Consuming Hidden WCF RIA Services
A Silverlight application made it to my desk yesterday, an application that consumed a remote WCF RIA service running on Microsoft IIS. The service did not provide a public API, nor did disassembly with dotPeek yield the service manifests needed to construct a WCF client. WSDL files weren't exposed either. A new, custom client was to be written by reverse engineering what was available without any fancy configurations.
A bit of Wiresharking around and the protocol details were exposed well enough for some low-level replication. The payloads were encoded, and the Content-Type header hinted at application/msbin1, which made it pretty clear that it was in .NET Binary Format. Decoding was simple after switching to Fiddler and a WCF Binary Inspector. Having retrieved the payloads, sending binary to the private service was quite straightforward in C#.

    ...
    using System.Xml;
    using System.Net;
    ...
    /* Write .NET Binary XML */
    System.IO.Stream s = new System.IO.MemoryStream();
    XmlWriter binarywriter = XmlDictionaryWriter.CreateBinaryWriter(s);
    binarywriter.WriteStartElement("Action1", "https://tempuri.org/");
    ...
    binarywriter.Flush();
    s.Seek(0, System.IO.SeekOrigin.Begin);
    byte[] b = new byte[s.Length];
    s.Read(b, 0, (int)s.Length);

    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("hidden.svc/binary/Action1");
    request.Method = "POST";
    request.ContentType = "application/msbin1";
    /* Dispose the request stream so the body is complete before reading the response */
    using (System.IO.Stream body = request.GetRequestStream())
        body.Write(b, 0, b.Length);
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();

    /* Read .NET XML */
    /* One Read() call may return fewer bytes than asked for, and ContentLength
       is -1 on chunked responses, so copy the stream until it ends */
    System.IO.MemoryStream ms = new System.IO.MemoryStream();
    response.GetResponseStream().CopyTo(ms);
    b = ms.ToArray();
    /* Quotas.Max lifts every reader limit; use tighter quotas for a server you do not trust */
    XmlReader binaryreader = XmlDictionaryReader.CreateBinaryReader(b, XmlDictionaryReaderQuotas.Max);
    XmlDocument xdoc = new XmlDocument();
    xdoc.Load(binaryreader);
    ...

To consume hidden WCF RIA services on other platforms, check out xml2wcf.py.
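
For inspecting a captured application/msbin1 body without Fiddler, here is an added example (not code from the original post and not xml2wcf.py) that walks the record layout documented in [MC-NBFX]. It covers only dictionary-free records: short element, attribute and xmlns names plus constant, integer and UTF-8 text records. The function names and the sample bytes are constructed for illustration.

```python
NAMED = {0x40: "element", 0x04: "attribute", 0x08: "xmlns"}   # Short* records
CONST = {0x80: "0", 0x82: "1", 0x84: "false", 0x86: "true", 0xA8: ""}
WIDTH = {0x88: 1, 0x8A: 2, 0x8C: 4, 0x8E: 8,   # Int8/16/32/64Text
         0x98: 1, 0x9A: 2, 0x9C: 4}            # Chars8/16/32Text length field
# Constructed sample body (hand-assembled, not captured traffic).
SAMPLE = (b"\x40\x07Action1\x08\x14https://tempuri.org/"
          b"\x40\x04name\x99\x03bob\x40\x05count\x89\x2a\x01")

def take(buf, pos, n):  # bounds-checked read: lengths come from the wire
    if pos + n > len(buf):
        raise ValueError(f"truncated record at offset {pos}")
    return buf[pos:pos + n], pos + n

def read_string(buf, pos):  # MultiByteInt31 length (7 bits/byte, low first) + UTF-8
    n = 0
    for shift in range(0, 35, 7):
        (b,), pos = take(buf, pos, 1)
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            raw, pos = take(buf, pos, n)
            return raw.decode("utf-8"), pos
    raise ValueError("length prefix longer than 5 bytes")

def read_text(buf, pos):  # one text record -> (value, closes_element, next_pos)
    (rec,), pos = take(buf, pos, 1)
    kind, closes = rec & 0xFE, bool(rec & 1)   # odd type = "...WithEndElement"
    if kind in CONST:
        return CONST[kind], closes, pos
    if kind not in WIDTH:
        raise ValueError(f"unsupported record 0x{rec:02X} at offset {pos - 1}")
    raw, pos = take(buf, pos, WIDTH[kind])
    num = int.from_bytes(raw, "little", signed=kind < 0x98)
    if kind >= 0x98:                           # Chars*: num is a byte length
        raw, pos = take(buf, pos, num)
    return (raw.decode("utf-8") if kind >= 0x98 else str(num)), closes, pos

def records(buf):  # (kind, value) events; an attribute's value follows as "text"
    out, pos = [], 0
    while pos < len(buf):
        rec = buf[pos]
        if rec in NAMED:
            name, pos = read_string(buf, pos + 1)
            out.append((NAMED[rec], name))
        elif rec == 0x01:                      # EndElement
            out.append(("end", ""))
            pos += 1
        else:
            value, closes, pos = read_text(buf, pos)
            out += [("text", value)] + [("end", "")] * closes
    return out
```

Dictionary-based records (for example 0x42) are rejected with a ValueError rather than guessed at, since resolving them needs the string table shared by both endpoints.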