Hikvision url authorization with credentials?

[DDD1]

Hi,

I've now read the complete internet on how to send username and password to a Hikvision camera to get the MJPEG stream, and I can't figure out a working soution.

Alternative 1:
Some of the pages (including Hikvisions own manual) state that the format should be like this

http://user:password@IP-address/ISAPI/Streaming/channels/101/httppreview

But embedded credentials doesn't work in Chrome any more (Drop support for embedded credentials in subresource requests. - Chrome Platform Status)

Alternative 2:
I found this here: Hikvision cameras for action tiles / ActionTiles Forum / AT Support & Ideas
You are supposed to put the user : password as a base64 encoded string at the end of the url, like this:

http://IP-address/ISAPI/Streaming/channels/101/httppreview?auth=SOME_BASE64_STRING

But this was part of an exploit where you could gain access to the cameras by using a version of this method, so Hikvision has removed this way of auth in later firmwares.

So how do I get my chromium based display software to send the credentials without putting together a javascript to handle it?
Help very much appreciated

 

[SamM]

With option 1,

try NACL plugin

NACL Web Plug-in

Web Plugin Team

chrome.google.com

 

[DDD1]

Thank you for responding.
But I can't install any plugins on my Android unit where I need to access the camera streams. It is running a chromium based software.

 

[chaosengine]

http://xyz:abc@x.x.x.x/ISAPI/Streaming/channels/102/httpPreview

Works for me - tested only substream and substream needs to be set to MJPEG.

Google Chrome Version 83.0.4103.116 (Official Build) (64-bit) - This is Desktop Version, Android also works but shows only a still image.

 

[DDD1]

When I try that and look at the chrome debug terminal (on my computer Version 83.0.4103.116) i get this:
[Deprecation] Subresource requests whose URLs contain embedded credentials (e.g. https://user:pass@host/) are blocked.
See Drop support for embedded credentials in subresource requests. - Chrome Platform Status for more details.

It works if I start by signing in to the camera in the browser. So it's not the link...

 

[DDD1]

Bumping one time, before I give it a rest.
I cant belive that I am the only one struggling with this.

 

[TonyR]

Bumping one time, before I give it a rest.
I cant belive that I am the only one struggling with this.

I don't have a Hikvision or compatible product but having been around the forum since 2014 I recall reading about issues with authentication. Try setting both "WEB" and "RTSP" authentication to "digest/basic", on a similar configuration menu to below.

__

 

[DDD1]

Hi, thank you for responding.
You are correct that the device needs to have basic authentication enabled (it's done on my devices) for this to work. But my issue is that chrome seems to have disabled this method...

 

[TonyR]

Hi, thank you for responding.
You are correct that the device needs to have basic authentication enabled (it's done on my devices) for this to work. But my issue is that chrome seems to have disabled this method...

Maybe it has something to do with clearing basic authentication details in Chrome. I found the 2 suggestions below at stackoverflow, you have nothing to lose to try either or both (CREDIT TO THE AUTHORS):

1) "...In Chrome open an incognito window Ctrl+Shift+n each time you are doing a test. The incognito window will not remember the username and password the last time you entered. To use this trick, make sure to close all incognito windows. All incognito windows share the same cache. In other words, you cannot open multiple independent incognito windows. If you login in one of them and open another one, those two are related and you will see that the new window remembers the authentication information from the first window."

2) "...In Chrome, restart apps and clear the Auth password cache. Type chrome:/restart in the address bar and chrome, with all its apps that are running in background, will restart and the Auth password cache will be cleaned."

 

[mattcaves]

Hi DDD1,

I am also having this issue, tried lots of things...

I'm writing some software with Python/Flask to view the camera feeds on a webpage.

As you've found, it works if I sign into the camera on the main login page, as it seems to authorize it then. Although if I login on one browser and try to connect to the stream on another it doesn't work, so it must be linked to the browser (cookies perhaps?)

I thought of doing an authorization using /ISAPI/Security/userCheck and then trying the .../httpPreview, but that doesn't seem to work.

I've also tried some JS to add the auth headers (as below), that doesn't work either as there is a Cross-Origin Resource Sharing (CORS) issue!

  var xhr = new XMLHttpRequest();
  xhr.responseType = 'blob'; /so you can access the response like a normal URL
  xhr.onreadystatechange = function () {
      if (xhr.readyState == XMLHttpRequest.DONE && xhr.status == 200) {
          var img = document.createElement('img');
          img.src = URL.createObjectURL(xhr.response); /create <img> with src set to the blob
          document.body.appendChild(img);
      }
  };

  / automatically play the first video when page is loaded
  window.addEventListener('DOMContentLoaded', function() {
    xhr.open('GET', 'http://192.168.1.100/ISAPI/Streaming/channels/102/httpPreview', true);
    xhr.setRequestHeader('Authorization', 'Basic VTRtWa46ZdYyVVltZkhpa1pEemLs');
    xhr.send();
  }, false);

There is prehaps a way to do it with Flask acting a proxy, but that isn't ideal as there is some processing being done by the server then, instead of just streaming straight from the camera...

I'm going to keep trying, I'll let you know if I find a way!

Cheers,

Matt

 

[DDD1]

I can't believe that more people doesn't have this problem.
Let's hope for a solution!

 

[vyktormvmpay25]

I have turbo dvr 4.0 and yes I have same problem.. I only needed to use http in order to stream direct to obs studio as that is not suport rtsp links.
Now that I have found my way to stream not being interested to get it working on http because I get only low quality of video.
Over an year trying to get http working.
At the first installation was working.
After few months didn't anymore.
Tried everything and seems that option has been removed/not compatible anymore with new Internet patches/updates.

Service Repair ps4-ps3-xboxone-x360

https://www.twitch.tv/victormures

www.youtube.com

 

[DDD1]

My interest in this is to be able to display CCTV video and pictures on a low spec tablet that's using a chromium based browser in my home automation system.

 

[DDD1]

Anyone tried the digest way of authorization?

 

[mattcaves]

Anyone tried the digest way of authorization?

Yep, I've tried in my Python (see below) and I get a '200 - OK' response back, if I change the password to an incorrect one I get a '401 - Unauthorized' back, so it looks to be working.

    parsed_url = urlparse(url)
    username = parsed_url.username
    password = parsed_url.password
    url_without_credentials = (
        parsed_url.scheme + ':/' +
        parsed_url.hostname + '/ISAPI/Security/userCheck')
    print(url_without_credentials)
    try:
        r = requests.get(
            url_without_credentials,
            auth=HTTPDigestAuth(username, password),
            timeout=0.5)
        except Exception as e:
            print(e)
            else:
                print(r)

I did some more tests in Chrome, if I have a web page with an <img> tag and http://192.168.1.100/ISAPI/Streaming/channels/102/httpPreview as the src at first the stream isn't displayed. If I open another tab and browse to http://192.168.1.100/ISAPI/Security/userCheck, enter the username and password in the popup, then refresh the original <img> page, the stream is displayed fine. It also keeps streaming indefinitely, until you leave/come back to the page and then you have to re-authorize.

There seem to be no cookies involved (I had a look in the debug, nothing is saved locally on the web browser), so the cam must be recognizing it as a session itself with the /userCheck and not requiring a subsequent login with the stream.

I've tried pre-authorizing with the above code in my Python, but it doesn't seem to work, probably because the browser itself isn't doing the auth, so I tried authorizing with the JS I posted above in the browser, but then I run into the CORS issue!

It's really frustrating to say the least!

I think I may just have to proxy the streams through Flask, not ideal, but I think it's the only way...

Cheers,
Matt

 

[mattcaves]

After a bit more research today, the only way I've found to do it is by proxy. Someone has conveniently made a Docker image using Python/Flask for this task!

jantman/python-amcrest-noauth-proxy

I've tried it, it works well, no lag that I can see. On my i5-7600K it's using 2.5%-5% CPU, so not sure how it'll go with 20 cams, but we'll see!

Cheers,
Matt

 

[mattcaves]

Hi G-Man, it looks like this way used to work, but they've disabled it in the later firmware as it was considered an exploit, see DDD1's first post:

Alternative 2:
I found this here: Hikvision cameras for action tiles / ActionTiles Forum / AT Support & Ideas
You are supposed to put the user : password as a base64 encoded string at the end of the url, like this:

http://IP-address/ISAPI/Streaming/channels/101/httppreview?auth=SOME_BASE64_STRING

But this was part of an exploit where you could gain access to the cameras by using a version of this method, so Hikvision has removed this way of auth in later firmwares.

edit:
It may be working for you as you are authorizing the camera first, once you have authorized once in the browser it will work after that.
Try it in a private/incognito window and see if it works, this doesn't for me unfortunately.

 

[memme]

I am using the ISAP stream to get the picture like and running into CORS error on all Browser except Firefox:

<?php header('Access-Control-Allow-Origin: *'); ?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Unbenanntes Dokument</title>
</head>

<body>
<h2>1.</h2> <img src="http://username:password@192.168.1.5/ISAPI/Streaming/Channels/102/picture" />


</body>
</html>

Even when I try to send the CORS header it still does not display the image. Why?

 

[trempa92]

I never had problem using digest auth and C#. Never really used browser with credentials and basic auth.

one of GET request is to check if device is online fetching capability node

var isonline = $"http://{ipAddress}:{port}/ISAPI/System/capabilities";

 public static async Task<bool> PerformOnlineCheck(string url, string username, string password)
        {

            var timeout = TimeSpan.FromSeconds(5);
            try
            {
                CredentialCache credentialCache = new();
                credentialCache.Add(new Uri(url), "Digest", new NetworkCredential(username, password));

                using var httpClientHandler = new HttpClientHandler { Credentials = credentialCache };
                using var httpClient = new HttpClient(httpClientHandler) { Timeout = timeout };

                httpClient.DefaultRequestHeaders.Accept.Clear();
                httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

                var response = await httpClient.GetAsync(url);            

                if (response.Content != null)
                {
                    string responseContent = await response.Content.ReadAsStringAsync();
                }

                return response.IsSuccessStatusCode;
            }
            catch (HttpRequestException ex)
            {
                Console.Error.WriteLine($"HttpRequestException: {ex.Message}");
                if (ex.InnerException != null)
                    Console.Error.WriteLine($"Inner Exception: {ex.InnerException.Message}");
                return false;
            }
            catch (TaskCanceledException ex)
            {
                Console.Error.WriteLine("The request was canceled, this usually indicates a timeout.");
                Console.Error.WriteLine($"TaskCanceledException: {ex.Message}");
                return false;
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine($"An error occurred: {ex.Message}");
                return false;
            }
     
        }