Internet users can change their IE settings (from Tools -> Internet Options). For example, the font settings can be changed to bold. If an application embeds IE, it might be interested in knowing when the font setting has changed, so it can use the new font. This article discusses a method to know exactly when an IE setting has changed. A sample application is provided that monitors changes in IE's multimedia and zone-related settings.
When a user changes IE settings, IE sends WM_SETTINGCHANGE to all top-level windows. In order for an application to take advantage of this, it should handle this message. The message merely signifies that a setting has changed. It is up to the application to look at the relevant places (Registry, zone manager, and so forth) to know exactly which setting has changed. Here, I describe ways to monitor the following IE settings. The steps to access each property from the menu are shown in the second column.
| Setting | Menu path |
|---|---|
| Play Sound | Internet Options -> Advanced |
| Play Video | Internet Options -> Advanced |
| Show Pictures | Internet Options -> Advanced |
| Active Scripting | Internet Options -> Security -> Internet Zone -> Scripting |
| Scripting of Java Applets | Internet Options -> Security -> Internet Zone -> Scripting |
Play Sound, Play Video, and Show Pictures can be configured as Enable, Disable, or Prompt from the Advanced tab. IE maintains their settings in the Registry under HKCU\Software\Microsoft\Internet Explorer\Main. Applications should look for any change under this path in the Registry to know whether these multimedia settings have changed. The subkeys they use in the Registry are provided below.

| Setting | Registry subkey |
|---|---|
| Play Video | Display Inline Videos |
| Show Pictures | Display Inline Images |

The data type used for these subkeys is string (REG_SZ). A "yes" indicates the property has been enabled; a "no" indicates the property is disabled.
Users can set the script setting for each of the zones available on the Tools -> Internet Options -> Security tab. A description of zones is beyond the scope of this document; descriptions can be found at http://www.nwnetworks.com/iezones.htm and http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp. This part of the document discusses monitoring script settings in the Internet Zone.
The Active Scripting and Scripting of Java Applets properties can be set to one of the following Action Policies.
| Action Policy | Meaning |
|---|---|
| URLPOLICY_ALLOW | Always allows scripts to be downloaded |
| URLPOLICY_DISALLOW | Always blocks scripts from being downloaded |
| URLPOLICY_QUERY | Prompts the user to decide whether the script can be downloaded |
Internet Zone Manager
Internet Zone Manager is an object that manages zones. Windows comes with a default URL Zone Manager (available in urlmon.dll). The Zone Manager implements the IInternetZoneManager interface. An application can use this COM object to find out the Action Policy for the script settings. The GetZoneActionPolicy method returns the action policy set for URLs in any zone. The usage is as follows (COM must already have been initialized with CoInitialize or CoInitializeEx).

```cpp
#include <windows.h>
#include <urlmon.h>

IInternetZoneManager* pZoneMgr = NULL;
HRESULT hr;

/* Create the object */
hr = CoCreateInstance(CLSID_InternetZoneManager, NULL, CLSCTX_INPROC_SERVER,
                      IID_IInternetZoneManager, (void**)&pZoneMgr);

/* Get the Action Policy for Scripts */
DWORD bytePolicy = 0;
DWORD iSize = sizeof(bytePolicy);   /* cbPolicy is a DWORD, not size_t */
if (SUCCEEDED(hr))
    hr = pZoneMgr->GetZoneActionPolicy(URLZONE_INTERNET, URLACTION_SCRIPT_RUN,
                                       (BYTE*)&bytePolicy, iSize, URLZONEREG_HKCU);
/* bytePolicy now holds URLPOLICY_ALLOW, URLPOLICY_QUERY, or URLPOLICY_DISALLOW;
   call pZoneMgr->Release() when it is no longer needed */
```
At startup, the application gets the Action Policy and, upon receiving WM_SETTINGCHANGE, again uses the Zone Manager to know whether the script setting in the zone has changed.
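The snapshot-and-compare flow just described, as an added example (not the article's sample application): the portable part holds one snapshot of the monitored settings and reports which ones differ between two snapshots; the Win32/COM readers under `_WIN32` fill the snapshot from the Registry path and the Zone Manager call given above. `IeSettings`, `RegYes`, `DiffSettings`, `ReadMainValue` and `ReadCurrentSettings` are this example's own names, and the URLPOLICY values are repeated from urlmon.h so the portable part compiles without the SDK.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// URLPOLICY_* values from urlmon.h, repeated so the portable part compiles without the SDK.
constexpr uint32_t kUrlPolicyAllow = 0x00, kUrlPolicyQuery = 0x01, kUrlPolicyDisallow = 0x03;
constexpr uint32_t kUrlPolicyPermissionMask = 0x0f;   // URLPOLICY_MASK_PERMISSIONS
// One snapshot of the settings this article monitors (IeSettings is this example's own name).
struct IeSettings {
    bool showPictures;      // "Display Inline Images" under HKCU\...\Internet Explorer\Main
    bool playVideo;         // "Display Inline Videos" under the same key
    uint32_t scriptPolicy;  // URLACTION_SCRIPT_RUN policy for URLZONE_INTERNET
};
// The registry strings are "yes"/"no"; anything unexpected counts as disabled (fail closed).
bool RegYes(const std::string& v) { return v == "yes"; }
bool ScriptsPermitted(const IeSettings& s) {
    return (s.scriptPolicy & kUrlPolicyPermissionMask) == kUrlPolicyAllow;
}
// Names of the settings whose effective value differs between two snapshots.
std::vector<std::string> DiffSettings(const IeSettings& before, const IeSettings& after) {
    std::vector<std::string> changed;
    if (before.showPictures != after.showPictures) changed.push_back("Show Pictures");
    if (before.playVideo != after.playVideo) changed.push_back("Play Video");
    if ((before.scriptPolicy & kUrlPolicyPermissionMask) !=
        (after.scriptPolicy & kUrlPolicyPermissionMask)) changed.push_back("Active Scripting");
    return changed;
}
#ifdef _WIN32
#include <windows.h>
#include <urlmon.h>
// Read one REG_SZ value from HKCU\Software\Microsoft\Internet Explorer\Main; "no" if absent.
static std::string ReadMainValue(const char* name) {
    char buf[16] = {}; DWORD cb = sizeof(buf);
    LONG rc = RegGetValueA(HKEY_CURRENT_USER, "Software\\Microsoft\\Internet Explorer\\Main",
                           name, RRF_RT_REG_SZ, NULL, buf, &cb);
    return rc == ERROR_SUCCESS ? std::string(buf) : std::string("no");
}
// Called once at startup and again on every WM_SETTINGCHANGE. The message is only a hint
// (any process can broadcast it), so the registry and zone manager are re-read each time.
IeSettings ReadCurrentSettings(IInternetZoneManager* zoneMgr) {
    IeSettings s{RegYes(ReadMainValue("Display Inline Images")),
                 RegYes(ReadMainValue("Display Inline Videos")), kUrlPolicyDisallow};
    DWORD policy = 0;
    if (zoneMgr && SUCCEEDED(zoneMgr->GetZoneActionPolicy(URLZONE_INTERNET, URLACTION_SCRIPT_RUN,
                                 (BYTE*)&policy, sizeof(policy), URLZONEREG_HKCU)))
        s.scriptPolicy = policy;   // on failure the DISALLOW default stays
    return s;
}
#endif
```

In the window procedure, the WM_SETTINGCHANGE case calls ReadCurrentSettings, hands DiffSettings(cached, current) to whatever needs to react, and then replaces the cached snapshot.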
Internet Security Manager
Applications such as a BHO, or one that embeds IE, might need to determine the zone of a visited URL dynamically. Such applications need not monitor WM_SETTINGCHANGE, because they only need the zone of a URL and the action associated with it when the request for navigation comes in. They can use another default COM object, CLSID_InternetSecurityManager, to find out which zone the URL falls under. The usage is as follows.

```cpp
#include <windows.h>
#include <urlmon.h>

IInternetZoneManager*     pZoneMgr     = NULL;
IInternetSecurityManager* pSecurityMgr = NULL;
LPCWSTR szUrl;            /* the URL of the pending navigation, supplied by the caller */
DWORD   dwZone = 0;
HRESULT hr;

/* Create Zone Manager */
hr = CoCreateInstance(CLSID_InternetZoneManager, NULL, CLSCTX_INPROC_SERVER,
                      IID_IInternetZoneManager, (void**)&pZoneMgr);
/* Create Security Manager */
if (SUCCEEDED(hr))
    hr = CoCreateInstance(CLSID_InternetSecurityManager, NULL, CLSCTX_INPROC_SERVER,
                          IID_IInternetSecurityManager, (void**)&pSecurityMgr);
/* Know the Zone */
if (SUCCEEDED(hr))
    hr = pSecurityMgr->MapUrlToZone(szUrl, &dwZone, 0);
/* Know the Action Policy for the zone the URL maps to */
DWORD bytePolicy = 0;
DWORD iSize = sizeof(bytePolicy);
if (SUCCEEDED(hr))
    hr = pZoneMgr->GetZoneActionPolicy(dwZone, URLACTION_SCRIPT_RUN,
                                       (BYTE*)&bytePolicy, iSize, URLZONEREG_HKCU);
/* Release both interfaces when they are no longer needed */
```