Rapid7 HTTP Basic Authentication

An HTTP authentication attempt for API access to InsightVM gives an error.

import sys
import requests

url = "https://IP:3780/api/3"
username = "USER"
password = "PASSWORD"
apikey = "KEY"
debug = {'verbose': sys.stderr}
# 'header' is built elsewhere in the script (not included in the post)
response = requests.get(url, headers=header)

gives out

HTTPSConnectionPool(host='HOST', port=3780): Max retries exceeded with url: /api/3 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

If I disable verification in requests, the error turns into

Could not find a suitable TLS CA certificate bundle, invalid path: b'I00\n'

I can't find good documentation in Rapid7 for authenticating; it just says to use basic authentication.

Any advice on this, please?

Are you using an internal CA for your cert? It looks like you need to install the cert chain on the box you are running the script from. But I can confirm that a Base64-encoded Basic auth header works.

1 Like

Here is an example below for getting all of the sites. I would suggest using something like Postman to help work through the API. The snippet you have above doesn't look to be the full code, though, so I can't fully understand what may have gone wrong.

Our API documentation for the Authentication portion says it needs basic auth of the base64 encoded form of “username:password”

You can use the CLI or online converters to convert literally the phrase "username:password" to base64 and then attach it as shown in my script. Postman and other tools usually do this step for you.

Also keep in mind that my script is also disabling the SSL verification. As @brandon_mcclure mentioned, you can install the cert chain on the box you’re running the script from so that you don’t need to bypass the security warnings.

#!/usr/local/bin/python3

import requests
import urllib3

# Silence the InsecureRequestWarning that verify=False would otherwise print on every request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

console_url = "Console IP:3780"
base64_cred = "Base 64 of credentials"  # base64 of the literal string "username:password"

url = "https://" + console_url + "/api/3/sites"

payload = {}
headers = {
  'Accept': 'application/json;charset=UTF-8',
  'Authorization': 'Basic ' + base64_cred
}

# verify=False turns off TLS certificate checking; install the console's CA chain instead where you can
response = requests.request("GET", url, headers=headers, data=payload, verify=False)

print(response.text)
3 Likes

Thanks @john_hartman, I see what I have been doing wrong. Base64 encoding was the issue.

All Set now. Thanks !!!

Yes, Base64 worked. I overlooked that … Thanks @brandon_mcclure

Thank you for sharing this script @john_hartman.

In case you don't want to deal with b64, the requests package can do that for you by passing the auth parameter:

import requests

# url, username and password as defined in the first post
req = requests.get(url, data=data, auth=(username, password))
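Pulling the thread together, here is an added example (my own, not code from the thread or from Rapid7) that serves both @john_hartman's post and the last reply: it builds the Basic header by base64-encoding the literal "username:password", checks that the auth=(username, password) tuple makes requests generate exactly that header, and replaces verify=False with a verify= value naming the PEM file that holds the internal CA chain @brandon_mcclure suggested installing. It validates that value before sending, because "Could not find a suitable TLS CA certificate bundle, invalid path: ..." is what requests raises when verify (or the REQUESTS_CA_BUNDLE environment variable) is set to something that is not the path of an existing file or directory. The console address, credentials, environment variable names and the bundle path are placeholders, and reading the site list from the "resources" key of the response is an assumption about the v3 API's paginated list format.

```python
# Added example, not part of the thread or of Rapid7's code.
import base64
import os


def basic_auth_header(username: str, password: str) -> str:
    """Value for the Authorization header: base64 of the literal "username:password".

    This is the step the original post missed: the credentials are sent
    base64-encoded, not as raw text. RFC 7617 forbids ':' in the user-id.
    """
    if ":" in username:
        raise ValueError("username must not contain ':' in HTTP Basic auth")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def looks_like_pem(data: bytes) -> bool:
    """Sanity check that a CA bundle holds PEM certificates, not arbitrary text."""
    return data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----")


def resolve_ca_bundle(bundle):
    """Validate a CA bundle setting and return the value to pass as verify=.

    None or True -> True  (requests' default certifi store; fine for public CAs)
    str          -> str   (path of the PEM file holding the internal CA chain)
    Anything else, including file *contents* or a path with a newline in it,
    is rejected here with a clear message instead of surfacing later as
    "Could not find a suitable TLS CA certificate bundle, invalid path".
    """
    if bundle is None or bundle is True:
        return True
    if isinstance(bundle, bytes):
        bundle = bundle.decode("utf-8", errors="replace")
    if not isinstance(bundle, str) or "\n" in bundle or not os.path.isfile(bundle):
        raise ValueError(f"CA bundle must be the path of an existing PEM file, got {bundle!r}")
    with open(bundle, "rb") as f:
        if not looks_like_pem(f.read(64)):
            raise ValueError(f"{bundle} does not look like a PEM certificate bundle")
    return bundle


def get_sites(console: str, username: str, password: str, ca_bundle=None) -> dict:
    """GET https://<console>/api/3/sites with Basic auth and TLS verification left on."""
    import requests  # imported here so the helpers above need nothing beyond the stdlib

    url = f"https://{console}/api/3/sites"
    session = requests.Session()
    session.auth = (username, password)            # the auth tuple from the last reply
    session.headers["Accept"] = "application/json;charset=UTF-8"
    session.verify = resolve_ca_bundle(ca_bundle)  # a PEM path or True, never False

    # requests derives the header from the same base64("username:password") recipe,
    # so for ASCII credentials it must match basic_auth_header() byte for byte.
    prepared = session.prepare_request(requests.Request("GET", url))
    if (username + password).isascii() and \
            prepared.headers["Authorization"] != basic_auth_header(username, password):
        raise RuntimeError("requests did not produce the expected Basic header")

    response = session.get(url, timeout=30)
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    # Placeholders; INSIGHTVM_CA_BUNDLE should name the PEM file with your internal CA chain.
    print(basic_auth_header("username", "password"))  # Basic dXNlcm5hbWU6cGFzc3dvcmQ=
    sites = get_sites(
        os.environ.get("INSIGHTVM_CONSOLE", "CONSOLE_IP:3780"),
        os.environ.get("INSIGHTVM_USER", "USER"),
        os.environ.get("INSIGHTVM_PASS", "PASSWORD"),
        os.environ.get("INSIGHTVM_CA_BUNDLE"),
    )
    # Assumption: v3 list endpoints return the current page's items under "resources".
    for site in sites.get("resources", []):
        print(site.get("id"), site.get("name"))
```

Export the console's CA chain as a PEM file, point INSIGHTVM_CA_BUNDLE (or requests' own REQUESTS_CA_BUNDLE) at it, and the CERTIFICATE_VERIFY_FAILED error from the first post goes away without disabling verification; if the variable is set to anything other than that file's path, resolve_ca_bundle() fails before a single request is sent, which is the situation behind the second error in the thread.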