Inherently dangerous methods such as LaunchExe can often be identified simply by their name. In other cases, the name may be innocuous or obfuscated, but it may be clear that interesting items such as file names, URLs, or system commands are being passed as parameters. You should try modifying these parameters to arbitrary values and determine whether the control processes your input as expected.
It is common to find that not all of the methods implemented by a control are actually invoked anywhere within the application. For example, methods may have been implemented for testing purposes, may have been superseded but not removed, or may exist for future use or self-updating purposes. To perform a comprehensive test of a control, it is necessary to enumerate all of the attack surface it exposes through these methods, and test all of them.
Various tools exist for enumerating and testing the methods exposed by ActiveX controls. One useful tool is COMRaider by iDefense, which can display all of a control's methods and perform basic fuzz testing of each, as shown in Figure 12-12.
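The enumeration step described above, as an added PowerShell example that is not from the book and is unrelated to COMRaider: it lists every method a registered control exposes through its IDispatch type information, flags names that suggest dangerous behaviour or string-typed parameters, and counts how often the application's saved HTML/JavaScript actually calls each one, so that methods nobody invokes are not overlooked. The ProgID, the source folder and the keyword pattern are assumptions; instantiating the control runs its code, so this belongs on an isolated test host.

```powershell
param(
    [Parameter(Mandatory)][string]$ProgId,        # registered ProgID of the control under test (assumed)
    [Parameter(Mandatory)][string]$AppSourceDir   # folder holding the application's saved HTML/JS (assumed)
)

# Triage keywords only; an assumption, not an exhaustive list of dangerous names.
$suspectNames = 'exec|launch|run|shell|cmd|process|file|write|delete|download|url|reg'

# Create the control and read its methods from the IDispatch type information.
# Controls that ship no type info will show fewer (or no) methods here.
$ctl     = New-Object -ComObject $ProgId
$methods = $ctl | Get-Member -MemberType Method

$results = foreach ($m in $methods) {
    # Count client-side references of the form ".MethodName(" in the saved pages.
    $pattern = '\.' + [regex]::Escape($m.Name) + '\s*\('
    $refs = Select-String -Path (Join-Path $AppSourceDir '*') -Include *.htm, *.html, *.js `
                          -Pattern $pattern -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Method       = $m.Name
        Signature    = $m.Definition                          # return type and parameter types
        Referenced   = ($refs | Measure-Object).Count         # 0 means no page calls it
        SuspectName  = [bool]($m.Name -match $suspectNames)
        StringParams = [bool]($m.Definition -match 'string')  # candidates for file/URL/command input
    }
}

# Unreferenced methods are still attack surface and must be tested like the rest.
$results | Sort-Object Referenced, Method | Format-Table -AutoSize
```

Run it as a script with `-ProgId` and `-AppSourceDir`; rows with `Referenced` of 0 are the methods the application never calls, which the text above singles out as easy to miss.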