Use PowerShell to Keep a CookieJar and POST to a Web Form That Prohibits XSS

I recently had a project that required I log into a site and submit a form. Initially, I had a Start-Process that launched iexplore but then I decided it would be best to..

My initial attempts to automate this process failed with the server response “403 Forbidden.” As it turns out, the web server, which is some modified version of Jetty (I believe), was hardened to prevent XSS attacks. I knew that I had to use cookies, but doing so in PowerShell turned out to be a bit more challenging than it was in VBScript.

I like this script because it covers a lot of ground, from bypassing the SSL warning, to getting credentials, to submitting a form. It took about a day to figure out, but ultimately, I was able to:

  1. Authenticate using BASIC authentication
  2. Bypass SSL warnings
  3. Keep cookies
  4. Submit the information from a hidden field in the form

There are additional steps in between each of those, which include:

  • Prompting for the website credentials
  • Associating those credentials to the website
  • Placing cookies in the cookie jar
  • Parsing the form for the information I needed
  • Passing back the information

Essentially, I create a web request using System.Net.HttpWebRequest (using WebClient proved too messy), create a response stream, “upload” the data as bytes, and get the second response. You can modify this to submit other portions of a form, or just parse from page to page. Hope you find it useful!
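The flow described above, as an added example (not the author's original script): one CookieContainer shared across a GET that fetches the form and a POST that returns the hidden field's value. The host, paths, hidden field name `token` and the thumbprint are placeholders, and instead of accepting every certificate it uses a per-request callback that accepts only one pinned self-signed certificate.

```powershell
# Added example; host, paths, field name and thumbprint are placeholders (assumptions)
$formUrl   = 'https://appliance.example.test/admin/form'    # page that serves the form
$postUrl   = 'https://appliance.example.test/admin/submit'  # the form's action URL
$fieldName = 'token'                                        # name of the hidden input
$pinned    = '<EXPECTED-CERT-SHA1-THUMBPRINT>'              # thumbprint of the cert you expect

$cred = Get-Credential -Message 'Credentials for the website'
$jar  = New-Object System.Net.CookieContainer

function New-SiteRequest([string]$Url, [string]$Method) {
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Method          = $Method
    $req.CookieContainer = $jar                       # same jar on every request keeps the session
    $req.Credentials     = $cred.GetNetworkCredential()  # answers the server's BASIC challenge
    # Scoped to this request only: accept a valid chain, or exactly the pinned certificate
    $req.ServerCertificateValidationCallback = {
        param($sender, $cert, $chain, $errors)
        $errors -eq [System.Net.Security.SslPolicyErrors]::None -or $cert.GetCertHashString() -eq $pinned
    }
    $req
}

# 1. GET the form: the server sets its cookies and embeds the hidden value in the page
$resp   = (New-SiteRequest $formUrl 'GET').GetResponse()
$reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
$html   = $reader.ReadToEnd()
$reader.Close(); $resp.Close()

# 2. Parse the hidden field (this pattern assumes name="..." appears before value="...")
$pattern = '<input[^>]*name="' + [regex]::Escape($fieldName) + '"[^>]*value="([^"]*)"'
if ($html -notmatch $pattern) { throw "Hidden field '$fieldName' not found in the form" }
$value = [System.Net.WebUtility]::HtmlDecode($Matches[1])

# 3. POST the value back as URL-encoded bytes, reusing the cookie jar
$body  = "$fieldName=" + [uri]::EscapeDataString($value)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($body)
$post  = New-SiteRequest $postUrl 'POST'
$post.ContentType   = 'application/x-www-form-urlencoded'
$post.ContentLength = $bytes.Length
$stream = $post.GetRequestStream()
$stream.Write($bytes, 0, $bytes.Length)
$stream.Close()

$result = $post.GetResponse()                         # a 4xx/5xx status throws a WebException here
'{0} {1}' -f [int]$result.StatusCode, $result.StatusDescription
$result.Close()
```

The per-request `ServerCertificateValidationCallback` property requires .NET Framework 4.5 or later; the process-wide `ServicePointManager` callback affects every connection in the session, which is why it is not used here.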

Thanks to Captain Abstraction for breaking this whole thing down and making it way easier to understand than most of the webpages I visited.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, and holds a number of certifications, including those relating to SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.
