Search code examples
excelvbaauthenticationhttprequest

How to pass login and password via POST VBA Httprequest?

I need to login a https website via httprequest.

I am trying to use the code from this post VBA WinHTTP to download file from password proteced https website

but i only get that answer: "User not found" - but I know the user and password works fine when I login manually.

My main doubt is where the parameters in the string strAuthenticate came from?

And also why I can not see any http header with the "authorization" word in it or with my username/password in it when i use a http sniffer program.

The website is a form-base authentication type. Is there a way (or should I) inform in my code any reference to the HTML textboxes objects for username and password?(And in this case how could I do it?)

Sub SaveFileFromURL()

    Dim WHTTP As WinHttp.WinHttpRequest
    Set WHTTP = New WinHttpRequest

    mainUrl = "https://www.somesite.com.br/Login.php"    

    myuser = "userA"
    mypass = "passuserA"

    strAuthenticate = "start-url=%2F&user=" & myuser & "&password=" & mypass & "&switch=Log+In"

    WHTTP.Open "POST", mainUrl, False
    WHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    WHTTP.SetRequestHeader "Authorization", "Basic " & EncodeBase64(StrConv(    myuser & ":" & mypass, vbFromUnicode))
    WHTTP.Send
End Sub
Solution

  • Thanks very much for all the help. Turns out the key for find the answer was to use the right tools.

    As @chillin recommended using a traffic analyzer was essential. I was trying to get the HTTP headers with "Live HTTP Headers" Chrome extension, but that only gives my information about the manual authentication process and even then INCOMPLETE information.

    So I downloaded "WireShark" and try to sniff the HTTP traffic, but I couldn't since it was encrypted. Then I did some research and found this way of workaround the encryption:

    https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/

    After this step-by-step guide and applying an http packets filter (just write http in the wireshark filter textbox) I was able to sniff the HTTP traffic (the one I generate when I log in manually to the website and the one generated via Excel(vba) HTTPREQUEST.

    After this everything got easier and I end up with the code below:

    Sub HTTPRESQUEST()
'https://stackoverflow.com/questions/22051960/vba-winhttp-to-download-file-from-password-proteced-https-website/
'https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/
'https://wiki.wireshark.org/TLS?action=show&redirect=SSL
'https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret

Dim WHTTP As WinHttp.WinHttpRequest
Set WHTTP = New WinHttpRequest

'Logon page:
mainUrl = "https://www.somewebsite/Logar.php"

myuser = "myuser"
mypass = "mypassword"

strAuthenticate = "username=" & myuser & "&bypass=" & mypass

WHTTP.Open "POST", mainUrl, False
WHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
WHTTP.Send strAuthenticate
 
End Sub

    That was enough to do the website log in. No need to encode the username and password.

    PS: In the strAuthenticate the "username" and the "bypass" are the HTML objects ids for the username textbox and the password textbox.

    I hope this answer can help other people. Thanks again for all the help!