How to Pass Authentication Credentials in VBA

How to pass login and password via POST VBA Httprequest?

Thanks very much for all the help. Turns out the key to finding the answer was to use the right tools.
As @chillin recommended, using a traffic analyser was essential. I was trying to get the HTTP headers with the "Live HTTP Headers" Chrome extension, but that only gives me information about the manual authentication process, and even then incomplete information.

So I downloaded "Wireshark" and tried to sniff the HTTP traffic, but I couldn't since it was encrypted. Then I did some research and found this way to work around the encryption:

https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/

After following this step-by-step guide and applying an HTTP packet filter (just write http in the Wireshark filter textbox), I was able to sniff the HTTP traffic (the traffic I generate when I log in manually to the website and the traffic generated via the Excel (VBA) HTTPREQUEST).

After this everything got easier and I ended up with the code below:

Sub HTTPRESQUEST()
    'https://stackoverflow.com/questions/22051960/vba-winhttp-to-download-file-from-password-proteced-https-website/
    'https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/
    'https://wiki.wireshark.org/TLS?action=show&redirect=SSL
    'https://wiki.wireshark.org/TLS#Using_the_.28Pre.29-Master-Secret

    'Requires a project reference to "Microsoft WinHTTP Services, version 5.1"
    Dim WHTTP As WinHttp.WinHttpRequest
    Dim mainUrl As String, myuser As String, mypass As String
    Dim strAuthenticate As String
    Set WHTTP = New WinHttpRequest

    'Logon page:
    mainUrl = "https://www.somewebsite/Logar.php"

    myuser = "myuser"
    mypass = "mypassword"

    'Form body: field=value pairs joined with &
    strAuthenticate = "username=" & myuser & "&bypass=" & mypass

    'Synchronous POST of the form body to the logon page
    WHTTP.Open "POST", mainUrl, False
    WHTTP.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    WHTTP.Send strAuthenticate

End Sub

That was enough to do the website log in. No need to encode the username and password.

PS: In strAuthenticate, "username" and "bypass" are the HTML object IDs for the username textbox and the password textbox.

I hope this answer can help other people. Thanks again for all the help!

VBA XMLHTTP clear authentication?

These questions have been discussed in many ways due to the major browsers' different implementations of caching methods.

I will give you what worked for me and then the sources I found on this feature.

The only solution I could come across was to force the browser to not cache the request.

Dim myURL As String, Result As String
myURL = "http://my.domain.com/myscript.cgi"
Dim oHttp As New MSXML2.XMLHTTP
oHttp.Open "POST", myURL, False
oHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
'Ask caches not to reuse a stored response
oHttp.setRequestHeader "Cache-Control", "no-cache"
oHttp.setRequestHeader "Pragma", "no-cache"
oHttp.setRequestHeader "If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT"
'Base64EncodedUsernamePassword must hold the Base64 encoding of "username:password"
oHttp.setRequestHeader "Authorization", "Basic " & Base64EncodedUsernamePassword
oHttp.send "PostArg1=PostArg1Value"
Result = oHttp.responseText

It seems that Cache-Control works on most browsers and Pragma only on Firefox and not IE (don't know why...)

If-Modified-Since is used for IE, since IE uses different settings in its own algorithm to determine whether or not the request should be cached. XMLHttpRequest seems not to be treated the same as HTTP responses.

Careful: with this code you will need the username and password each time a new object is created. Maybe you should create a new object, instantiate it once and then destroy it after use. In between you would have all your requests handled in different functions with only one authentication.


Sources

MSDN setRequestHeader Method

MSDN IXMLHTTPRequest

XMLHTTPREQUEST CACHING TESTS

XMLHttpRequest and Caching
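
The snippet in the answer above uses Base64EncodedUsernamePassword without showing how it is built; the following is an added example, not part of the original answer, that constructs the full Authorization header value. The helper names (Utf8Bytes, Base64FromBytes, BasicAuthHeader) are hypothetical, and encoding the credentials as UTF-8 is an assumption about what the server expects.

```vba
Option Explicit

' Added example: helper names are hypothetical, UTF-8 charset is assumed.

' Encode a string as UTF-8 bytes (no BOM) using ADODB.Stream.
Private Function Utf8Bytes(ByVal s As String) As Byte()
    Dim stm As Object
    Set stm = CreateObject("ADODB.Stream")
    stm.Type = 2                ' adTypeText
    stm.Charset = "utf-8"
    stm.Open
    stm.WriteText s
    stm.Position = 0
    stm.Type = 1                ' adTypeBinary
    stm.Position = 3            ' skip the 3-byte BOM that ADODB.Stream writes
    Utf8Bytes = stm.Read
    stm.Close
End Function

' Base64-encode a byte array through an MSXML bin.base64 node.
Private Function Base64FromBytes(ByRef data() As Byte) As String
    Dim dom As Object, node As Object
    Set dom = CreateObject("MSXML2.DOMDocument")
    Set node = dom.createElement("b64")
    node.DataType = "bin.base64"
    node.nodeTypedValue = data
    ' MSXML wraps long output with line feeds; a header value must be one line.
    Base64FromBytes = Replace(Replace(node.Text, vbLf, ""), vbCr, "")
End Function

' Build the value for the Authorization request header.
Public Function BasicAuthHeader(ByVal user As String, ByVal pass As String) As String
    Dim raw() As Byte
    ' The first colon separates user-id from password, so the user-id cannot contain one.
    If InStr(user, ":") > 0 Then
        Err.Raise vbObjectError + 1, "BasicAuthHeader", "User name must not contain ':'"
    End If
    raw = Utf8Bytes(user & ":" & pass)
    BasicAuthHeader = "Basic " & Base64FromBytes(raw)
End Function

Public Sub DemoBasicAuthHeader()
    ' Constructed input: the sample credentials used in RFC 7617.
    Debug.Assert BasicAuthHeader("Aladdin", "open sesame") = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
End Sub
```

The result can be passed directly as the second argument of setRequestHeader "Authorization". Base64 is an encoding rather than encryption, so the credentials are readable by anyone who can observe the request unless it is sent over HTTPS.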


