topic Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler in ArcGIS Viewer for Flex Questions

Blocking .xml files from being visable in web dubugger programs ie: Fiddler

MattPohl — Wed, 22 May 2013 19:17:55 GMT

I am curious if there is any way to block the visibility of .xml files when tracking web traffic in programs such as Fiddler. Attached is a screen shot showing the situation. For instance, I can see the config.xml file for my application in Fiddler which can than be opened. Once opened, the tokens used to pass the secure services through the FlexViewer become visible. I am not using a reverse proxy setup, but not sure if that would resolve the issue. Any thoughts would be greatly appreciated.

Matt

Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler

TimDine — Tue, 28 May 2013 11:24:22 GMT

Fiddler can accept regular expressions in it's filter tab. Check the "Show only if URL contains" check box. Enter an expression like "REGEX:(?insx).*[^(css|png|xml)]$" in the text box without quotes. This expression would hide css, png, and xml files.

http://fiddler2.com/documentation/KnowledgeBase/Filters

Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler

MattPohl — Tue, 28 May 2013 11:38:55 GMT

Tim-

Thanks for your response. Yes, this would block those types of files from being displayed in Fiddler for computers I have access to, but not client computers. My goal would be to block the visability of .xml files from everybody thus keeping the tokens truly secure from everyone who had access to the application.

~Matt

Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler

BjornSvensson — Wed, 29 May 2013 19:26:14 GMT

My goal would be to block the visability of .xml files from everybody thus keeping the tokens truly secure from everyone who had access to the application.

That's not possible. If the "application" can see it, then Fiddler etc can see it.

Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler

MattPohl — Wed, 29 May 2013 19:34:06 GMT

Thanks Bjorn, this was my assumption but thought I would ask anyway.

~Matt

Re: Blocking .xml files from being visable in web dubugger programs ie: Fiddler

GISDev1 — Fri, 31 May 2013 18:27:01 GMT

Tim-

Thanks for your response. Yes, this would block those types of files from being displayed in Fiddler for computers I have access to, but not client computers. My goal would be to block the visability of .xml files from everybody thus keeping the tokens truly secure from everyone who had access to the application.

~Matt

You know the client being able to see the Token in the config is no big deal right? The token is tied to either the Referrer IP or the Referrer URL. If an attacker has access to use either of those as a proxy to your ArcGIS Server box, you have a more serious problem on your hands.

Of course you can "hide" the tokens and not even use them in the config by hard-coding them in the source code which gets compiled into the index.swf. (The .swf can certainly be decompiled by the way).

This won't really matter because the token will be seen going over the wire anyways. And like mentioned before, this token is no big deal.