I am trying to upload a file [path] to [uri] with Invoke-WebRequest with the following:

```powershell
$Uri = [uri]
$Body = @{
    username  = $Credentials.UserName
    password   = $Credentials.Password
    file = Get-Item -Path [path]
}
Invoke-WebRequest -Uri $Uri -Method 'POST' -Body $Body -UseBasicParsing
```

(As I'm stuck with PowerShell 5.1, I include -UseBasicParsing.)

This leads to a failed login response, and inspecting the server response, I see that it interprets the password string as "System.Security.SecureString" instead of the actual password.

I assume that this happens because -UseBasicParsing changes how SecureString objects are passed? I am a complete novice in PowerShell and HTTP and so would greatly appreciate any suggestions for workarounds that don't compromise on security, and/or any explanations for why this happens.

elli

1 Answer

You can try decoding the password inline, like this:

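```powershell
$Uri = [uri]
$Body = @{
    username  = $Credentials.UserName
    # GetNetworkCredential() is a method of the PSCredential object,
    # not of its SecureString Password property
    password   = $Credentials.GetNetworkCredential().Password
    file = Get-Item -Path [path]
}
Invoke-WebRequest -Uri $Uri -Method 'POST' -Body $Body -UseBasicParsing
```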

[Screenshot: Get Password]

and here's the result:

[Screenshot: Result]

WaitingForGuacamole
  • Thanks! AsPlainText is not supported in PowerShell 5.1 but here is an alternative way of decoding: [link](https://stackoverflow.com/a/60010688/15268760) Sorry for the basic follow-up question but does such inline decoding defeat the point of SecureString or is the password still protected due to HTTP encryption? – elli Feb 23 '21 at 18:29
  • An inline decode would expose the credential only to the current PowerShell session, as your web request has the credential in the body, you are presumably using HTTPS, and therefore the credential would be encrypted and not exposed in the URL. Also, edited my answer to include something that should work in PS 5.1. – WaitingForGuacamole Feb 23 '21 at 18:45
  • Thanks again for the response. FYI the edited answer leads to a password string of "System.Security.SecureString", but I'm happy with the general solution of decoding in PowerShell – elli Feb 24 '21 at 09:46
  • I added screenshots to illustrate what I did, in the hope this will help you solve the problem. – WaitingForGuacamole Feb 24 '21 at 12:51
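
Added example (not part of the original question, answer or comments): a PowerShell 5.1-compatible sketch of why the server received the type name, two ways to decode the SecureString, and a wrapper that keeps the plaintext in function scope and refuses non-HTTPS URIs. The helper names `ConvertTo-PlainText` and `Send-LoginForm`, the sample credential and the `example.invalid` URI are assumptions made for illustration; the file field is omitted.

```powershell
# Constructed sample credential; the name and password are made up for this example.
$secure = New-Object System.Security.SecureString
foreach ($c in 'Example-Pass-123'.ToCharArray()) { $secure.AppendChar($c) }
$secure.MakeReadOnly()
$Credentials = New-Object System.Management.Automation.PSCredential('demo-user', $secure)

# Hypothetical helper: decode via an unmanaged BSTR and zero that buffer afterwards.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][securestring]$SecureString)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Hypothetical helper: the plaintext exists only inside this function's scope,
# and the request is refused unless the URI is HTTPS.
function Send-LoginForm {
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    if ($Uri.Scheme -ne 'https') {
        throw "Refusing to send credentials to a non-HTTPS URI: $Uri"
    }
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    Invoke-WebRequest -Uri $Uri -Method 'POST' -Body $body -UseBasicParsing
}

# A SecureString converts to its type name, which is the value the server received.
$asSent = [string]$Credentials.Password
Write-Output "Stringified SecureString: $asSent"

# Both decoding routes yield the same plaintext.
$viaCredential = $Credentials.GetNetworkCredential().Password
$viaMarshal    = ConvertTo-PlainText -SecureString $Credentials.Password
Write-Output "Decoders agree: $($viaCredential -ceq $viaMarshal)"

# The scheme check stops a plain-HTTP post before any request is made.
try   { Send-LoginForm -Uri 'http://example.invalid/upload' -Credential $Credentials }
catch { Write-Output "Blocked: $($_.Exception.Message)" }
```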