Forum Discussion

notdosom's avatar
notdosom
Copper Contributor
Apr 23, 2024

Invoke-Webrequest using secure string

Hello everyone, here is my question, I can't find anything online nor will AI help me (Might be my fault tho) So I want to use some Invoke-Webrequest cmdlts, but I first have to login to the websit...
Invoke-WebRequest
Secure Store
Windows PowerShell
LainRobertson's avatar
LainRobertson
Silver Contributor
Apr 29, 2024

notdosom 

 

Hi, Dominik.

 

It's important to note that a secure string cannot be sent from one machine to another. You can only decrypt a secure string locally on the machine that created the secure string.

 

So, if the system hosting the web application is also creating the secure string containing the password and wants to send that password to another server, it will have to send the plain text version.

 

If the web application is sending the password to another local process running on the same system, you could send it, but it's complicated and - depending on the implementation - comes with the risk of memory leaks (as some unmanaged buffer work is involved where you're responsible for the memory allocation and clean-up).

 

Here's an example of the first approach, where you leverage the [pscredential] type to do all the hard work of the latter approach for you to get the plain text version of the password stored in the secure string.

 

 

I'm not particularly convinced there's much point in storing the encrypted password in memory only to transmit the plain text password over the network (where you'd hopefully be utilising and TLS connection) but that's a judgement call only you can make.

 

Cheers,

Lain

Resources