Consuming Hidden WCF RIA Services

A Silverlight application made it to my desk yesterday, an application that consumed a remote WCF RIA service running on a Microsoft IIS. The service did not provide a public API, nor did disassembly with dotPeek help get the service manifests to construct a WCF client with. WSDL files weren’t exposed either. A new, custom client was to be written by reverse engineering what was available without any fancy configurations.

Consuming Hidden WCF RIA Services

A bit of Wiresharking around and the protocol details became exposed for some low-level replication. The payloads were encoded, and the Content-Type> header hinted at application/msbin1, which made it pretty clear that it was in .NET Binary Format. Decoding was simple by switching to Fiddler and a WCF Binary Inspector. Having retrieved the payloads sending binary to the private service was quite straight-forward in C#.

...

using System.Xml;
using System.Net;

...

/* Write .NET Binary XML */
System.IO.Stream s = new System.IO.MemoryStream();           
XmlWriter binarywriter = XmlDictionaryWriter.CreateBinaryWriter(s);

binarywriter.WriteStartElement("Action1", "https://tempuri.org/");
...
binarywriter.Flush();

s.Seek(0, System.IO.SeekOrigin.Begin);
byte[] b = new byte[s.Length];
s.Read(b, 0, (int)s.Length);

HttpWebRequest request = (HttpWebRequest)WebRequest.Create("hidden.svc/binary/Action1");
request.Method = "POST";
request.ContentType = "application/msbin1";
request.GetRequestStream().Write(b, 0, b.Length);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();

/* Read .NET XML */
b = new byte[response.ContentLength];
response.GetResponseStream().Read(b, 0, b.Length);

XmlReader binaryreader = XmlDictionaryReader.CreateBinaryReader(b, XmlDictionaryReaderQuotas.Max);
XmlDocument xdoc = new XmlDocument();
xdoc.Load(binaryreader);
...

Needs the System, System.Net, System.Runtime.Serialization and System.XML assemblies.

To consume hidden WCF RIA services on other platforms check out xml2wcf.py