rhoepperger

How to protect HTML code that is displayed inside a CHtmlView

Hello,

A friend of mine wants to protect webpages. He wants to block access to the HTML code of displayed webpages.

For this purpose he created a program that uses CHtmlView to show webpages and wants to create a second thread that basically constantly checks if the surroundings are "safe". As soon as an attack on the HTML code is detected, the displayed web-page would be removed.

Now I know it is fairly easy to attach to a running instance of IE or use browser helper objects or other methods to gain access to the insides of IE and there is always the cache-problem too.

So my question:

Does anybody have suggestions

a)  how to reliably turn off caching of the loaded pages?

b)  how to check for code-sniffing browser-helper objects before and during the display of the pages
    (and just close the webpage if an "attack" is detected).  Is there an enumeration function that
    gives a list of the installed helper objects?  Is there an instance counter that we could use
    to detect if somebody tries to connect to our IE ?

c)  suggestions for other attacks to get the source-code?  (Don't worry about the transport between
    the server and the user's machine. That is being done encrypted.  The problem starts once
    the IE instance renders the web-page.) So do you know of other ways to get to the HTML code?

And lastly your take on how probable it is that my friend can shut down all loopholes so that access
to the HTML-code is made VERY tough (read: is restricted to very sophisticated and clever hackers).

Thank you all for your help!

Kind regards
Reinhard

williamcampbell

  Have you tried generating all HTML code from inside a .js (JavaScript) file? When the HTML source is viewed, all that the user sees is something like

 <script src="mypage.js"></script>

 <body onload="GeneratePage()">

 Would have to look up my Javascript book, been a while.

 
rhoepperger

ASKER

Williamcampbell, thank you for your tip, but the problem is, EVENTUALLY the Internet Explorer that renders the page knows the complete HTML code.  And that code is stored inside the "Document" object and can be read out by some other program or hacker.

Your tip helps against normal users, but not against programmers who can deal with Browser helper objects and other stuff like that.

But thank you for your tip.

Reinhard

ASKER CERTIFIED SOLUTION
keitha1

  1) There is a Meta Tag called CACHE (maybe UPDATECACHE), which when set to zero will stop IE caching the page.

 
  I don't see how a programmer could get to the Document object inside IE, unless they intercepted the encrypted HTML before it gets to IE and inserted a function into OnLoad that gives them access to doc. But by then they already have the HTML.

  Is there an Interface for querying an instance of IExplore.exe for its document object structure?

williamcampbell,
there are browser helper objects,  running program tables and all kinds of other stuff how to connect to a running instance of IE.  And as soon as the connection is made you can access the HTML code from the inside.   THAT should be prevented if possible!

keitha1,
your answer is VERY VERY interesting!  But unfortunately I am not a COM programmer (I just have some working knowledge of it).  Is there a way that you could elaborate your answer a bit?  It is not some event that I need to conceal but simply access to the document object should be restricted by running it through some of my own code.
How would I do that?   Would you be able to write something like this for me and I pay you through PayPal or so?  If so, please contact me at office@hope-soft.co.at
I believe we are on the right track with your answer.
I very much look forward to hearing more about that.

Reinhard

Ok, what you want can be boiled down to basically the holy grail of security. There is no way to absolutely protect the document. On the bright side, I am going to mail you a little program I wrote that mimics IE (using a CHtmlView class). It walks the document through the DOM interface and revectors certain events to use a custom IDispatch rolled event.

This program is a good example of what a programmer can do with your document. If they can simply acquire your document through an http request, then they can use their own custom browser to do just about anything they want.

I'll give instructions in the email.

Hello Keith,

Thanks a LOT for your generous help!  This is awesome. And I already sent you private email.

Thanks a lot!
Reinhard

I would very much like to accept Keith's answer.  Thank you VERY much for it Keith.

Dan, please accept Keith's answer for me as I do not see the "Accept answer" buttons (don't know why).

Thanks a lot to both of you!

Kind regards
Reinhard

Hi Dan,

My name in Austria is Höpperger which in English can be represented as hoepperger or hopperger.  As experts-exchange did not allow umlauts, I used rhoepperger while I was still living in Europe.  I moved to America 4 years ago and here my name is Hopperger and so I used rhopperger as my username.   That's probably how this two-account scenario happened.

Anyway,  I CAN log on as rhopperger (the newer account) but no matter what I try, I CANNOT log on as rhoepperger.  I get a weird error page (SQL errors and such...) if I try.

So I have no means of logging on as rhoepperger and also cannot give anybody the points for the answer.
As I cannot log onto the site as rhoepperger anyway, there will also be no more problem in the future.  The few questions that are still open as rhoepperger will be closed soon and every new question will be under rhopperger.

Please deal with the question as you see fit.   Thanks.

Kind regards
Rhopperger