The Web Browser Bands were introduced in IE 4.0. They provide a child window (either horizontal or vertical) within the main Explorer window. The Search, History and Favourites bars are examples of such bands.
These bands can be used to customise the explorer, to display information and for taking user input.
a) How they are registered
Bands must be registered as OLE in-process servers that support apartment threading, and the band objects must be registered for the appropriate component category. The category determines the object type and its container: the Vertical Explorer Bar requires registration in CATID_InfoBand and the Horizontal Explorer Bar requires registration in CATID_CommBand.
b) The interfaces they expose
The interfaces a band object must implement are IDeskBand, IObjectWithSite and IPersistStream. We will get into the specifics of interfaces later in the article. If the band object is to accept user input it has to implement IInputObject and for a context menu it has to implement IContextMenu.
About the ATL HTML Control
The HTML control hosts the Internet Explorer WebBrowser control, thus giving you access to the script parsing, rendering and browsing facilities of IE. By default the user interface of the control is provided by the WebBrowser control, which covers the entire area of the control. The UI is rendered based on the HTML included in the resource of your project.
The control exposes two interfaces: one is for the clients of the control, and the other, with a UI suffix, is used to extend the object model of the WebBrowser control (being hosted by our control). Script that can access the object model can also access this interface (as window.external) and call its functions. Your C++ code can access the object model in this function. This communication process can be exploited to accomplish a variety of tasks. For further details on the HTML control, Dr Richard Grimes's book (Professional ATL COM Programming) is the panacea.
For object registration as an in-process server I have used the code provided by ATL. For registering the band object for the category CATID_InfoBand (for the Vertical Explorer Band) I have used the interface ICatRegister exposed by the Component Categories Manager object CLSID_StdComponentCategoriesMgr.
About the Interfaces:
| Interface | Description |
|---|---|
| IObjectWithSite | This is a very critical interface. The explorer calls the IObjectWithSite::SetSite method, passing its site's unknown pointer. The following things are achieved during If the pointer being passed is not NULL then the site is being set; using this pointer I obtain the IOleWindow interface, get the parent window's handle and store it. I then create my HTML control as a child of this window. I store the pointer to the IInputObject site interface for use later. I also obtain a pointer to the IWebBrowser2 interface of IE (the parent) and store it for use later. IObjectWithSite::GetSite wraps a call to the site's QueryInterface. |
| IPersistStream | Since there is no persistent data there is only a minimal implementation of this interface. |
| IDeskBand | This interface inherits from IDockingWindow and IOleWindow. IOleWindow::GetWindow returns the child window handle, and ContextSensitive help is not implemented. IDockingWindow::ShowDW and CloseDW have been implemented, but ResizeBorder is not required to be implemented. IDeskBand::GetBandInfo is used by Explorer to specify the Explorer Bar's identifier and viewing mode. It also may request one or more pieces of information by filling the dwMask member of the DESKBANDINFO structure that is passed as the third parameter. |
Interaction With the Script:
I have implemented a function named OnNag( ) of the interface ICHTMUI (the interface used by the WebBrowser control, as explained earlier). The script calls this function, passing the dispatch pointer to the HTML anchor element and the string representing the site to navigate to. I use the IWebBrowser2 interface pointer stored earlier to navigate to the site. Thus a click in the band object causes navigation in the main IE window.
The band.dll can be downloaded and registered. The menu item is added in View | Explorer Bars. On selecting the menu item the Explorer bar is created. The Explorer bar has links to some sites, to which one can navigate (in the main IE window) by clicking on them.
The project can be downloaded, and by modifying the HTML resource (carefully) you can add your own links and customise the GUI of the band.
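Because OnNag( ) receives its target string from script through window.external, the string can be checked before it is handed to IWebBrowser2. The following is an added example, not code from the article's project: IsAllowedBandTarget, the http/https-only policy and the sample host list are assumptions, and it is written in portable C++, so the incoming string would first be copied into a std::wstring.

```cpp
// Added example, not from the article's project. IsAllowedBandTarget is a
// hypothetical helper; the scheme policy and host list are assumptions.
#include <algorithm>
#include <string>
#include <vector>

// Constructed sample allowlist of hosts the band's links may point to.
static const std::vector<std::wstring> kAllowedHosts = {
    L"www.example.com", L"intranet.example.com"};

static std::wstring ToLowerAscii(std::wstring s) {
    std::transform(s.begin(), s.end(), s.begin(), [](wchar_t c) {
        return (c >= L'A' && c <= L'Z') ? static_cast<wchar_t>(c - L'A' + L'a') : c;
    });
    return s;
}

// Returns true only for http(s) URLs whose host is on the allowlist.
bool IsAllowedBandTarget(const std::wstring& url) {
    // Reject whitespace, control characters and backslashes outright: some
    // URL parsers strip or reinterpret them, so the string that is checked
    // would not be the string that is navigated to.
    for (wchar_t c : url)
        if (c <= 0x20 || c == 0x7F || c == L'\\') return false;

    const std::wstring lower = ToLowerAscii(url);
    size_t hostStart = 0;
    if (lower.compare(0, 7, L"http://") == 0) hostStart = 7;
    else if (lower.compare(0, 8, L"https://") == 0) hostStart = 8;
    else return false;  // javascript:, file:, res:, about:, relative paths

    // The authority part ends at the first '/', '?' or '#'.
    const size_t hostEnd = lower.find_first_of(L"/?#", hostStart);
    const std::wstring authority = lower.substr(
        hostStart, hostEnd == std::wstring::npos ? hostEnd : hostEnd - hostStart);

    // Refuse userinfo ("http://allowed-host@other-host/") instead of parsing it.
    if (authority.find(L'@') != std::wstring::npos) return false;

    // Drop an optional ":port" before comparing the host name.
    const std::wstring host = authority.substr(0, authority.find(L':'));
    return std::find(kAllowedHosts.begin(), kAllowedHosts.end(), host) !=
           kAllowedHosts.end();
}
```

OnNag( ) would return without navigating when the check fails, so only links to the listed hosts can drive the main IE window.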
The article "Creating Custom Explorer Bars and Desk Bands" in SBN