C++

Forum

 
WinInet HTTPS Post Request?

FlipFloppe (5)
I need to send data with POST method to a php page. The site has SSL (Let's Encrypt)


Here's my code for HTTP Request



1
2
3
4
5
6
 

 LPVOID myMessage = (LPVOID)postData.c_str();
    HINTERNET hInternet = InternetOpenA("Mozilla/5.0", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    HINTERNET hConnection = InternetConnectA(hInternet, "website.com", 80, " ", " ", INTERNET_SERVICE_HTTP, 0, 1);
    HINTERNET hRequest = HttpOpenRequestA(hConnection, "POST", "/handler.php", NULL, NULL, NULL, 0, 1);
    HttpSendRequestA(hRequest, headers, strlen(headers), myMessage, postData.length());


however it turns out, that I can't send HTTP request to a HTTPS website. Can I use WinInet (HttpSendRequestA) for HTTPS POST request? And/Or what is needed for HTTPS request?
kigar64551 (784)
Try connecting to port #443 (HTTPS) instead of port #80 (HTTP).

Also try adding the flag INTERNET_FLAG_SECURE to the HttpOpenRequest() invocation.

[EDIT]

Set lpszUserName and lpszPassword to NULL instead of a single space character, if no credentials are needed.

BTW: It doesn't matter which authority (Let's Encrypt or whatever) the server got its certificate from. But it does matter which version of SSL/TLS the server supports. SSL, up to and including version 3.0, is dead these days, because it has severe security issues. TLS version 1.0 and 1.1 have some flaws too. Most servers only support TLS 1.2 and TLS 1.3 nowadays. You need an up-to-date version of Windows, if you want to connect to such servers. In older versions of Windows, WinINet (SChannel) didn't support newer TLS versions!
Last edited on
FlipFloppe (5)
that worked, thanks!

But I still got one issue. I can see the Post data through wireshark, and shouldn't the HTTPS mean that it would be encrypted?
kigar64551 (784)
WireShark can decrypt the HTTPS traffic, but this requires a special setup and it requires the server's secret key. Unless you set up WireShark specifically to decrypt the HTTPS traffic, it definitely should not be able show the POST data (nor the request path and query string, or the server's response) in plain text!

https://wiki.wireshark.org/TLS#TLS_Decryption


Post your complete WireShark dump, if you want more help...
Last edited on
FlipFloppe (5)
HTTP Debugger seems to be able to do that. Should it not?
Last edited on
kigar64551 (784)
HTTP Debugger seems to be able to do that. Should it not?

Do what?
FlipFloppe (5)
I sent the Post request, and it shows the data I'm trying to send to my php page. Http Debugger reveals the post data.
Last edited on
kigar64551 (784)
Which "Http Debugger" you are referring to? It's not clear to me.

Before you were talking about WireShark. And, to the best of my knowledge, WireShark shows the data that goes over the network. This definitely should be encrypted for HTTPS.

As mentioned before, WireShark has the ability to decrypt TLS traffic, if it was set up to do that. See the Wiki link I posted above for details on how this works. Unless you did set up WireShark to decrypt TLS, it should not be able to decrypt your HTTPS traffic. If you see your traffic in plaintext anyway, then you should be concerned!
Last edited on
FlipFloppe (5)
Hey, I did a mistake. Wireshark did not show the plain text or anything, but HTTP Debugger still does. Guess I'll need to find a way to encrypt the data and decrypt it from my website.


Im referring to this - > https://www.httpdebugger.com
kigar64551 (784)
I'm not sure, but it's possible that "HTTP Debugger" intercepts the HTTP traffic before the encryption layer.
Last edited on
Topic archived. No new replies allowed.