Abhishek Dwivedi
TechFreakiez.com
The HTA Applications
Introduction: HTA applications are one of the most dangerous (at least I think so) parts of web design. HTAs are basically a cross between web pages and executable files. With an HTA, it is possible to make a complex application work on the web without building an .exe for it!
Security: HTAs are no doubt useful, but they also have a darker side. HTA applications are a big threat to system security because they provide full access to system resources without any warning and without checking any of the browser's security settings. IN SHORT, AN HTA WORKS AS A TRUSTED APPLICATION.
The good part of HTA is that it does not open as a web page on the web; instead the user is asked to either RUN or SAVE it.
A Few Programs: (only IE4 and above support HTA)
Making a folder:
<html>
<head>
<HTA:APPLICATION ID="htapp">
</head>
<body>
<object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<script language=vbscript>
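' Create the Windows Script Host shell object
set wshshell=createobject ("wscript.shell")
' Run cmd.exe with a hidden window (style 0) to create the folder "abhishek"
a=wshshell.run("cmd.exe /c md abhishek",0)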
</script>
Folder made!
</body>
</html>
When you save the above code as name.hta and execute it, a window opens with FOLDER MADE! written in it, and a new folder is created in the same location as the HTA file.
Now remove <HTA:APPLICATION ID="htapp"> from the above code, save it as name.html and run it. You will now be able to see the difference between HTA and HTML applications.
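An added example, not part of the original article: a static triage in Python that flags the markers the folder-making sample relies on (the HTA:APPLICATION tag or .hta extension, script-created shell objects, and the command passed to Run). The function name triage, the ProgID list and the escalation rule are assumptions of this example.

```python
import re

# Constructed sample: the folder-making HTA from the article.
SAMPLE_HTA = '''<html>
<head>
<HTA:APPLICATION ID="htapp">
</head>
<body>
<script language=vbscript>
set wshshell=createobject ("wscript.shell")
a=wshshell.run("cmd.exe /c md abhishek",0)
</script>
Folder made!
</body>
</html>'''

HTA_TAG = re.compile(r'<\s*HTA:APPLICATION\b', re.I)
SCRIPT = re.compile(r'<script\b[^>]*>(.*?)</script\s*>', re.I | re.S)
# Object creation in VBScript (CreateObject) or JScript (new ActiveXObject).
PROGID = re.compile(
    r'(?:createobject|new\s+activexobject)\s*\(\s*["\']([\w.]+)["\']', re.I)
# Illustrative, non-exhaustive list of ProgIDs that reach the OS (assumption).
RISKY_PROGIDS = {"wscript.shell", "shell.application",
                 "scripting.filesystemobject"}
# First string argument of a .Run(...) or .Exec(...) call.
RUN_CALL = re.compile(r'\.\s*(?:run|exec)\s*\(\s*["\']([^"\']*)["\']', re.I)

def triage(name, text):
    """Static findings for one file; 'escalate' marks it for analyst review."""
    body = "\n".join(SCRIPT.findall(text))
    progids = sorted({p.lower() for p in PROGID.findall(body)} & RISKY_PROGIDS)
    commands = RUN_CALL.findall(body)
    # Treated as an HTA if it has the .hta extension or carries the tag.
    is_hta = name.lower().endswith(".hta") or bool(HTA_TAG.search(text))
    return {"hta": is_hta, "risky_progids": progids, "commands": commands,
            "escalate": is_hta and bool(progids or commands)}

if __name__ == "__main__":
    print(triage("name.hta", SAMPLE_HTA))
    # The article's comparison: same markup, tag removed, saved as .html.
    plain = SAMPLE_HTA.replace('<HTA:APPLICATION ID="htapp">\n', "")
    print(triage("name.html", plain))
```

Run against mail attachments or download folders, the escalate flag separates files that will run as trusted HTAs from ordinary HTML carrying the same script.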
Web Browser:
<html>
<head>
<title>Abhi Internet Browser</title>
<HTA:APPLICATION APPLICATIONNAME="Abhi Internet Browser" Windowstate="normal" sysmenu="yes">
</head>
<body>
<span id=abar style="overflow none">
<span id=AText><b>URL:</b></span>
<input type=text value="" id=URL width="60" style="width:expression(document.body.clientWidth-AText.offsetWidth - AGo.offsetWidth -85)">
<input type=button value="Go" id=AGo onclick="navigate()"><br>
</span>
<br>
<iframe src="http://techabhi.wordpress.com" id=data style="width:100%;height:85%"></iframe>
<script language=jscript>
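// Load the address typed in the URL box into the iframe
function navigate()
{
document.all.data.src=URL.value;
}
// Pressing Enter (key code 13) in the URL box acts like the Go button
function clickshortcut()
{
if (window.event.keyCode==13){ navigate() }
}
URL.onkeypress=clickshortcut;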
</script>
</body>
</html>
Now save this code as name.hta and run it. You can see that a small web browser has been made, and it can even access your HDD when you type x:\ and press the GO button.
Now save this file as name.html and run it. You can still see the address bar and the GO button, but you will not be able to surf the web or access your HDD until you allow scripts and ActiveX to run in your browser.
This means that you can very well view the non-scripted part of an HTA in web browsers, but not the scripted part.
Conclusion: I request everyone who has read this article not to misuse the code provided above; I have tried to explain my point with this code, and it is meant only for educational purposes. Hope you guys like it...