
I am trying to parse decrypted TLS/SSL from a .NET client, using Fiddler. After using the "from Deflated SAML" tool in the Text Wizard, I get a mix of binary and clear text. I would like to get the entire response in clear text. Here are some examples:

Request:

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ProcessQuery xmlns="DUMMYTEXT"><requestArgs>"DUMMYTEXT"</requestArgs><dataArgs>"DUMMYTEXT"</dataArgs></ProcessQuery></soap:Body></soap:Envelope>

The reply from the server:

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ProcessQueryResponse xmlns=/* snip */><ProcessQueryResult>7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ifo1f89f4NX6N/5se/MTz6+CX3+j1ddPmi/HZsr23hw9+/cXvf5mV6/zX+A3+9S9/rV/jN/x/AA==</ProcessQueryResult></ProcessQueryResponse></soap:Body></soap:Envelope>

After the "from DeflatedSAML" transform:

������������������System.Int32���m_value��O�

There is a mix of binary and clear text in the response. Another example response, after transforming from DeflatedSAML:

������������������������
SessionLog���SessionLogInsert����
������������������� ...

Again, a mix of text and binary. Other larger packets/sessions, when transformed from deflated SAML:

������������������NSystem.Data, /* snip */ ��System.Data.DataSet���DataSet.RemotingVersionDataSet.RemotingFormatDataSet.DataSetNameDataSet.NamespaceDataSet.PrefixDataSet.CaseSensitiveDataSet.LocaleLCIDDataSet.EnforceConstraintsDataSet.ExtendedPropertiesDataSet.Tables.CountDataSet.Tables_0DataTable_0.ConstraintsDataSet.Relations#DataTable_0.DataColumn_0.Expression#DataTable_0.DataColumn_1.Expression#DataTable_0.DataColumn_2.Expression#DataTable_0.DataColumn_3.Expression#DataTable_0.DataColumn_4.ExpressionDataTable_0.Rows.CountDataTable_0.Records.CountDataTable_0.RowStatesDataTable_0.RecordsDataTable_0.NullBitsDataTable_0.RowErrorsDataTable_0.ColumnErrors������System.VersionSystem.Data.SerializationFormat���System.Data.PropertyCollection���System.Collections.ArrayListSystem.Collections.ArrayListSystem.Collections.BitArraySystem.Collections.ArrayListSystem.Collections.ArrayListSystem.Collections.HashtableSystem.Collections.Hashtable���   �������System.Data.SerializationFormat���value__����������AccessControlSettings����    ����   ��    ������    ���        ���
��� ���    ���    ���    ���    ���1���1���    ���
��� ���    ���    ������System.Version���_Major_Minor_Build   _Revision����������������������System.Data.PropertyCollection���
LoadFactorVersionComparerHashCodeProviderHashSizeKeysValues���System.Collections.IComparer$System.Collections.IHashCodeProvider����Q8?����

��� ���
����System.Data.DataSetDateTime���value__���������������
���RoleName
    ������������������������������ ���    �������   ���    ���    ����������������������
���
FunctionID
    ������������������������������� ���    ��������

My question is, how do I decode (or is it unserialize?) the binary values, so that the entire message is in clear text? How does Fiddler do the decoding? Can I do it programmatically, for every packet/session? I cannot modify either the server or the client.

I have tried:

  1. WCF Binary Inspector. Results: "the input source is not correctly formatted"
  2. Wireshark. Learnt about public/private key encryption, decrypting SSL sessions, etc., but it did not apply here since the client is using ECDHE encryption and is not browser-based.
  3. Charles Proxy. Did not get too far, is the same as Fiddler but requires a license.
  4. JSON inspector in Fiddler. Results: Invalid text at position x
  5. Various SO posts like this
beevor
  • Is it from a redirect (in query parameter) or POST (form) binding? The first needs to be URL decoded the second doesn't. – Andrew K. Dec 06 '17 at 04:47
  • @Andrew It is from POST. It is not URL encoded. – beevor Dec 06 '17 at 07:35
  • If it's doing Form POST properly, then it shouldn't be DEFLATEd, just Base64 encoded... But there's something else wrong in there, I think. – Andrew K. Dec 07 '17 at 13:41
  • From the POST it isn't deflated. The program does the deflating. After deflating, the binary content is mixed with clear text. What I'd like to get is everything in clear text. – beevor Dec 12 '17 at 08:20
  • I can totally agree that what you want is the clear text - it's useless otherwise. I think you should ask what process the STS is following - because I can't come up with anything that works following spec... unDEFLATE+Base64 Decode, Base64 Decode, etc. None of it works, which tells me that the STS is doing something "different" than spec, which makes me believe that the STS is "homegrown"... Which means it could be doing... Anything. – Andrew K. Dec 12 '17 at 14:30
  • Did you ever get this sorted? Seeing the same thing when using WCF Binary Message Inspector "The input source is not correctly formatted" https://github.com/waf/WCF-Binary-Message-Inspector – john.acb Jan 09 '20 at 00:53
  • @john.acb No, I didn't get it sorted. – beevor Jan 10 '20 at 07:05
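
Added example, not part of the original question or comments: the type names visible in the transform output (`System.Int32`, `m_value`, `System.Data.DataSet`) are consistent with a .NET BinaryFormatter (MS-NRBF) stream, so this sketch assumes the `ProcessQueryResult` text is Base64 over raw DEFLATE over MS-NRBF and reads the stream header and the first class record's names without deserializing any object. The function names, the size cap and the sample payload are constructed for illustration.

```python
import base64, struct, zlib

MAX_OUT = 16 * 1024 * 1024  # assumed cap on inflated size; captures are untrusted

def inflate_result(b64_text):
    """Base64-decode, then inflate as raw DEFLATE (no zlib or gzip wrapper)."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(base64.b64decode(b64_text, validate=True), MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("inflated payload exceeds MAX_OUT")
    return out

def _lps(buf, pos):
    """Read an MS-NRBF LengthPrefixedString: 7-bit-encoded length, then UTF-8."""
    length = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        length |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return buf[pos:pos + length].decode("utf-8", "replace"), pos + length

def describe(buf):
    """Return header ids plus library, class and member names of the first record."""
    rec, root_id, header_id, major, minor = struct.unpack_from("<Biiii", buf)
    if rec != 0 or (major, minor) != (1, 0):
        raise ValueError("not a BinaryFormatter (MS-NRBF) stream")
    info, pos = {"root_id": root_id, "header_id": header_id}, 17
    if buf[pos] == 12:            # BinaryLibrary: int32 id, assembly name
        info["library"], pos = _lps(buf, pos + 5)
    if buf[pos] not in (4, 5):    # (System)ClassWithMembersAndTypes
        return info
    info["class"], pos = _lps(buf, pos + 5)   # skip record type + int32 object id
    (count,) = struct.unpack_from("<i", buf, pos)
    if not 0 <= count <= len(buf):
        raise ValueError("implausible member count")
    info["members"], pos = [], pos + 4
    for _ in range(count):
        name, pos = _lps(buf, pos)
        info["members"].append(name)
    return info

def sample_b64():
    """Constructed sample: a boxed Int32 (42) as MS-NRBF, deflated, Base64-encoded."""
    nrbf = (struct.pack("<Biiii", 0, 1, -1, 1, 0) + b"\x04" + struct.pack("<i", 1)
            + b"\x0cSystem.Int32" + struct.pack("<i", 1) + b"\x07m_value"
            + b"\x00\x08" + struct.pack("<i", 42) + b"\x0b")
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(nrbf) + c.flush()).decode()
```

The stray printable characters in front of some names in the transform output, such as the `N` before `System.Data`, are length prefixes that happen to fall in the ASCII range, which is why a plain strings pass over the inflated bytes gives misleading names.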

0 Answers