
I'd like to block, system-wide, the request to the Graph API that gets profile images from Graph using this URL:

https://tasks.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync

I've tested it with uBlock Origin and it works with this rule:

||tasks.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync?

The downside is that it works only in a single browser and I cannot block profile images in Teams or other applications.

So I thought I'd add this address to my ESET's Web & Email block list as shown here, but it doesn't work. The images still load. I've tried various patterns like these:

https://tasks.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync
https://tasks.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync?
https://tasks.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync?*
*.office.com/COMPANY.onmicrosoft.com/GraphApiV1/GetUserPhotoAsync?*

What else can I try?

  • What is your router's model ?
    – harrymc
    Commented Apr 19, 2023 at 13:09

1 Answer


The only way this could be accomplished is by running a man-in-the-middle attack against the software you’re running. Otherwise, you cannot filter on specific request paths. On an abstract level, you need the following:

  • A proxy that can do HTTPS interception (and possibly also the filtering you want)
  • A Certificate Authority (CA) that…
    • your software must trust
    • the proxy will use to issue certificates for intercepted connections

Please note that it is security-critical that your CA private key remain secret. Otherwise, when someone gets this key, you truly are open to MITM attacks.


One popular web filtering proxy is Privoxy. According to its documentation, it can do HTTPS inspection. The manual describes the following relevant config options:

  • ca-directory
  • ca-cert-file
  • ca-key-file
  • ca-password
  • certificate-directory
  • trusted-cas-file (this is important)

Furthermore, the https-inspection action needs to be enabled for specific sites:

{+https-inspection}
tasks.office.com
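
Added example, not part of the original answer: how the options listed above and a path-level block rule for the URL in the question could fit together. The directory paths, file names, listen address and block reason are assumptions, and it assumes a Privoxy build with HTTPS inspection support.

```conf
# ---- /etc/privoxy/config (paths and file names are assumptions) ----
listen-address  127.0.0.1:8118

# CA that signs the per-host certificates Privoxy generates for
# intercepted connections. Clients must trust cacert.crt.
ca-directory           /etc/privoxy/CA
ca-cert-file           cacert.crt
ca-key-file            cakey.pem
ca-password            REPLACE_WITH_CA_KEY_PASSPHRASE

# Must be writable by the Privoxy user; generated keys and
# certificates are stored here.
certificate-directory  /var/lib/privoxy/certs

# Root certificates Privoxy uses to validate the real upstream server.
trusted-cas-file       trustedCAs.pem

actionsfile user.action

# ---- /etc/privoxy/user.action ----
# Decrypt only this host; other HTTPS hosts are not inspected.
{+https-inspection}
tasks.office.com

# The host part is a domain pattern and the path part is a regular
# expression, so literal dots in the path are escaped.
{+block{Planner user photo request}}
tasks.office.com/COMPANY\.onmicrosoft\.com/GraphApiV1/GetUserPhotoAsync
```

The block rule only matches once the request has been decrypted, so each application has to be pointed at the proxy and has to trust `cacert.crt`. Keep `cakey.pem` readable only by the account Privoxy runs as.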
