WinBatch® Technical Support Forum

All Things WinBatch => WinBatch => Topic started by: krasdude on November 15, 2018, 10:34:56 AM

Title: API Call. VBS vs WinBatch
Post by: krasdude on November 15, 2018, 10:34:56 AM
Hello all

Hoping for any suggestions.  I have been asked to look into scripting API calls to Nexpose.  Authentication ... (code just thrown together in a few minutes so please forgive)

Anyway, this VBS script allows me to authenticate and return a session ID .. no issues

  Dim stringXML : stringXML = "<?xml version=""1.0"" encoding=""UTF-8""?><LoginRequest sync-id=""123"" user-id=""<LOGIN ID>"" password=""<PWD>"" />"

  Dim httpRequest : Set httpRequest = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  httpRequest.Open "POST", "https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml", FALSE
  httpRequest.SetRequestHeader "Content-Type", "text/xml"
  httpRequest.Send stringXML

  If httpRequest.status = 200 Then
     wscript.echo httpRequest.responseText
  Else
     wscript.echo "CRAP"
  End If

  wscript.quit

However, when I try to replicate within WB, it fails to authenticate

  stringXML = '<?xml version="1.0" encoding="UTF-8"?><LoginRequest sync-id="123" user-id="<LOGIN ID>" password="<PWD>" />'

  oHTTP = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  oHttp.open("POST","https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml",@FALSE)
  oHttp.SetRequestHeader("Content-Type", "text/xml")
  oHttp.Send(stringxml)

  If oHttp.Status == 200
     message("Nexpose Test",oHTTP.responseText)
  Else
     message("Nexpose Test","Returned Status of " : oHTTP.Staus)
  End if

  exit

I get Status code of 200 But the ResponseText (attached) says "Authorization required for API Access"

Any ideas on what I missed?  Running latest WinBatch BTW

Thanks all


Title: Re: API Call. VBS vs WinBatch
Post by: td on November 15, 2018, 10:51:47 AM
The first question is what are "<LOGIN ID>" and "<PWD>"?  Are they just placeholders for whatever your actual id and password or do they have some special meaning to your API?
Title: Re: API Call. VBS vs WinBatch
Post by: krasdude on November 15, 2018, 11:02:28 AM
placeholders, sorry.  actual Nexpose server, Login ID and password in both scripts
Title: Re: API Call. VBS vs WinBatch
Post by: stanl on November 15, 2018, 11:05:13 AM
This may be far-fetched but I read about a user writing a request from Excel and mentioned that instead of using MSXML2.ServerXMLHTTP.6.0 he used MSXML2.XMLHTTP.6.0 - which seemed to work better as the site used cookies. May not apply here but real easy to test.
Title: Re: API Call. VBS vs WinBatch
Post by: krasdude on November 15, 2018, 11:19:07 AM
I tried MSXML2.XMLHTTP.6.0 but the script dies at "oHttp.Send(stringxml)" with a COM/CLR Exception
Title: Re: API Call. VBS vs WinBatch
Post by: td on November 15, 2018, 12:20:46 PM
Assuming that you are not doing something with substitution in your actual script and that you are executing the script form an admin account, the only thing that comes to mind is UAC.  Have no idea why it would make a difference but your VB script is most likely running with the restricted admin token and your WinBatch script is most likely executing with an elevated admin token.    It is a very long shot but you could try changing your scripts file extension from ".wbt" to ".wbt_if" and then try running the ".wbt_if" version.  If it works then, as far-fetched as it may seem,  UAC is the cause.
Title: Re: API Call. VBS vs WinBatch
Post by: krasdude on November 15, 2018, 02:17:51 PM
I found out a different way.  I appreciate everyone's thoughts and ideas.

Thanks again everyone
Title: Re: API Call. VBS vs WinBatch
Post by: td on November 16, 2018, 08:15:51 AM
It would have been interesting to have discovered why your WinBatch script was not working correctly.  Oh well.   The only other thing I could think of is that for some unknown reason the COM Automation object represented by the "MSXML2.ServerXMLHTTP.6.0" moniker is sending a different default user agent when called from WinBatch than when called from VB.  I have no idea if or why that would happen but I do know that using this object with HTTPS protocol URLs can have a user agent problem.  Of course, this particular problem can be corrected by changing the user agent in the header before connecting to the HTTP server. 
Title: Re: API Call. VBS vs WinBatch
Post by: krasdude on November 16, 2018, 08:26:56 AM
If I RTFM, I would have noticed one can encode userid and pwd in Base64, then use basic authorization in header, goes in w/o a hitch.  Plus I moved to Nexpose API version 3.


#DefineFunction udfEncodeBase64(str)
   hexstr = ChrStringToHex(str)
   hBin = BinaryAlloc(StrByteCount( hexstr, 1 ))
   BinaryPokeHex(hBin, 0, hexstr)
   BinaryOleType(hBin, 103, 0,0,0)
   objXML = ObjectCreate('MSXML2.DOMDocument')
   objNode = objXML.createElement("b64")
   objNode.dataType = "bin.base64"
   objNode.nodeTypedValue = hBin
   EncodeBase64 = objNode.Text
   objNode = 0
   objXML = 0
   Return EncodeBase64
#EndFunction

text = '<USERID>:<Password>'
token = udfEncodeBase64(text)

url = "https://nexpose.xxxxx.com:3780/api/3/sites"

oHttp = CreateObject("WinHTTP.WinHTTPRequest.5.1")
oHttp.open("GET",url,@FALSE)

oHttp.SetRequestHeader("Authorization", "Basic %token%")
oHttp.SetRequestHeader("Content-Type", "application/json")
oHttp.SetRequestHeader("cache-control","no-cache")
oHttp.Option(0) = "http_requester/0.1"
oHttp.Option(4) = 13056
oHttp.Option(6) = @FALSE
ohttp.Option(12) = @TRUE
oHttp.send()


Live and learn I guess.  Again, thanks all
Title: Re: API Call. VBS vs WinBatch
Post by: td on November 16, 2018, 02:00:07 PM
Thanks for the information.   I suspect I and perhaps others will find it useful down the road.
Title: Re: API Call. VBS vs WinBatch
Post by: stanl on November 17, 2018, 04:26:02 AM
I agree with Tony and apologize for my rabbit hole.  One question: did moving to the newer Nexpose API require


oHttpoHttp.SetRequestHeader("Content-Type", "application/json")
'instead of





oHttp.SetRequestHeader("Content-Type", "text/xml")
Title: Re: API Call. VBS vs WinBatch
Post by: krasdude on November 17, 2018, 05:16:19 AM
this type of programming is new to me.  People found found I could code and suddenly getting side requests to access OnSpring, Nexpose and BitSight.  So leaning on the fly.

No, Nexpose didn't to my knowledge.  I googled for VB example of Base64 and translated

So, for a GET, changing oHttp.SetRequestHeader("Content-Type", "application/json") to oHttp.SetRequestHeader("Content-Type", "text/xml") does not  seem to matter for Nexpose.  Results are the same and in same format (JSON). 

Now a POST, not sure yet as I haven't gotten that far