Testing Tips

Use the tips below to help you remember key points from the chapter as you examine your control for security defects:

  • Never assume anything about your ActiveX control. Use the techniques and tools presented in this chapter to assess whether malicious HTML can repurpose your control to cause problems.

  • For controls marked safe for scripting or safe for initialization, walk through each persistent property, nonpersistent property, method, and event to see whether it can be used for any of the following types of abuse:

    • Control should not make damaging system calls or allow arbitrary code to be run.

    • Control should not modify or destroy information on the computer or bypass security settings.

    • Control should not allow access to information about the computer or its user.

    • Control should not give away any other inappropriate information.

    • Control should not be usable to deceive the user.

    • Control should not consume excessive local resources (CPU, memory, disk).

    • Control should not generate a fault that crashes or hangs the browser or operating system.

  • Combine several members, and several controls, to cause problems that no single member causes on its own.

  • Construct test cases that take advantage of exception handling (try-catch), member return values, nested objects, and other tricks to pull off malicious attacks.

  • ActiveX controls are easy to automate by design. Take advantage of that to automatically retest features or functionality of your control where bugs may be reintroduced.
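As an added example, not code from the book or from any real control, the following JavaScript harness puts the tips above into practice: it walks a supplied member list, calls each member with hostile arguments inside try-catch so one failure does not stop the run, records what was accepted, and triages the results so the run can be repeated after every build. The member list, the ProgID and the FakeControl stand-in are constructed for illustration; in Internet Explorer the same harness runs against the real control through new ActiveXObject.

```javascript
// Added example, not code from the book: a JScript/JavaScript harness that
// walks a list of control members, feeds each one hostile arguments inside
// try-catch, and reports what was accepted. In Internet Explorer the control
// comes from new ActiveXObject(progId) (see probeActiveX); here a constructed
// stand-in control (FakeControl) is used so the harness runs outside IE.

// Arguments a repurposing page might pass to any member.
var PAYLOADS = [
  { label: "empty",       value: "" },
  { label: "local-path",  value: "C:\\Windows\\System32\\drivers\\etc\\hosts" },
  { label: "unc-path",    value: "\\\\attacker\\share\\evil.exe" },
  { label: "url",         value: "http://attacker.example/" },
  { label: "long-string", value: new Array(65537).join("A") }, // 65536 chars
  { label: "int-min",     value: -2147483648 },
  { label: "int-max",     value: 2147483647 },
  { label: "null",        value: null }
];
// Payload labels whose silent acceptance deserves a manual look.
var HOSTILE = { "local-path": true, "unc-path": true, "url": true, "long-string": true };

// members: [{ name, kind: "method" | "property" }], taken from the control's
// type library (OLE/COM Object Viewer). The kind is supplied rather than
// detected because JScript does not reliably tell COM methods from properties.
function probeControl(control, members) {
  var report = [];
  for (var i = 0; i < members.length; i++) {
    var m = members[i];
    for (var j = 0; j < PAYLOADS.length; j++) {
      var p = PAYLOADS[j];
      var entry = { member: m.name, kind: m.kind, payload: p.label };
      try {                                   // one failure must not end the run
        if (m.kind === "method") {
          entry.result = control[m.name](p.value);
        } else {
          control[m.name] = p.value;          // hostile write ...
          entry.result = control[m.name];
          entry.stuck = (entry.result === p.value);   // ... did it stick?
        }
        entry.outcome = "ok";
      } catch (e) {
        entry.outcome = "threw";
        entry.error = String(e && e.message ? e.message : e);
      }
      report.push(entry);
    }
  }
  return report;
}

// Triage: a method that ran, or a property that kept its value, when given a
// path, UNC name, URL or oversized string is a repurposing candidate.
function reviewReport(report) {
  var findings = [];
  for (var i = 0; i < report.length; i++) {
    var r = report[i];
    if (r.outcome !== "ok" || !HOSTILE[r.payload]) continue;
    if (r.kind === "method" || r.stuck) findings.push(r);
  }
  return findings;
}

// Internet Explorer entry point; progId is whatever the control under test registers.
function probeActiveX(progId, members) {
  if (typeof ActiveXObject === "undefined") throw new Error("requires IE/JScript");
  return probeControl(new ActiveXObject(progId), members);
}

// Constructed stand-in control with two classic repurposing bugs: a method
// that writes wherever it is told and a method that leaks the user name.
function FakeControl() {
  this.written = [];                          // test-only record of "files" written
  this.LogPath = "C:\\temp\\app.log";
}
FakeControl.prototype.SaveLog = function (path) {
  if (typeof path !== "string" || path === "") throw new Error("E_INVALIDARG");
  this.written.push(path);                    // a real control would open the file here
  return true;
};
FakeControl.prototype.GetUserName = function () { return "alice"; };
var FAKE_MEMBERS = [
  { name: "SaveLog",     kind: "method" },
  { name: "GetUserName", kind: "method" },
  { name: "LogPath",     kind: "property" }
];

// One line per finding: member(payload) -> what came back.
function summarize(findings) {
  var lines = [];
  for (var i = 0; i < findings.length; i++) {
    var f = findings[i];
    lines.push(f.member + "(" + f.payload + ") -> " +
               (f.kind === "method" ? String(f.result) : "write stuck"));
  }
  return lines;
}

if (typeof console !== "undefined") {
  console.log(summarize(reviewReport(probeControl(new FakeControl(), FAKE_MEMBERS))).join("\n"));
}
```

The findings list is only a triage queue: SaveLog accepting a path under the Windows directory is a real bug, while GetUserName returning the same value for every payload points at the information-disclosure item above rather than at argument handling, and each still has to be confirmed by hand. A crash or hang, the last item in the checklist, cannot be caught by try-catch because the browser simply stops; when hunting those, run one member per page and log the member name before each call so the last log line identifies the culprit.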



Hunting Security Bugs
ISBN: 073562187X