Fiddler blocks some HTTPS connections like Dropbox - web-services

I work on a project which makes AJAX queries to a web service, so I use Fiddler to see the JSON responses.
But I have encountered trouble using Fiddler. When I launch it on my laptop, Dropbox can't synchronize my files anymore but I can debug my AJAX requests. The real problem is when I use Fiddler on my desktop computer, all my requests to my WebService are blocked. My WebService runs on localhost.
I don't understand how it works, can you help me?

Dropbox connections don't work because that application uses a feature called "Certificate Pinning" that rejects Fiddler's HTTPS interception certificate. Why this happens is discussed in the Fiddler book, but you can configure Fiddler not to decrypt dropbox.exe's connections, which resolves the issue.
To avoid blocking Dropbox app traffic while Fiddler is running, you can use Tools > Fiddler Options > HTTPS to either decrypt only browser traffic or configure Fiddler not to decrypt traffic to *.dropbox.com.
The issue with your "WebService" is almost certainly completely unrelated. You need to be far more specific for anyone to help: What is the client? What is the service written in? What do you see in Fiddler when this happens?
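Why the pinned application fails while browsers keep working, and why the skip-decrypt setting resolves it, as an added example that is not part of the original answer and is not Fiddler's or Dropbox's code. The byte strings, pin set and host name are constructed placeholders, and the wildcard matching is an assumed model of the skip list.

```python
import base64
import hashlib
from fnmatch import fnmatch

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
REAL_LEAF_SPKI = b"constructed-spki:server-leaf"
REAL_CA_SPKI = b"constructed-spki:public-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-generated-leaf"
PROXY_ROOT_SPKI = b"constructed-spki:proxy-root"

# The proxy root is installed in the OS store, so both chains are "trusted".
TRUSTED = {REAL_CA_SPKI, PROXY_ROOT_SPKI}


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the RFC 7469 style: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


APP_PINS = {spki_pin(REAL_CA_SPKI)}  # hypothetical pin set shipped in the app


def chain_seen_by_client(host, skip_decrypt):
    """Assumed proxy model: tunnel hosts on the skip list, re-sign the rest."""
    if any(fnmatch(host.lower(), pat.lower()) for pat in skip_decrypt):
        return [REAL_LEAF_SPKI, REAL_CA_SPKI]    # untouched CONNECT tunnel
    return [PROXY_LEAF_SPKI, PROXY_ROOT_SPKI]    # interception certificate


def client_accepts(chain, trusted_roots, pins=None):
    """Step 1: the chain must end in a trusted root.
    Step 2: a pinning client also needs one key in the chain to match a pin."""
    if chain[-1] not in trusted_roots:
        return False
    if pins is None:  # ordinary client without pins, e.g. a browser
        return True
    return any(spki_pin(key) in pins for key in chain)


def outcome(host, skip_decrypt, pins):
    return client_accepts(chain_seen_by_client(host, skip_decrypt), TRUSTED, pins)


if __name__ == "__main__":
    host = "host.dropbox.com"  # constructed host name
    print("pinned app, decrypting:", outcome(host, [], APP_PINS))
    print("browser, decrypting   :", outcome(host, [], None))
    print("pinned app, skip list :", outcome(host, ["*.dropbox.com"], APP_PINS))
```

The first case fails at the pin check even though the chain is trusted; the other two succeed.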

Related

Websockets not working with Powerpoint Add-in

I'm using a Microsoft add-in for Powerpoint called 'Web Viewer' (it's just an iframe, you insert a URL, it displays it in the slide).
I inserted a webpage that uses Socket.IO, and I'm seeing it is not able to connect to the server (even the long polling it's falling back on is not working).
Clearly this is not an issue with the add-in: Any ideas what is going on here?
I tested on Mac 10.13.4 (latest) / Powerpoint (16.12, Office 365 Home) (latest).
The same webpage works in an iframe in the latest Chrome, Firefox, Safari, IE11, so I'm thinking something wonky is going on with the embedded (Webkit) browser that Powerpoint is using on Mac.
The general request flow is:
Browser -> AWS ALB (with stickiness enabled) -> Nginx -> Node
UPDATE
Looked into this further, and having tested other pages that use Socket.IO, I think the only difference in their setups and here is the ALB.
Even with stickiness enabled, the load balancer is clearly seen (in the logs) passing traffic between all EC2s. This leads me to believe the cookie they use is either not being set or not being passed with the requests.
First of all, based on this github issue it should be possible to open a websocket.
There might be a problem with using the unsecure ws://. I know that officejs rejects all requests to http:// and forces you to use https:// with a secure certificate. So they might do the same with WebSockets and force you to use wss:// with a valid certificate.
You can test this more easily in PowerPoint Online with Chrome. The add-in is the same but you get much better error logging in the DevTools Console (hit F12). If it's a security issue there should be an error message indicating it.
I had the same issue and S.Freederle is correct. Now I'm able to use socket.io via ngrok to create a secure tunnel (HTTPS) to connect to my server and emit the data to my client side in the Office add-in.

Duplicate Soap Requests

We are upgrading from 10.0 to 10.3.6. Our web app is running in a DMZ and uses .jar files created with clientgen to invoke JAX-RPC web service operations deployed on our internal network by going through an XML firewall. My problem is that the XML firewall is behaving as though the HTTP request to invoke the web service operation was sent twice, when as near as I can tell it was only sent once. I set the following properties to view the soap traffic:
-Dweblogic.wsee.verbose=*
-Dweblogic.log.RedirectStdoutToServerLogEnabled=true
Unfortunately I don't have access to the XML firewall but I have been able to get the log entries for my service endpoints. I can see that it reports receiving duplicate requests but for the life of me I don't know how this can be happening. This does not happen when the web service clients are running on version 10.0.
I've tried everything I can think of to troubleshoot this problem. I'm hoping somebody here can offer up some suggestions or perhaps tell me if this is a known issue.
You could use TCP Monitor to intercept the SOAP traffic between your server and the firewall.
This way you can tell if the requests are being sent twice or if there is some internal issue with the firewall.
Also, after you intercept the requests, you can again use TCP Monitor or SOAP UI to re-send the request to emulate the web server and debug the firewall.

AS3 flash can't make calls to http or https webservice on a facebook app

I have an iframe Facebook application with a problem I am not able to solve, because I can't understand the source of it.
On the iframe there is a Flash movie (in AS3) that makes HTTPS calls to a web service (it basically calls an HTTPS address and waits for an XML response).
It is fine in 90% of the cases, but some clients are not able to run any calls and I can't understand why.
They install the app, load the Flash movie, but it seems there is something that stops the Flash from calling the HTTPS address.
Can you think of any reason?
An antivirus? A strict security setup on the browser?
Thanks for the help!
Loading XML files in Flash over an SSL Connection in Internet Explorer fails if the Pragma:no-cache or Cache-control:no-cache HTTP headers are set on the XML file.
Here is a helpful blog post about this: http://www.blog.lessrain.com/flash-loading-and-browser-cache-test-suite/

How can I get Fiddler to display information about a web service request made from my ASP.NET code behind?

I have an ASPX page. When the page is loaded there is code in the code behind that uses an API. The API makes an HTTPS call out to a third party, commercial web service. I am trying to troubleshoot why the API calls are not working properly. Apparently the API actually constructs an XML request that is sent out over HTTPS to the web service. I've been told by the support rep that I need to provide them with the XML that is being sent. The only way I can figure out how to get the XML is to use a tool like Fiddler to see what is being sent out. So how can I use Fiddler to see the contents of the XML request that is being sent from the server out to the web service? I am running everything directly on the server but all I am seeing is the GET request for the ASPX file itself. I am not seeing anything in relation to the HTTPS request that the server code is sending out to the web service. I have not used Fiddler much so I am hoping that maybe I just don't have it set up right to monitor that traffic.
Corey
After mucking around with it a bit I found this post: Why isn't fiddler capturing request when invoking XMLRPC from iis?. That seemed to do the trick! Basically it sounds like the default proxy settings in Win7 are on a per user basis. So I went in and changed the identity of the AppPool for my site to a local user (Administrator) and then it worked great. I started up Fiddler. Then I started up my ASP.NET app and then when I loaded the page I saw the request that went out to the web service from my code behind! Yay!

How to use HTTPS with HttpReceiveHttpRequest()?

I'm using the Windows HTTP API to process web service requests in C++ (not .NET) and everything works just fine for HTTP requests. When I change the URLs I'm expecting with HttpAddUrl to https://example.com:443/foo/bar my tests from Internet Explorer no longer connect. My code does not get called at all and the calls to HttpReceiveHttpRequest don't complete when an HTTPS request comes in.
I created a certificate authority for myself and it is visible inside IE but I can't figure out what to do next.
What do I need to configure to make HTTP.SYS call my code when an HTTPS request comes in?
You'll need to install the SSL cert in the machine store (mmc.exe, add Certificates snap-in, manage the Computer account, import the cert). Then have a go with httpconfig; it's a GUI version of httpcfg/netsh http that's much easier. I have this tool on every server I maintain that has SSL certs. Once that's configured, your SSL server registration should route correctly.