I try to use Static or Dynamic File Analysis APIs (https://api.labs.sophos.com/doc/analysis/file/static), but always get a response: BAD REQUEST
Here are my examples of request and exception:
$headers
Name Value
---- -----
Authorization <Auth token>
Content-Type multipart/form-data
$formData
Name Value
---- -----
file C:Tempmexnixzv.gskoutlook.exe
name file
filename outlook.exe
report_format json
$uri
https://de.api.labs.sophos.com/analysis/file/static/v1/
Invoke-WebRequest -URI $uri -Method POST -Headers $headers -Form $formData -UseDefaultCredentials
$_.Exception
Response : StatusCode: 400, ReasonPhrase: 'BAD REQUEST', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Connection: keep-alive
Date: Wed, 25 Sep 2024 07:16:05 GMT
Access-Control-Allow-Headers: Authorization, X-Correlation-ID, *
Server: Sophos Intelix
Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Request-ID: db629807-65b5-4937-940e-0e62bd548320
X-Rate-Limit-Value: 30
X-Rate-Limit-Period: 60
X-Rate-Limit-Requests-Left: 29
X-Rate-Limit-End: 0.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
X-Cache: Error from cloudfront
Via: 1.1 cf058b286fa80390c08073fa68269f12.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: TXL50-P1
X-Amz-Cf-Id: 5vr6sgHb7DeHswIg9F9WAqwzhSesGbw8CvudJEqP7husRI2gKUKVIg==
Content-Type: application/json
Content-Length: 120
}
HttpRequestError : Unknown
StatusCode : BadRequest
TargetSite : Void ThrowTerminatingError(System.Management.Automation.ErrorRecord)
Message : Response status code does not indicate success: 400 (BAD REQUEST).
Data : {}
InnerException :
HelpLink :
Source : System.Management.Automation
HResult : -2146233088
StackTrace : at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
I have tried different file formats (excel, csv, jpg), different sizes (several MB and a few bytes) and different methods (PowerShell, curl, directly on the website https://api.labs.sophos.com/doc/analysis/file/static). The response is always the same: 400, BAD REQUEST
What am I doing wrong or is something broken on the API side?
mvdtm is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I’m afraid your request is malformed. I would do the submission workflow like this:
param(
[Parameter(Position=0, Mandatory=$true)]
[string]$filePath,
[Parameter(Position=1, Mandatory=$true)]
[string]$clientId,
[Parameter(Position=2, Mandatory=$true)]
[string]$clientSecret,
[Parameter(Position=3)]
[string]$authEndPoint = 'https://api.labs.sophos.com/oauth2/token',
[Parameter(Position=4)]
[string]$submissionEndPoint = 'https://de.api.labs.sophos.com/analysis/file/static/v1/'
)
$ErrorActionPreference = 'Stop'
$resp = Invoke-RestMethod `
-Uri $authEndPoint `
-Method Post `
-Headers @{
'Content-Type'='application/x-www-form-urlencoded';
'Authorization'="Basic $([Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($clientId + ':' + $clientSecret)))"
} `
-Body 'grant_type=client_credentials'
$boundary = [Guid]::NewGuid().ToString()
$resp = Invoke-RestMethod `
-Uri $submissionEndPoint `
-Method Post `
-Headers @{
'Content-Type'="multipart/form-data; boundary=$boundary";
'Authorization'=$resp.access_token
} `
-Body @"
--$boundary
Content-Disposition: form-data; name="file"; filename="$([IO.Path]::GetFileName($filePath))"
Content-Type: application/octet-stream
$([IO.File]::ReadAllBytes($filePath))
--$boundary--
"@
Write-Host $resp
Dénes Solti is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Thank you for your answer here. Unfortunately, that didn’t solve my problem, but it pointed me in the right direction. For whatever reason, the data sent using your script has different sha256 values on both sides. But I found a good example in the Microsoft documentation: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4#example-5-submit-a-multipart-form-data-file
And here is the code that works for me:
param(
[Parameter(Mandatory=$true)]
[string]$filePath,
[Parameter(Mandatory=$true)]
[string]$sessionToken
)
$fieldName = 'file'
$contentType = 'application/octet-stream'
$headers = @{
Authorization = $sessionToken
"Content-Type" = "multipart/form-data"
}
$FileStream = [System.IO.FileStream]::new($filePath, [System.IO.FileMode]::Open)
$FileHeader = [System.Net.Http.Headers.ContentDispositionHeaderValue]::new('form-data')
$FileHeader.Name = $fieldName
$FileHeader.FileName = Split-Path -leaf $filePath
$FileContent = [System.Net.Http.StreamContent]::new($FileStream)
$FileContent.Headers.ContentDisposition = $FileHeader
$FileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse($contentType)
$MultipartContent = [System.Net.Http.MultipartFormDataContent]::new()
$MultipartContent.Add($FileContent)
try {
# send request
$response = Invoke-WebRequest -URI $uri -Method POST -Headers $headers -Body $MultipartContent
} catch {
$statusCode = [int]$_.Exception.Response.StatusCode
}
mvdtm is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.