Fixed a Bug in Client REST API

A bug came to my attention, reported by the open source VI Java API community. It concerns the Client REST API, a powerful hack built on a little secret of the vSphere Managed Object Browser (MOB). Starting with vSphere 4.1 Update 1, calling a method through the REST API stopped working, while retrieving properties continued to work.

It turns out that, to protect against cross-site request forgery (CSRF), the MOB now adds a hidden input field to the form that submits a method call to the server. The hidden field looks like this:


<input name="vmware-session-nonce" type="hidden" value="52f3d5cc-5664-6d09-cd3a-73869a2de488">

When the form is submitted back, this field must be included like any other parameter. If it is missing, the server rejects the request with a 403 and the method is never invoked:

Server returned HTTP response code: 403 for URL: https://<ip>/mob/?moid=<vm>&method=rename

The fix is relatively easy. First, check whether the method-call page contains a hidden field named vmware-session-nonce. If it does not, proceed exactly as before; otherwise, include the name/value pair in the submission ahead of the other parameters. Because the value can change from one session to the next, read it fresh from the method page on each call rather than hard-coding it.
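The two-step fix described above, as an added example that is not the Client REST API's own code: it scrapes the hidden vmware-session-nonce field from a MOB method page with the standard library HTML parser, and builds the form body with the nonce placed ahead of the method parameters, falling back to the pre-4.1U1 behaviour when the field is absent. The two sample pages are constructed for this example (the nonce value is the one shown in the post), and the invoke_method helper, the moid vm-123 and the newName parameter are illustrative assumptions rather than anything the post specifies.

```python
"""Scrape the MOB CSRF nonce and include it in a method-call POST.

Added example; not the Client REST API's own code.  Uses only the Python
standard library so the parsing and body-building parts run offline.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, urlencode
from urllib.request import Request

NONCE_FIELD = "vmware-session-nonce"


class _HiddenFieldParser(HTMLParser):
    """Collects every <input type="hidden"> name/value pair on the page.

    Attribute order and self-closing tags don't matter: HTMLParser hands us
    the attribute list for <input ...> and <input ... /> alike.
    """

    def __init__(self) -> None:
        super().__init__()
        self.hidden: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and "name" in a:
            self.hidden[a["name"]] = a.get("value", "")


def find_session_nonce(page_html: str) -> Optional[str]:
    """Step 1: return the nonce if the method page carries one, else None
    (pages from builds before 4.1 Update 1 have no such field)."""
    p = _HiddenFieldParser()
    p.feed(page_html)
    p.close()
    return p.hidden.get(NONCE_FIELD)


def build_method_post(page_html: str, params: List[Tuple[str, str]]) -> str:
    """Step 2: build the URL-encoded POST body for a MOB method call.

    If the page contains the nonce it goes first, ahead of the method
    parameters; otherwise the body is just the parameters, as before.
    """
    nonce = find_session_nonce(page_html)
    fields = list(params)
    if nonce is not None:
        fields.insert(0, (NONCE_FIELD, nonce))
    return urlencode(fields)


def invoke_method(opener, base_url: str, moid: str, method: str,
                  params: List[Tuple[str, str]]) -> bytes:
    """Assumed helper: GET the method page, pick up the nonce if present,
    then POST the call to the same URL.  `opener` is a
    urllib.request.OpenerDirector that already holds the MOB session
    (HTTP Basic auth handler or a cookie jar from a prior login).
    Without the nonce the server answers 403, which urllib raises as HTTPError.
    """
    url = f"{base_url}/mob/?moid={quote(moid)}&method={quote(method)}"
    with opener.open(url) as resp:
        page = resp.read().decode("utf-8", "replace")
    body = build_method_post(page, params).encode("ascii")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener.open(req) as resp:
        return resp.read()


# Constructed sample of a MOB method page from 4.1 Update 1 or later.
# The nonce value is the one shown in the post; moid/method are made up.
PAGE_WITH_NONCE = """
<html><body>
<form method="post" action="?moid=vm-123&amp;method=rename">
  <input name="vmware-session-nonce" type="hidden" value="52f3d5cc-5664-6d09-cd3a-73869a2de488">
  <table><tr><td>newName</td><td><input name="newName" type="text"></td></tr></table>
  <input type="submit" value="Invoke Method">
</form></body></html>
"""

# Constructed sample of an older method page: same form, no nonce field.
PAGE_WITHOUT_NONCE = """
<html><body>
<form method="post" action="?moid=vm-123&amp;method=rename">
  <table><tr><td>newName</td><td><input name="newName" type="text"></td></tr></table>
  <input type="submit" value="Invoke Method">
</form></body></html>
"""

if __name__ == "__main__":
    print(build_method_post(PAGE_WITH_NONCE, [("newName", "web 01")]))
    print(build_method_post(PAGE_WITHOUT_NONCE, [("newName", "web 01")]))
```

The parser collects all hidden fields rather than only the nonce, so any future hidden field the MOB adds can be forwarded the same way; the GET-then-POST round trip in invoke_method is what keeps the nonce fresh per call.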

If you are interested in the details, check out the code in the repository.

Once again, I would like to emphasize that this REST API is not an official API. At best, it is a workable hack.




    Me: Steve Jin, VMware vExpert, who authored VMware VI and vSphere SDK (Prentice Hall) and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, and VMware are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.