[x3d-public] seriot.ch - Parsing JSON is a Minefield 💣
Don Brutzman
brutzman at nps.edu
Mon Jun 11 22:07:58 PDT 2018
[Valuable resource. Among multiple hazards, this document identifies several issues we have coped with and several others we should think about for X3D JSON Encoding.]
Parsing JSON is a Minefield by Nicolas Seriot
http://seriot.ch/parsing_json.php
Session Description.
JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile programming. But how well do you really know JSON? We'll read the specifications and write test cases together. We'll test common JSON libraries against our test cases. I'll show that JSON is not the easy, idealised format as many do believe. Indeed, I did not find two libraries that exhibit the very same behaviour. Moreover, I found that edge cases and maliciously crafted payloads can cause bugs, crashes and denial of services, mainly because JSON libraries rely on specifications that have evolved over time and that left many details loosely specified or not specified at all.
Also available: video (presentation in French, slides in English) at BlackAlps 17 Cyber Security Conference
https://www.youtube.com/watch?v=B598kLov7TA
all the best, Don
--
Don Brutzman Naval Postgraduate School, Code USW/Br brutzman at nps.edu
Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
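The session description above talks about writing test cases from the specification and running them against JSON libraries to expose divergent behaviour, crashes and denial of service. The harness below is an added example, not code from the post or from seriot.ch: the payloads in `CASES` are constructed here, the tags describing how RFC 8259 treats each one are my reading of that RFC, and `probe`, `max_nesting` and `strict_loads` are names I chose. It runs the payloads through Python's standard `json.loads` and then through a hardened wrapper that rejects the non-standard literals, duplicate keys, overflowing numbers and excessive nesting that the stock parser lets through or chokes on.

```python
import json
import math

# Constructed edge-case payloads (not from the post or from seriot.ch), tagged with
# how RFC 8259 treats them: "outside grammar" (a conforming parser rejects),
# "grammar" (a conforming parser accepts), or "unspecified" (left to the implementation).
CASES = {
    "nan_literal":      ("NaN",                       "outside grammar"),
    "infinity_literal": ("-Infinity",                 "outside grammar"),
    "trailing_comma":   ("[1,]",                      "outside grammar"),
    "single_quotes":    ("{'a': 1}",                  "outside grammar"),
    "leading_zero":     ("01",                        "outside grammar"),
    "utf8_bom":         ("\ufeff{}",                  "unspecified"),
    "huge_exponent":    ("1e400",                     "unspecified"),
    "duplicate_keys":   ('{"a": 1, "a": 2}',          "unspecified"),
    "lone_surrogate":   ('"\\ud800"',                 "unspecified"),
    "deep_nesting":     ("[" * 100000 + "]" * 100000, "unspecified"),
    "plain_object":     ('{"a": [1, 2.5, "x"]}',      "grammar"),
}


def probe(loader, cases=CASES):
    """Feed every payload to `loader` and classify what happened.

    "rejected" is a clean parse error, "accepted" means a value came back,
    "crashed" means the parser ran out of stack instead of reporting an error.
    """
    results = {}
    for name, (payload, _rfc_status) in cases.items():
        try:
            loader(payload)
        except ValueError:          # json.JSONDecodeError is a ValueError subclass
            results[name] = "rejected"
        except RecursionError:
            results[name] = "crashed"
        else:
            results[name] = "accepted"
    return results


# --- hooks for the hardened loader (hypothetical helper names) ---------------

def _reject_constant(name):
    # json.loads calls parse_constant only for NaN, Infinity and -Infinity.
    raise ValueError(f"non-standard literal {name!r} rejected")


def _finite_float(text):
    # Called for every number with a fraction or exponent; 1e400 overflows to inf.
    value = float(text)
    if not math.isfinite(value):
        raise ValueError(f"number {text!r} is out of range")
    return value


def _reject_duplicates(pairs):
    # object_pairs_hook sees every key, so repeats are visible before dict() collapses them.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} rejected")
        obj[key] = value
    return obj


def max_nesting(text):
    """Deepest []/{} nesting outside string literals (escapes inside strings are skipped)."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def strict_loads(payload, max_depth=64):
    """json.loads with the lenient behaviours turned into clean ValueErrors."""
    if max_nesting(payload) > max_depth:
        raise ValueError(f"nesting deeper than {max_depth} rejected")
    return json.loads(payload,
                      parse_constant=_reject_constant,
                      parse_float=_finite_float,
                      object_pairs_hook=_reject_duplicates)


if __name__ == "__main__":
    lenient, strict = probe(json.loads), probe(strict_loads)
    print(f"{'case':18}{'rfc 8259':18}{'json.loads':12}strict_loads")
    for name, (_payload, rfc_status) in CASES.items():
        print(f"{name:18}{rfc_status:18}{lenient[name]:12}{strict[name]}")
```

Only `lone_surrogate` still comes back "accepted" from both loaders: Python's parser keeps a lone `\ud800` as an unpaired surrogate, which will fail later if the string is encoded as UTF-8, and the table is exactly where such a remaining gap shows up. The same `CASES` dictionary can be pushed through any other library with a one-line wrapper, which is the cheapest way to see the kind of library-to-library divergence the talk describes before an untrusted payload does.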