Detection of ActiveX & other Mobile code

Hi! I am trying to extend the functionality of a squid-based proxy to filter out ActiveX, JavaScripts and mobile code in general, from the web pages users will download. I am trying to make it an "intelligent" filter, in the sense of not just plainly removing the <OBJECT> tags from the page, but to look into the actual object to determine what it is and see if it is whitelisted, e.g. it will filter out ActiveX but let through Flash...

Reading the W3C recommendations for HTML 4.0, it appears the codetype or type attributes of an object determine what type it is. However, I can imagine the bad guys wouldn't rely on them... As far as I understand the way IE works, I should go for the "clsid" as it determines via registry which control to start.

My idea would be to deny every object tag except those whose classid value is whitelisted. Besides classid="clsid:..." I believe you can also embed e.g. Java applets using the syntax classid="java:...". So the whitelist would check the object's classid attribute as a whole and maybe even allow patterns (java:*).

What do you experts think? Is this doable? Are there any other ways to start ActiveX - e.g. through other object attributes?

Another problem I am facing is to find websites with built-in ActiveX code so I can examine the page source and check what types/classid they use. If you know of any, please send URL(s). Any other ideas/suggestions would also be very welcome.

Many thanks in advance, Hedgehog.
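One way to implement the classid whitelist proposed in the question, as an added example that is not part of the original posts. It uses Python's standard html.parser rather than squid itself; the whitelist entries and the names ALLOWED, object_allowed, ObjectFilter and filter_objects are assumptions made for illustration, and only <object> tags are judged, by classid alone.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser

# Constructed whitelist (lower case): the CLSID commonly used to embed Flash, and java:*.
ALLOWED = ["clsid:d27cdb6e-ae6d-11cf-96b8-444553540000", "java:*"]

def object_allowed(attrs):
    """Default deny: every classid on the tag must match the whitelist."""
    ids = [(v or "").strip().lower() for k, v in attrs if k == "classid"]
    return bool(ids) and all(any(fnmatchcase(i, p) for p in ALLOWED) for i in ids)

class ObjectFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities unchanged
        self.out, self.blocked, self.depth = [], [], 0  # depth > 0: inside a dropped <object>

    def emit(self, text):
        if not self.depth:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag == "object" and (self.depth or not object_allowed(attrs)):
            if not self.depth:  # log only the outermost dropped object
                self.blocked.append(dict(attrs).get("classid"))
            self.depth += 1  # nested objects and fallback content go with it
            return
        self.emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag == "object":  # keep depth balanced for <object .../>
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "object" and self.depth:
            self.depth -= 1
        else:
            self.emit(f"</{tag}>")
    # Comments are not re-emitted: IE conditional comments can carry markup.
    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")
    def handle_decl(self, decl): self.emit(f"<!{decl}>")

def filter_objects(html):
    """Return (filtered_html, classids_of_dropped_objects)."""
    f = ObjectFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked
```

The parser decodes character references in attribute values before the comparison, so a classid written as clsid&#58;... is judged as clsid:..., and a tag carrying two classid attributes is dropped unless both are whitelisted.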

Answer Wiki


Why don’t you disallow all but what is in your whitelist? This is easier than only disallowing certain types. As for an ActiveX site, try downloading anything from Microsoft these days, as they’ve fully activated their ‘true windows’ policy lately.

Discuss This Question: 1  Reply

  • Hedgehog
    Hi ve3ofa, thanks for your answer. At the moment I can only whitelist based on (sub-)domain. It would be preferable to allow certain types of content based on type (e.g. block ActiveX but allow JavaScript), hence my question. Do you have any idea how I could recognise the __type__ of content in the OBJECT tag?

    I have been trawling around the MS site as you recommended and although there are a lot of JavaScripts, I couldn't find any ActiveX. I would *really* appreciate it if you could send me a URL which contained an ActiveX, so I could test the proxy filter.

    Cheers, Hedgehog