ActiumDev/dcs-webgui-python

Python Client for DCS Server WebGUI

Experimental Python module that implements an asyncio client API and CLI for the DCS World Dedicated Server (DCS_server.exe) WebGUI. It supports most WebGUI functions (start missions, pause/resume the server, send/receive chat messages, list/kick/ban players, etc.). For a complete list of currently implemented WebGUI commands and example JSON-encoded return values, see webgui_uris.json. Both the API and the CLI support local use as well as remote use over a suitably configured tunnel or reverse HTTP(S) proxy.

CLI Usage

git clone https://github.com/ActiumDev/dcs-webgui-python.git dcs_webgui
python3 -m dcs_webgui --help
python3 -m dcs_webgui --webgui-url http://127.0.0.1:8088 raw '{"uri": "getMissionInfo"}'
python3 -m dcs_webgui --webgui-url https://127.0.0.1:8443/DCS.server1/WebGUI startMission 42
python3 -m dcs_webgui request getPlayers
python3 -m dcs_webgui request kickPlayer 42 "optional reason"

API Usage

# clone repository or add as submodule to existing repo:
# git clone https://github.com/ActiumDev/dcs-webgui-python.git dcs_webgui
# git submodule add https://github.com/ActiumDev/dcs-webgui-python.git dcs_webgui

import asyncio
import dcs_webgui

webgui = dcs_webgui.AsyncClient("http://127.0.0.1:8088")
print(asyncio.run(webgui.getMissionInfo()))

Disclaimer and Technical Details

This software is neither reverse engineered nor does it expose any WebGUI vulnerabilities.

The communication between the WebGUI client (WebGUI/js/app.js) and server (bin/DCS_server.exe) is encrypted. However, the encryption key is publicly accessible (webKey:"DigitalCombatSimulator.com" in WebGUI/js/app.js). All further encryption details are easily ascertained by trial and error based on educated guesses. The key derivation algorithm is SHA256, the encryption algorithm is AES, and the block cipher mode is CBC, which are all very straightforward choices. Therefore, this constitutes neither reverse engineering nor exposing security by obscurity.

The DCS_server.exe built-in webserver listens globally on *:8088 or any other webgui_port configured in autoexec.cfg. It accepts remote connections, because it does not bind to localhost (127.0.0.1:8088). However, it refuses requests that do not originate locally with HTTP status code 422 Unprocessable Entity, unless they use a different, secret, and presumably random encryption key securely negotiated with the DCS master server. Consequently, this client can only be used to control a local DCS_server.exe instance. This includes remote instances if the request appears to originate locally, e.g., through transparent port-forwarding or a reverse HTTP proxy that tunnels the request to the DCS_server.exe instance.

To reiterate, the DCS_server.exe WebGUI is not generally remotely accessible or exploitable.
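Because the webserver binds to all interfaces rather than to localhost, an operator may want to confirm which addresses the WebGUI port is actually listening on before deciding on firewall rules. The following Python function is an added example, not part of this repository's code: it classifies listeners found in Windows `netstat -ano -p TCP` output, and the sample output, PIDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -ano -p TCP` output (PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:8088           0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:8443         0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:50512     203.0.113.7:443        ESTABLISHED     6600
  TCP    [::]:8088              [::]:0                 LISTENING       7312
"""


def split_endpoint(endpoint):
    """Split '0.0.0.0:8088' or '[::]:8088' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)


def classify_listeners(netstat_text, webgui_port=8088):
    """Return (exposed, local_only) lists of (address, pid) for webgui_port.

    A listener counts as exposed when it is bound to anything other than a
    loopback address, i.e. the wildcard address or a specific interface.
    """
    exposed, local_only = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows for TCP listeners have exactly five columns.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, port = split_endpoint(fields[1])
        if port != webgui_port:
            continue
        entry = (str(addr), int(fields[4]))
        (local_only if addr.is_loopback else exposed).append(entry)
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = classify_listeners(SAMPLE_NETSTAT)
    for addr, pid in exposed:
        print(f"WebGUI port reachable from the network: {addr} (PID {pid})")
    for addr, pid in local_only:
        print(f"WebGUI port bound to loopback only: {addr} (PID {pid})")
```

An exposed listener here means the port is reachable from the network and the only barrier is the server's own locality check, so a host firewall rule restricting the port is the complementary control.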

Development

The list of WebGUI commands in webgui_uris.json is generated automatically by an HTTP proxy that forwards incoming requests to a local WebGUI server. Additionally, it decrypts all forwarded WebGUI requests and adds them to the above JSON file. Some commands are still missing. Feel free to use the WebGUI through the proxy to extend webgui_uris.json, then run codegen.py, add the new function definitions to client.py, and finally submit a pull request.

This is experimental software. It should do what it's supposed to, but it comes without any compatibility or support promises. Feedback is welcome, but don't expect active development. The current state is more or less feature complete for the author's use case.

About

Python API for the DCS World Dedicated Server WebGUI
