.EnableRaisingEvents = true;
   process.Exited += (s, e) => tcs.TrySetResult(process.ExitCode);
   if (process.HasExited)
   {
      tcs.TrySetResult(process.ExitCode);
   }
   return tcs.Task.GetAwaiter();
}

      and we would use this as follows

      await Process.Start(“notepad.exe”)

      Looking at the extension method you can see we’re going to use the TaskCompletion classes GetAwaiter to return the awaiter type (in this case a TaskAwaiter) and we simply try to set the result on the TaskCompletionSource if, or when, the process exits.

      References

      await anything
      Design change: new “await” pattern for greater efficiency