Authorizing usage of ActiveX component

Status
Not open for further replies.

yogevm

Programmer
Nov 15, 2001
4
IL
I've developed an ActiveX component using Visual C++ 6.0 that's used in an HTML page located on a website
protected by password.
This ActiveX should be used only by authorized people.
The ActiveX has a few parameters.

How can I prevent a user / hacker who gets a copy of this OCX in some way, and knows the parameters
needed, from building his own HTML page with this ActiveX and use it without authorization ?

I don't want to put a password protection in the user interface of the ActiveX component, since the
website the ActiveX is located in is password protected.
 
You posed an interesting problem...

My solution is to use the ActiveX component's InitProperties event to validate the URL of the page containing the proprietary control.

To prevent hackers or ripoff artists from easily changing the validation string in the object's code, I decided to use a simple hash.

I RADded this out in VB to reply quickly - hope you can easily implement the same concept in your C++ object.

Note that the page's URL is returned URL-encoded. In my local test case the page ends up stored locally, and for whatever reason such file URLs come back with a leading "/" character. Experiment with it!

I've tried to pre-fold the code so it won't get too mangled here, thus the HUGE number of VB line-continuations:
Code:
Option Explicit

'Secure my ActiveX Control from thieves!

'Example: http://www.me.com/
'Const clngLegal As Long = 27625
'Const clngLen As Long = 18

'/C:\Program%20Files\Microsoft%20Visual%20Studio
Const clngLegal As Long = 76194
Const clngLen As Long = 48

'Compare the hash of the hosting page's path prefix
'with the hardcoded value; raise an error on mismatch.
Private Sub CheckLegality()
  If Hash(Left(Parent.location.pathname, _
    clngLen)) <> clngLegal Then
      Err.Raise vbObjectError + &H2666, _
        App.EXEName, _
        "Illegal use of proprietary code"
  End If
End Sub

'Case-insensitive sum of character codes, times 17.
Private Function _
    Hash(ByVal strPath As String) As Long
  Dim i As Long
  
  strPath = LCase(strPath)
  For i = 1 To Len(strPath)
    Hash = Hash + _
      Asc(Mid(strPath, i, 1))
  Next
  Hash = Hash * 17
End Function

Public Sub DoSomething()
  MsgBox "My component in action!"
End Sub

Private Sub Command1_Click()
  DoSomething
End Sub

'Run the check when the control is initialized.
Private Sub UserControl_InitProperties()
  CheckLegality
End Sub

Here is a short VBScript for calculating the hash value to hardcode into your object:
Code:
Function Hash(ByVal strPath)
  Dim i
  
  strPath = LCase(strPath)
  For i = 1 To Len(strPath)
    Hash = Hash + _
      Asc(Mid(strPath, i, 1))
  Next
  Hash = Hash * 17
End Function

s = InputBox _
  ("Warning - Use %20 for spaces" & _
  vbCrLf & "URL Prefix to hash:")
MsgBox "Hash: " & CStr(Hash(s)) & _
  vbCrLf & "  Len: " & CStr(Len(s))
Note my use of aggressive line-folding here too.

Hope this helps give you ideas!

Be sure to encode your site's PREFIX and not the whole URL, else you'll be changing your object a lot or compiling copies for every page you use it on!

For the truly paranoid, change the prime constant 17 to something else so over-the-shoulder types here don't know what you are up to. Maybe 3, maybe a whole new hashing algorithm.

For the less paranoid chop the whole dang Hash thing out entirely.

Don't you just hate those "the web is open source" nuts when your boss/client is breathing down your neck with the company's Security Dude perched on his shoulder?

P.S. -

I'd love to hear about exploits that circumvent this. Am I missing anything really obvious here?
 
Sorry. Maybe I should have added that I made that test object above as a VB 6 ActiveX Control, with one command button as an easy way to manually invoke a method.

This let me just run the danged thing from inside the VB IDE, and it came up with that local page to host the object on its own.

Cheers! I really hope this gives you some ideas.
 
BTW -

You could probably just close the hacker dude's browser window via
Code:
Parent.close
too. That might mess him up more than simply throwing an exception!
 
Well if you can't close his window, just redirect him via:

Parent.location = "
That might scare 'em!

Or send him someplace boring, or even to AOL's home page! Or a nasty warning page at your own site? No, not worth tempting fate.

But now that I think about it they might just trap that exception in their pages. So you'll want to set a boolean "Legal" or something, and check it on every bit of code they might invoke - or else do that redirect thingy!

Wow, this is SO evil!
 
Thank you very much for your suggestion, but I cannot use it.
This ActiveX is distributed with a web application my company has developed, that different websites can install and use, so I can't hard code the URL inside my code...
I was surprised I didn't get more solutions to my problem. I find it hard to believe I'm the only one who has this problem.
 
Well, another option is to simply:

1.) Choose a tougher hash algorithm, it wouldn't take much to improve on what I suggested.

2.) Pass the hash (and possibly the length) as properties to the object, such as via <PARAM> tags.

3.) Do the "URL validation" somewhere later than InitProperties, like in some very primary method which is required to make the object work. Could even just accept the hash & len as parameters to this method.

4.) Provide the customer with a stand-alone program containing the hash algorithm, which they'd use to generate the "keys" for their own site. This code wouldn't be posted on their web site for free access anyhow, and you could have a customer-specific license requirement as with any other desktop software.

BTW -

If you only need to validate the host and not anything further you could just check
Code:
Parent.location.host
- then you won't need this "length" jazz.

I was allowing for people who want an ActiveX Control restricted to a folder on a given host. Example:

Allow...
Code:
http://www.hostingco.com/fredco/

But not...
Code:
http://www.hostingco.com/samcorp/


Last thoughts -

There isn't a lot else you can do to "license" a control to a site. At least not that I know of. Even if you use an LPK file (which you'll probably need too if your control uses any controls itself), a thief could just download and use it too.

I am as surprised as you that this question hasn't resulted in a lot more responses. Seems like I spend a good 10% of my time trying to "secure" things within reason for my clients.

Perhaps this might better be cross-posted to either the HTML & CSS forum or perhaps better yet the InterDev forum?
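
Added example, not part of the original thread or any poster's code: a Python sketch of options 1, 2 and 4 from the post above. It ports the additive Hash() from the earlier reply to show that any reordering of a prefix gives the same value, then replaces it with a keyed HMAC-SHA256 site key passed in alongside the prefix length. The function names, the secret and the reordered folder name are constructed for illustration.

```python
import hashlib
import hmac


def additive_hash(prefix: str) -> int:
    """Port of the thread's Hash(): sum of character codes, times 17."""
    return sum(ord(ch) for ch in prefix.lower()) * 17


def issue_key(vendor_secret: bytes, site_prefix: str) -> str:
    """Vendor-side generator (option 4): HMAC-SHA256 over the site prefix."""
    msg = site_prefix.lower().encode("utf-8")
    return hmac.new(vendor_secret, msg, hashlib.sha256).hexdigest()


def page_is_licensed(vendor_secret: bytes, location: str,
                     prefix_len: int, key: str) -> bool:
    """Control-side check; key and length arrive as parameters (option 2).

    `location` stands for host + pathname of the hosting page.
    """
    if prefix_len <= 0 or prefix_len > len(location):
        return False
    expected = issue_key(vendor_secret, location[:prefix_len])
    # Constant-time comparison of the expected and supplied keys.
    return hmac.compare_digest(expected.encode("utf-8"),
                               key.lower().encode("utf-8"))


# Constructed sample values (not from the thread, except the two folders).
SECRET = b"constructed-demo-secret"
LICENSED = "www.hostingco.com/fredco/"
REORDERED = "www.hostingco.com/ocderf/"  # same characters, different order

# Note: the secret has to ship inside the control for this check to run,
# so the scheme is only as strong as the binary's resistance to inspection.
# A public-key signature would keep the signing key with the vendor.

if __name__ == "__main__":
    key = issue_key(SECRET, LICENSED)
    print("additive equal:", additive_hash(LICENSED) == additive_hash(REORDERED))
    print("hmac equal:    ", key == issue_key(SECRET, REORDERED))
    print("fredco page:   ", page_is_licensed(
        SECRET, "www.hostingco.com/fredco/page.htm", len(LICENSED), key))
    print("samcorp page:  ", page_is_licensed(
        SECRET, "www.hostingco.com/samcorp/page.htm", len(LICENSED), key))
```

Issue prefixes with a trailing "/" so that a key for one folder does not also match a sibling folder whose name merely starts with the same characters.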
 