This is a migrated thread and some comments may be shown as answers.

Setup Scenario

Fiddler Classic
Matt asked on 13 Oct 2014, 03:26 PM
Hey Guys,

I was just referred to Fiddler by someone who claims to want to use it in a similar way as myself.

What I am looking for is somewhat of a total web-block but with whitelist exception. Currently in policy we have this implemented via an IE proxy site exclusion list where the proxy defined is a dummy IP / Port.

This seems to work fine for static sites, with no 3rd party XSS or referrer domains... We are running into a scenario now wherein we are moving to O365 in the cloud. I had run an HTTP trace as well as looked up the official MS documentation of all required URL/Domain space to whitelist. Even just this, and using TLD declarations, the list is pretty long. Further, there seem to be all sorts of other referenced sites and files, which aren't explicitly whitelisted. All on top of other providers' sites which have their own sites they call in the background, which causes issues while waiting for DNS and the fake proxy to timeout.

Rumor has it Fiddler can allow an explicitly whitelisted domain to also allow traffic / connections to sites that the whitelisted site references...

Is this true?? Can it be used in conjunction with WPAD (which is the model we hope to move to)?

Can anyone give me some pointers or info as to where to start?? I suppose by validating or crushing my current understanding.. ;-)

Cheers,

Matt

1 Answer, 1 is accepted

Eric Lawrence
Telerik team
answered on 13 Oct 2014, 08:56 PM
Hello, Matt--

Fiddler can completely control your browser's use of HTTP and HTTPS, allowing or forbidding sites based on any criteria you can generate based on the request.

Fiddler cannot somehow "magically" allow "references from pages that were themselves whitelisted"-- the closest you could come to that is to look at a request and if it's not to a whitelisted host, you could examine the HTTP Referer header and look to see if it mentions a whitelisted host, and if not, you could even search previous responses from the whitelisted host to see if you can find a reference to that URL, but this is an extraordinarily complex problem.

It's also not clear what problem you'd hope to resolve with a "transitive whitelist" approach, since any given "Office document" could refer to untrusted 3rd party websites that contain malicious or illegal content or whatever.

Regards,
Eric Lawrence
Telerik
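
The host-then-Referer check described in the answer above, modelled as an added example (not code from the thread or from Telerik). It is plain JavaScript rather than FiddlerScript so it runs on its own; the hostnames, the `decide` function and the request objects are constructed for illustration, and header names are assumed to be lower-cased.

```javascript
// Constructed whitelist: a host matches if it equals an entry or is a subdomain of one.
const ALLOWED_SUFFIXES = ["example-tenant.test"];

function hostAllowed(host) {
  const h = String(host || "").toLowerCase().replace(/\.$/, "");
  return ALLOWED_SUFFIXES.some(s => h === s || h.endsWith("." + s));
}

// Extract the hostname from a Referer value; null if absent or unparsable.
function refererHost(value) {
  try { return new URL(value).hostname; } catch (e) { return null; }
}

// Decide on one request: { method, host, headers } -> { action, reason }.
function decide(req) {
  if (hostAllowed(req.host)) return { action: "allow", reason: "host-whitelisted" };
  // A CONNECT tunnel request carries no Referer, so without HTTPS decryption
  // the referer test has nothing to look at.
  if (req.method === "CONNECT") return { action: "block", reason: "connect-no-referer" };
  const ref = refererHost(req.headers["referer"]);
  // Referer is supplied by the client: treat this as a convenience heuristic,
  // not as a trust boundary.
  if (ref && hostAllowed(ref)) return { action: "allow", reason: "referer-whitelisted" };
  return { action: "block", reason: ref ? "referer-not-whitelisted" : "no-referer" };
}

// Constructed sample traffic showing where the one-hop heuristic stops working.
const SAMPLE = [
  { method: "GET", host: "portal.example-tenant.test", headers: {} },
  { method: "GET", host: "static.thirdparty.test",
    headers: { referer: "https://portal.example-tenant.test/mail" } },
  // Second hop: a resource requested by the third party's own script.
  { method: "GET", host: "fonts.fourthparty.test",
    headers: { referer: "https://static.thirdparty.test/app.js" } },
  // Same third-party host, but the page's referrer policy suppressed the header.
  { method: "GET", host: "static.thirdparty.test", headers: {} },
  { method: "CONNECT", host: "static.thirdparty.test", headers: {} },
  // Suffix matching must not accept look-alike names.
  { method: "GET", host: "xexample-tenant.test", headers: {} },
];

function classifySample() {
  return SAMPLE.map(r => r.method + " " + r.host + " -> " + decide(r).reason);
}

console.log(classifySample().join("\n"));
```

Only the first hop away from a whitelisted page is covered; anything a third-party resource loads in turn, and any request without a Referer, is still blocked.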