Friday, 16 September 2011

SSL Testing with VBS (winhttprequest)

I have a bit of a love/hate relationship with VBS, perhaps because not all of our boxes have PowerShell installed and I'm forced to use VBS a lot of the time for testing web services and an other assorted things.

We have been testing a website that uses client certificate mapping in IIS, see step 8 on this post, with the added twist that we have no other way of authentication, it's client certificates or bust. We are  sort of forced to POST a soap request, as the main method that we are testing, has way too many parameters for a GET request.
In my example script, see below, I'm using a client certificate installed in the user's store, this is more common than a client certificate installed in the Local Computer's store. If this is the case change line 17 to "LOCAL_MACHINE\Personal\1234" or whatever your certificates's name is.

   1 Dim objwinhttp, strURL, strStatus, soap
   2 
   3 soap = "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:SOAP-ENC='http://schemas.xmlsoap.org/soap/encoding/' xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>"
   4 soap =  soap + "<soap:Body>"
   5 soap = soap + "<MyMethod xmlns='http://server.dev.com/MyMethod'><Centre>string</Centre>....manymoreparemetershere</MyMethod>
   6 soap = soap + "</soap:Body></soap:Envelope>"            
   7 
   8 strURL = "https://server.dev.com:5555/service.asmx" 
   9 
  10 set objwinhttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  11 
  12 objwinhttp.Open "POST", strURL
  13 objwinhttp.setRequestHeader "Content-type","text/xml; charset=utf-8"
  14 objwinhttp.setRequestHeader "SOAPAction","http://dom.dev.com/MyMethod"
  15 objwinhttp.setRequestHeader "Content-Length",Len(soap)
  16 
  17 objwinhttp.SetClientCertificate "CURRENT_USER\MY\1234"
  18 
  19 objwinhttp.Send(soap)
  20 
  21 wscript.Echo("Response Code: " & objwinhttp.Status & " Response: " & objwinhttp.ResponseText)

No comments:

Post a Comment