The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Because ActiveX controls are typically written in native languages like C and

C++, they cannot be trivially decompiled back to source code in the way that

Java applets can be. Nevertheless, because all of the processing performed by

an ActiveX control occurs on the client computer, it is in principle possible for

a user on that computer to fully scrutinize and control that processing, thereby

circumventing any security functions that it implements.

Reverse engineering is a complex and advanced topic, which extends

beyond the scope of this book. However, there are some basic techniques that

even a relatively inexperienced reverse engineer can use to defeat the client-

side security mechanisms implemented within many ActiveX controls.

HACK STEPS

■