API Call. VBS vs WinBatch

Started by krasdude, November 15, 2018, 10:34:56 AM


krasdude

Hello all

Hoping for any suggestions.  I have been asked to look into scripting API calls to Nexpose.  Authentication ... (code just thrown together in a few minutes so please forgive)

Anyway, this VBS script allows me to authenticate and return a session ID .. no issues

  Dim stringXML : stringXML = "<?xml version=""1.0"" encoding=""UTF-8""?><LoginRequest sync-id=""123"" user-id=""<LOGIN ID>"" password=""<PWD>"" />"

  Dim httpRequest : Set httpRequest = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  httpRequest.Open "POST", "https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml", FALSE
  httpRequest.SetRequestHeader "Content-Type", "text/xml"
  httpRequest.Send stringXML

  If httpRequest.status = 200 Then
     wscript.echo httpRequest.responseText
  Else
     wscript.echo "CRAP"
  End If

  wscript.quit

However, when I try to replicate within WB, it fails to authenticate

  stringXML = '<?xml version="1.0" encoding="UTF-8"?><LoginRequest sync-id="123" user-id="<LOGIN ID>" password="<PWD>" />'

  oHTTP = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  oHttp.open("POST","https://<LOCAL NEXPOSE SERVER>.com:3780/api/1.1/xml",@FALSE)
  oHttp.SetRequestHeader("Content-Type", "text/xml")
  oHttp.Send(stringxml)

  If oHttp.Status == 200
     message("Nexpose Test",oHTTP.responseText)
  Else
     message("Nexpose Test","Returned Status of " : oHTTP.Status)
  End if

  exit

I get a status code of 200, but the ResponseText (attached) says "Authorization required for API Access"

Any ideas on what I missed?  Running latest WinBatch BTW

Thanks all



td

The first question is what are "<LOGIN ID>" and "<PWD>"?  Are they just placeholders for whatever your actual id and password are, or do they have some special meaning to your API?
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

krasdude

Placeholders, sorry.  Actual Nexpose server, login ID and password in both scripts.

stanl

This may be far-fetched but I read about a user writing a request from Excel and mentioned that instead of using MSXML2.ServerXMLHTTP.6.0 he used MSXML2.XMLHTTP.6.0 - which seemed to work better as the site used cookies. May not apply here but real easy to test.

krasdude

I tried MSXML2.XMLHTTP.6.0 but the script dies at "oHttp.Send(stringxml)" with a COM/CLR Exception

td

Assuming that you are not doing something with substitution in your actual script and that you are executing the script from an admin account, the only thing that comes to mind is UAC.  Have no idea why it would make a difference but your VB script is most likely running with the restricted admin token and your WinBatch script is most likely executing with an elevated admin token.  It is a very long shot but you could try changing your script's file extension from ".wbt" to ".wbt_if" and then try running the ".wbt_if" version.  If it works then, as far-fetched as it may seem, UAC is the cause.

krasdude

I found out a different way.  I appreciate everyone's thoughts and ideas.

Thanks again everyone

td

It would have been interesting to have discovered why your WinBatch script was not working correctly.  Oh well.   The only other thing I could think of is that for some unknown reason the COM Automation object represented by the "MSXML2.ServerXMLHTTP.6.0" moniker is sending a different default user agent when called from WinBatch than when called from VB.  I have no idea if or why that would happen but I do know that using this object with HTTPS protocol URLs can have a user agent problem.  Of course, this particular problem can be corrected by changing the user agent in the header before connecting to the HTTP server. 

krasdude

If I had RTFM, I would have noticed one can encode userid and pwd in Base64, then use basic authorization in the header; it goes in w/o a hitch.  Plus I moved to Nexpose API version 3.


; Base64-encode a string via the MSXML DOM: a "bin.base64" typed node
; renders its byte-array value as Base64 text.
#DefineFunction udfEncodeBase64(str)
   hexstr = ChrStringToHex(str)                 ; string -> hex digits
   hBin = BinaryAlloc(StrByteCount( hexstr, 1 ))
   BinaryPokeHex(hBin, 0, hexstr)               ; hex digits -> raw bytes in the buffer
   BinaryOleType(hBin, 103, 0,0,0)              ; mark the buffer as an OLE byte array
   objXML = ObjectCreate('MSXML2.DOMDocument')
   objNode = objXML.createElement("b64")
   objNode.dataType = "bin.base64"
   objNode.nodeTypedValue = hBin
   EncodeBase64 = objNode.Text                  ; Text of the node is the Base64 form
   objNode = 0
   objXML = 0
   Return EncodeBase64
#EndFunction

; Basic auth credential is base64("<userid>:<password>")
text = '<USERID>:<Password>'
token = udfEncodeBase64(text)

url = "https://nexpose.xxxxx.com:3780/api/3/sites"

oHttp = CreateObject("WinHTTP.WinHTTPRequest.5.1")
oHttp.open("GET",url,@FALSE)

oHttp.SetRequestHeader("Authorization", "Basic %token%")
oHttp.SetRequestHeader("Content-Type", "application/json")
oHttp.SetRequestHeader("cache-control","no-cache")
oHttp.Option(0) = "http_requester/0.1"   ; WinHttpRequestOption_UserAgentString
oHttp.Option(4) = 13056                  ; WinHttpRequestOption_SslErrorIgnoreFlags: 0x3300 ignores
                                         ; unknown CA, wrong usage, CN mismatch and expired cert,
                                         ; i.e. no certificate validation at all
oHttp.Option(6) = @FALSE                 ; WinHttpRequestOption_EnableRedirects
ohttp.Option(12) = @TRUE                 ; WinHttpRequestOption_EnableHttpsToHttpRedirects
oHttp.send()


Live and learn I guess.  Again, thanks all
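Added example (not code from the thread or from Nexpose): the same Basic-auth request that the last post arrives at, written in Python with the standard library, plus the two checks the earlier posts show are needed. First, the Authorization value is "Basic " followed by base64 of user:password exactly as the WinBatch udfEncodeBase64 produces it. Second, the first post got HTTP 200 with a body reading "Authorization required for API Access", so the status code alone is not proof that the login was accepted; login_accepted checks the body too. The TLS context verifies the certificate chain and host name, which is the opposite of the page's Option(4) = 13056 setting. The host name, user, password and the header name Accept (a GET carries no body, so Accept rather than Content-Type describes what the client wants back) are my assumptions, not the thread's.

```python
"""Nexpose API v3 GET with HTTP Basic auth (added example, not the thread's code)."""
import base64
import ssl
import urllib.request

# Constructed placeholder host; the thread's real server name is not on the page.
NEXPOSE_URL = "https://nexpose.example.invalid:3780/api/3/sites"


def basic_auth_header(user: str, password: str) -> str:
    """Return the Authorization header value: 'Basic ' + base64(user:password).

    RFC 7617 builds the credential from the raw bytes of user + ':' + password,
    so a user id containing ':' cannot be represented unambiguously.
    """
    if ":" in user:
        raise ValueError("user id must not contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(url: str, user: str, password: str) -> urllib.request.Request:
    """Assemble the GET request with the headers the thread settled on."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/json")   # assumption: Accept, not Content-Type, on a GET
    req.add_header("Cache-Control", "no-cache")
    req.add_header("User-Agent", "http_requester/0.1")  # same agent string as the WinBatch post
    return req


def tls_context() -> ssl.SSLContext:
    """Default context: chain and host name are verified (CERT_REQUIRED, check_hostname).

    This replaces the WinHTTP SslErrorIgnoreFlags = 0x3300 setting, which accepts
    any certificate and therefore any server presenting one.
    """
    ctx = ssl.create_default_context()
    return ctx


def login_accepted(status: int, body: str) -> bool:
    """HTTP 200 plus a body that does not say authorization is required.

    The first post shows the console answering 200 with
    'Authorization required for API Access', so both conditions are checked.
    """
    return status == 200 and "authorization required" not in body.lower()


def fetch_sites(url: str, user: str, password: str) -> tuple:
    """Perform the request (network access; not exercised by the tests)."""
    req = build_request(url, user, password)
    with urllib.request.urlopen(req, context=tls_context(), timeout=30) as resp:
        body = resp.read().decode("utf-8", "replace")
        return resp.status, body, login_accepted(resp.status, body)


if __name__ == "__main__":
    # Constructed credentials for illustration only.
    print(build_request(NEXPOSE_URL, "alice", "s3cret").get_header("Authorization"))
```

Basic auth only protects the credential as far as the TLS channel does, which is why the example keeps certificate verification on instead of copying the WinHTTP ignore flags from the post.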

td

Thanks for the information.   I suspect I and perhaps others will find it useful down the road.

stanl

I agree with Tony and apologize for my rabbit hole.  One question: did moving to the newer Nexpose API require

oHttp.SetRequestHeader("Content-Type", "application/json")

instead of

oHttp.SetRequestHeader("Content-Type", "text/xml")

krasdude

This type of programming is new to me.  People found I could code and suddenly I am getting side requests to access OnSpring, Nexpose and BitSight.  So learning on the fly.

No, Nexpose didn't to my knowledge.  I googled for a VB example of Base64 and translated it.

So, for a GET, changing oHttp.SetRequestHeader("Content-Type", "application/json") to oHttp.SetRequestHeader("Content-Type", "text/xml") does not seem to matter for Nexpose.  Results are the same and in the same format (JSON).

Now a POST, not sure yet as I haven't gotten that far