
I need to log in to an HTTPS website via an HTTP request.

I am trying to use the code from this post: "VBA WinHTTP to download file from password proteced https website"

but I only get this answer: "User not found". I know the user and password work fine when I log in manually.

My main doubt is: where do the parameters in the string strAuthenticate come from?

And also, why can't I see any HTTP header with the word "authorization" in it, or with my username/password in it, when I use an HTTP sniffer program?

The website uses form-based authentication. Is there a way to (or should I) put in my code any reference to the HTML textbox objects for the username and password? (And in that case, how could I do it?)

```vba
Sub SaveFileFromURL()

    Dim WHTTP As WinHttp.WinHttpRequest
    Set WHTTP = New WinHttpRequest

    mainUrl = "https://www.somesite.com.br/Login.php"

    myuser = "userA"
    mypass = "passuserA"

    strAuthenticate = "start-url=%2F&user=" & myuser & "&password=" & mypass & "&switch=Log+In"

    WHTTP.Open "POST", mainUrl, False
    WHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    WHTTP.SetRequestHeader "Authorization", "Basic " & EncodeBase64(StrConv(myuser & ":" & mypass, vbFromUnicode))
    WHTTP.Send
End Sub
```
naguall
  • First you should test to find out **exactly** what is being sent in the username... Try sending it to notepad and check that there are no odd characters etc being added. – Solar Mike Aug 10 '19 at 07:05
  • You create the variable `strAuthenticate`, but don't send it to the server. Have you tried changing the line `WHTTP.Send` to something like `WHTTP.Send strAuthenticate`? Also, any URL unsafe characters in your username and password might need to be URL encoded (when creating `strAuthenticate`). You can achieve this with `Application.EncodeURL`. If you share the log-in URL (where the log-in form is), it might be easier to see what information is POSTed and to what URL/endpoint. – chillin Aug 11 '19 at 16:45
  • @SolarMike How could I send this to notepad? I have some experience with VBA, but not with the WHTTP object. Can I send an HTTPREQUEST to notepad? – naguall Aug 11 '19 at 20:56
  • @chillin You are right, I didn't use the strAuthenticate in the code I posted. But I had already tried to send it with `WHTTP.Send strAuthenticate` and I got the same result. Unfortunately I can't expose the real URL. – naguall Aug 11 '19 at 21:03
  • @naguall You may need to do `strAuthenticate = "start-url=%2F&user=" & Application.EncodeURL(myuser) & "&password=" & Application.EncodeURL(mypass) & "&switch=Log+In"`, then `WHTTP.Send strAuthenticate`, and remove the Authorization header from the code. I would then use a traffic analyser to compare the request you're sending with Excel with the request sent when logging in via browser. Compare the HTTP status code of the response, the data sent, the URL the data is sent to, anything else. Try to spot any differences and address them. – chillin Aug 12 '19 at 05:52

1 Answer


Thanks very much for all the help. It turns out the key to finding the answer was to use the right tools. As @chillin recommended, using a traffic analyser was essential. I was trying to get the HTTP headers with the "Live HTTP Headers" Chrome extension, but that only gave me information about the manual authentication process, and even then INCOMPLETE information.

So I downloaded "WireShark" and tried to sniff the HTTP traffic, but I couldn't since it was encrypted. Then I did some research and found this way to work around the encryption:

https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/

After following this step-by-step guide and applying an HTTP packet filter (just write http in the Wireshark filter textbox), I was able to sniff the HTTP traffic (the one I generate when I log in manually to the website and the one generated via the Excel (VBA) HTTPREQUEST).

After this everything got easier and I ended up with the code below:

```vba
Sub HTTPRESQUEST()
    'https://stackoverflow.com/questions/22051960/vba-winhttp-to-download-file-from-password-proteced-https-website/
    'https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/
    'https://wiki.wireshark.org/TLS?action=show&redirect=SSL
    'https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret

    Dim WHTTP As WinHttp.WinHttpRequest
    Set WHTTP = New WinHttpRequest

    'Logon page:
    mainUrl = "https://www.somewebsite/Logar.php"

    myuser = "myuser"
    mypass = "mypassword"

    strAuthenticate = "username=" & myuser & "&bypass=" & mypass

    WHTTP.Open "POST", mainUrl, False
    WHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    WHTTP.Send strAuthenticate

End Sub
```

That was enough to do the website log in. No need to encode the username and password.

PS: In the strAuthenticate string, "username" and "bypass" are the HTML object ids for the username textbox and the password textbox.

I hope this answer can help other people. Thanks again for all the help!

naguall
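
Added example, not part of the original answer: the same form POST with every field percent-encoded, so a password containing `&`, `=`, `+` or `%` reaches the server's form parser unchanged, and with the credentials prompted for rather than stored in the macro. The field names `username` and `bypass` are the ones from the answer; the URL is a placeholder, and `BuildFormBody`, `FormLogin` and `LoginExample` are names introduced here. It assumes Excel 2013 or later (for `WorksheetFunction.EncodeURL`) and a reference to "Microsoft WinHTTP Services, version 5.1".

```vba
Option Explicit

' Added example: helper names and the URL are placeholders, not from the post.

' Join name/value pairs into an application/x-www-form-urlencoded body,
' percent-encoding every name and value so reserved characters survive.
Private Function BuildFormBody(ParamArray pairs() As Variant) As String
    Dim i As Long, body As String
    For i = LBound(pairs) To UBound(pairs) - 1 Step 2
        If Len(body) > 0 Then body = body & "&"
        body = body & Application.WorksheetFunction.EncodeURL(CStr(pairs(i))) & "=" & _
                      Application.WorksheetFunction.EncodeURL(CStr(pairs(i + 1)))
    Next i
    BuildFormBody = body
End Function

' POST the login form and return the request object for reuse.
Public Function FormLogin(ByVal loginUrl As String, ByVal user As String, _
                          ByVal pass As String) As WinHttp.WinHttpRequest
    Dim req As WinHttp.WinHttpRequest
    Set req = New WinHttp.WinHttpRequest

    req.Open "POST", loginUrl, False
    req.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    ' No Authorization header: the site uses a login form, not HTTP Basic auth.
    req.Send BuildFormBody("username", user, "bypass", pass)

    ' A form login can answer 200 even on failure (the question's
    ' "User not found"), so callers should inspect ResponseText as well.
    If req.Status >= 400 Then
        Err.Raise vbObjectError + 513, "FormLogin", _
                  "Login POST failed: HTTP " & req.Status
    End If

    ' Reuse this object for later requests so the session cookie
    ' set by the login is sent with them.
    Set FormLogin = req
End Function

Sub LoginExample()
    Dim user As String, pass As String
    Dim req As WinHttp.WinHttpRequest

    ' Prompt instead of keeping the credentials in the workbook.
    user = InputBox("User name")
    pass = InputBox("Password")

    Set req = FormLogin("https://www.example.com/Logar.php", user, pass)
    Debug.Print req.Status, Len(req.ResponseText)
End Sub
```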