The HTA applications

[Abhishek Dwivedi]

The HTA Applications


Introduction: HTA applications are one of the most dangerous (atleast I think so) part of Web Designing. HTA’s are basically a cross between the Web-Pages and Executable files. With the help of HTA, it is now possible to make a complex application to work on the web without making an .exe of it!

Security: HTA’s are no doubt useful but it also has a darker side. The HTA applications are big threat to system security as they provide full access to the system resources without any warning or checking any security settings of the browser. IN SHORT, IT WORKS AS A TRUSTED APPLICATION.
The Good part of HTA is that it does not open as a Webpage on the web but asks the user to either RUN or SAVE it.

Few Programs: (only ie4 and above support HTA)

Making folder:
<html>
<head>
<HTA:APPLICATION ID="htapp">
</head>
<body>
<object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<script language=vbscript>
set wshshell=createobject ("wscript.shell")
a=wshshell.run("cmd.exe /c md abhishek",0)
</script>
Folder made!
</body>
</html>

When you save the above code as name.hta and execute it, a window will open with FOLDER MADE! written on it and a new folder will be created at the same location where the HTA file is kept.

Now remove <HTA:APPLICATION ID=”htapp”> from the above code and save it as name.html and now run it. Now you will be able to see the difference between HTA and HTML Applications.

Web Browser:
<html>
<head>
<title>Abhi Internet Browser</title>
<HTA:APPLICATION APPLICATIONNAME="Abhi Internet Browser" Windowstate="normal" sysmenu="yes">
</head>
<body>
<span id=abar style="overflow none">
<span id=AText><b>URL:</b></span>
<input type=text value="" id=URL width="60" style="width:expression(document.body.clientWidth-AText.offsetWidth - AGo.offsetWidth -85)">
<input type=button value="Go" id=AGo onclick="navigate()"><br>
<span>
<br>
<iframe src="techabhi.wordpress.com" id=data style="width:100%;height:85%"></iframe>
<script language=jscript>
function navigate()
{
document.all.data.src=URL.value;
}
function clickshortcut()
{
if (window.event.keycode==13){ navigate() }
}
URL.onkeypress=clickshortcut;
</script>
</body>
</html>

Now save this code as name.hta and run it. You can see a small web browser has been made and it can even access you HDD when you type x:\ and press GO button.
Now save this file as name.html and run it. You can still see the address bar and the GO button but you will not be able to surf the web nor access your HDD until you allow the scripts and active-X to run through your browser.
This means that you can very well view the non-scripted part of the HTA on web browsers but not the scripted part.

Conclusion: I request everyone, who have read this article, not to misuse the above provided code as I have tried to explain my point with these code and they are meant only for educational purpose. Hope you guys like it...

[anarkiLeo]

Nice one Abhishek... thanks for sharing..keep it up.... can you recommend me some websites or some pdf docs on HTA technology.

[Abhishek Dwivedi]

thx for da sweet comment anarkiLeo...try googling for HTA applications...u'll find a lot of data...i personaly do not have any ebook on da topic...

[topgear]

Thanks Abhishek Dwivedi

Thanks Abhishek Dwivedi

[Masroor]

nice, but the browser is not runing fast.... why???

[Abhishek Dwivedi]

well...dat is not a fully loaded web browrer...its just a small HTA app so u can expect much frm it...its gud when u got nuthing...lolz

[Masroor]

Nice!. but the browser is not working.

[Abhishek Dwivedi]

i can't understand u...chk da code...it shud wrk...