6. The control must implement IObjectWithSite or IOleObject.
7. Link the control with urlmon.lib and wininet.lib.
A better, more thorough step-by-step process is provided by Microsoft in SiteLock.h, which should be
used for the actual implementation procedure.
Not Signing ActiveX Controls
ActiveX controls should be signed; this allows users to determine whether the binary
installed on their machines actually came from the correct source. When an ActiveX
control is digitally signed, users can verify that the control has not been modified, tampered
with, or changed in transit or since it was released. Unsigned ActiveX controls offer no
guarantee of the source, nor do they indicate whether the controls are tamper free. This
becomes significantly more important as third parties either host or place content on
a site that is not from the original source, such as web applications that host advertisements
on their site from third-party publishers.
204 Hacking Exposed Web 2.0
Signing ActiveX Software
If an organization uses ActiveX controls to download and install software, the control
should install only executables or cabinet (cab) files that have been signed by the
organization's signing key.
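The policy above, sketched as a pre-install gate in PowerShell. This is an added example, not code from the book or from Microsoft; the function name `Test-OrgSignedFile`, the sample path, and the all-zero thumbprint are placeholders chosen for illustration. It shows that a valid Authenticode signature alone is not sufficient: the signer must also be the organization's own certificate.

```powershell
# Added example: accept a downloaded .exe/.cab only if its Authenticode
# signature is valid AND it was produced by the organization's signing key.
# The thumbprint is a placeholder; substitute the real certificate's value.
$TrustedThumbprints = @('0000000000000000000000000000000000000000')

function Test-OrgSignedFile {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted. NotSigned, HashMismatch, NotTrusted and the other
    # statuses are all rejected here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Rejected ($($sig.Status)): $Path"
        return $false
    }

    # A valid signature from some other publisher is not enough:
    # pin the signer to the organization's certificate.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($AllowedThumbprint -notcontains $thumb) {
        Write-Warning "Rejected (unexpected signer $thumb): $Path"
        return $false
    }
    return $true
}

# Gate the install step on the check (constructed sample path).
$package = 'C:\Temp\update.cab'
if (Test-OrgSignedFile -Path $package -AllowedThumbprint $TrustedThumbprints) {
    Write-Output "Signature OK, proceeding with install of $package"
} else {
    Write-Output "Refusing to install $package"
}
```

Inside a native control, the same two checks (signature validity, then signer identity) would be made before any downloaded file is executed or extracted.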