Fixed a Bug in Client REST API

September 6th, 2011

A bug reported by the open source VI Java API community came to my attention. It's related to the Client REST API, which is a powerful hack on top of the vSphere MOB based on a little secret. Starting with vSphere 4.1 Update 1, calling a method through the REST API breaks, while retrieving properties continues to work.

It turns out that, for better security (CSRF protection), a new hidden input field was added to the form that submits a method call to the server. The hidden field is as follows:

<input name="vmware-session-nonce" type="hidden" value="52f3d5cc-5664-6d09-cd3a-73869a2de488">

When the form is submitted back, this field must be included like any other parameter. If it's missing, the server complains and nothing gets done:

Server returned HTTP response code: 403 for URL: https://<ip>/mob/?moid=<vm>&method=rename

Fixing the problem is relatively easy. First, check whether the method call page contains a hidden field called vmware-session-nonce. If it does not exist, just do things as before; otherwise move on to the second step, which is to include the key and value pair in the submission before any other parameters.
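The two steps above, sketched in Python as an added example; this is not the code from the repository mentioned below. The sample pages and the `newName` parameter are constructed for illustration, and fetching the page and sending the POST are left to the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

NONCE_FIELD = "vmware-session-nonce"  # field name given in the post


class _HiddenFieldParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_session_nonce(method_page_html):
    """Step 1: return the nonce from the method call page, or None if absent."""
    parser = _HiddenFieldParser()
    parser.feed(method_page_html)
    return parser.hidden.get(NONCE_FIELD)


def build_method_body(method_page_html, params):
    """Step 2: form body with the nonce placed before all other parameters."""
    fields = []
    nonce = extract_session_nonce(method_page_html)
    if nonce is not None:  # no hidden field on the page: submit as before
        fields.append((NONCE_FIELD, nonce))
    fields.extend(params)
    return urlencode(fields)


# Constructed sample pages (not captured from a real server).
PAGE_WITH_NONCE = (
    '<form method="post"><input name="vmware-session-nonce" type="hidden" '
    'value="52f3d5cc-5664-6d09-cd3a-73869a2de488">'
    '<input name="newName" type="text"></form>'
)
PAGE_WITHOUT_NONCE = '<form method="post"><input name="newName" type="text"></form>'

if __name__ == "__main__":
    for page in (PAGE_WITH_NONCE, PAGE_WITHOUT_NONCE):
        print(build_method_body(page, [("newName", "vm-renamed")]))
```

The nonce value is read from the page fetched for each call rather than hard-coded, so the same code works against servers with and without the hidden field.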

If you are interested in knowing more, check out the code in the code repository.

Once again, I would like to emphasize that this REST API is not an official API. At best, it’s a workable hack.
