
Blocking .xml files from being visible in web debugger programs, i.e. Fiddler

05-22-2013 12:17 PM
MattPohl
Frequent Contributor
I am curious if there is any way to block the visibility of .xml files when tracking web traffic in programs such as Fiddler. Attached is a screen shot showing the situation. For instance, I can see the config.xml file for my application in Fiddler, which can then be opened. Once opened, the tokens used to pass the secure services through the FlexViewer become visible. I am not using a reverse proxy setup, but not sure if that would resolve the issue. Any thoughts would be greatly appreciated.

Matt
5 Replies
TimDine
Frequent Contributor
Fiddler can accept regular expressions in its filter tab. Check the "Show only if URL contains" check box. Enter an expression like "REGEX:(?insx).*[^(css|png|xml)]$" in the text box without quotes. This expression would hide css, png, and xml files.

http://fiddler2.com/documentation/KnowledgeBase/Filters
MattPohl
Frequent Contributor
Tim-

Thanks for your response. Yes, this would block those types of files from being displayed in Fiddler for computers I have access to, but not client computers. My goal would be to block the visibility of .xml files from everybody, thus keeping the tokens truly secure from everyone who had access to the application.

~Matt
BjornSvensson
Esri Regular Contributor
My goal would be to block the visibility of .xml files from everybody, thus keeping the tokens truly secure from everyone who had access to the application.

That's not possible.  If the "application" can see it, then Fiddler etc can see it.
MattPohl
Frequent Contributor
Thanks Bjorn, this was my assumption but thought I would ask anyway.

~Matt
GISDev1
Deactivated User
Tim-

Thanks for your response. Yes, this would block those types of files from being displayed in Fiddler for computers I have access to, but not client computers. My goal would be to block the visibility of .xml files from everybody, thus keeping the tokens truly secure from everyone who had access to the application.

~Matt
You know the client being able to see the Token in the config is no big deal right? The token is tied to either the Referrer IP or the Referrer URL. If an attacker has access to use either of those as a proxy to your ArcGIS Server box, you have a more serious problem on your hands.

Of course you can "hide" the tokens and not even use them in the config by hard-coding them in the source code which gets compiled into the index.swf. (The .swf can certainly be decompiled by the way).

This won't really matter because the token will be seen going over the wire anyways. And like mentioned before, this token is no big deal.