[x3d-public] [x3dom-developers] X3D JSON Loader and Cross Site Scripting (XSS)

John Carlson yottzumm at gmail.com
Sun Jan 17 01:29:14 PST 2016


If someone would like to start a security discussion re: scripts in X3D and converting to X3DOM or security in shaders for WebGL, I would be open.

John
> On Jan 17, 2016, at 4:21 AM, John Carlson <jcarlsonprivate at gmail.com> wrote:
> 
> You should not put up index.html from the X3D JSON Loader found here https://github.com/coderextreme/X3DJSONLD/ and here http://coderextreme.net/X3DJSONLD/ without careful consideration of this:
> 
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> 
> In particular, I am choosing tags, attribute names, and attributes right out of the JSON and XML without any filtering or checking. You should validate any JSON or XML being loaded into the X3D JSON Loader (yes I know it’s problematic). In particular, if you store XML or JSON from untrusted sources and display them in the Loader, it’s likely you will get an XSS attack. Please sanitize all input from untrusted sources and make sure it’s valid. We don’t currently have XML Schema or XML Schematron for JSON data yet.
> 
> It’s in the license that I will not be liable for damages.  Please use my software with care.  I am not a security researcher.
> 
> If someone wants me to write a sanitizer for the X3D JSON Loader, I am willing to for $$$.  I will need to run it by some security researchers.
> 
> John Carlson
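As an added example (not code from the X3D JSON Loader or from John), this is what the validation step called for above could look like: an allow list applied to the JSON before any DOM element is created from it. The "@attribute" / "-children" key conventions and the node and attribute allow lists are assumptions chosen for illustration, not the loader's real rules.

```javascript
// Added example, not the loader's own code. Assumed JSON conventions:
// object keys are node names, "@x" keys are attributes, "-x" keys hold
// arrays of child nodes (each child object wraps exactly one node).
const ALLOWED_NODES = new Set(['X3D', 'Scene', 'Transform', 'Shape',
  'Appearance', 'Material', 'Box']);
const ALLOWED_ATTRS = new Set(['profile', 'version', 'DEF', 'USE',
  'translation', 'rotation', 'size', 'diffuseColor', 'transparency']);
// Numbers, identifiers and whitespace only: no quotes, angle brackets or
// URL schemes, so a value can never break out of its attribute context.
const ATTR_VALUE_RE = /^[A-Za-z0-9_.\- ,]*$/;

// Returns a plain {name, attrs, children} tree, or throws on the first
// node, attribute name or attribute value outside the allow list.
function sanitizeX3DJson(nodeName, node, depth = 0) {
  if (depth > 64) throw new Error('nesting too deep');
  if (!ALLOWED_NODES.has(nodeName)) throw new Error(`rejected node <${nodeName}>`);
  if (typeof node !== 'object' || node === null || Array.isArray(node)) {
    throw new Error(`node <${nodeName}> must be an object`);
  }
  const out = { name: nodeName, attrs: {}, children: [] };
  for (const [key, value] of Object.entries(node)) {
    if (key.startsWith('@')) {
      const attr = key.slice(1);
      if (!ALLOWED_ATTRS.has(attr)) throw new Error(`rejected attribute ${attr}`);
      const text = Array.isArray(value) ? value.join(' ') : String(value);
      if (!ATTR_VALUE_RE.test(text)) throw new Error(`rejected value of ${attr}`);
      out.attrs[attr] = text;
    } else if (key.startsWith('-')) {
      if (!Array.isArray(value)) throw new Error(`${key} must be an array`);
      for (const child of value) {
        const names = (child && typeof child === 'object') ? Object.keys(child) : [];
        if (names.length !== 1) throw new Error('child must wrap exactly one node');
        out.children.push(sanitizeX3DJson(names[0], child[names[0]], depth + 1));
      }
    } else {
      out.children.push(sanitizeX3DJson(key, value, depth + 1)); // single child node
    }
  }
  return out;
}

// Only the sanitized tree reaches the DOM: element and attribute names come
// from the allow lists, so no script node or on* handler can be created.
function toElement(tree, doc) {
  const el = doc.createElement(tree.name);
  for (const [k, v] of Object.entries(tree.attrs)) el.setAttribute(k, v);
  for (const child of tree.children) el.appendChild(toElement(child, doc));
  return el;
}

// Constructed sample scene in the assumed JSON shape.
const SAMPLE = { '@profile': 'Immersive', Scene: { '-children': [
  { Shape: { Appearance: { Material: { '@diffuseColor': [0.8, 0.2, 0.2] } },
             Box: { '@size': [2, 2, 2] } } } ] } };
```

In a page, `document.body.appendChild(toElement(sanitizeX3DJson('X3D', json), document))` is the only path from JSON to DOM; anything rejected is an error, not a silently dropped node.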


