You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<section><h2id="security">Security and Privacy</h2>
4075
4069
<p>
4076
4070
A detailed discussion of security and privacy considerations for the Web of Things, including a threat model that can be adapted to various circumstances, is
4077
-
presented in the informative document [[!WOT-SECURITY]].
4071
+
presented in the informative document [[!wot-security]].
4078
4072
This section discusses only security and privacy risks and possible mitigations
4079
4073
directly relevant to the scripts and WoT Scripting API.
4080
4074
</p>
4081
4075
<p>
4082
4076
A suggested set of best practices to improve security for WoT devices and
4083
-
services has been documented in [[!WOT-SECURITY]].
4077
+
services has been documented in [[!wot-security]].
4084
4078
That document may be updated as security measures evolve.
4085
4079
Following these practices does not guarantee security,
4086
4080
but it might help avoid commonly known vulnerabilities.
@@ -4122,7 +4116,7 @@ <h3>Corrupted Input Security and Privacy Risk</h3>
4122
4116
using WoT interface it exposes.
4123
4117
</p>
4124
4118
<dl><dt>Mitigation:</dt><dd>
4125
-
Implementors of this API SHOULD perform validation on all script inputs. In addition to input validation, <ahref="https://en.wikipedia.org/wiki/Fuzzing">fuzzing</a> should be used to verify that the input processing is done correctly. There are many tools and techniques in existence to do such validation. More details can be found in [[!WOT-SECURITY]].
4119
+
Implementors of this API SHOULD perform validation on all script inputs. In addition to input validation, <ahref="https://en.wikipedia.org/wiki/Fuzzing">fuzzing</a> should be used to verify that the input processing is done correctly. There are many tools and techniques in existence to do such validation. More details can be found in [[!wot-security]].
4126
4120
</dd></dl>
4127
4121
</section>
4128
4122
@@ -4151,7 +4145,7 @@ <h3>Provisioning and Update Security Risk</h3>
4151
4145
Post-manufacturing provisioning or update of scripts,
4152
4146
WoT Scripting Runtime or any related data should be done in a secure fashion.
4153
4147
A set of recommendations for secure update and post-manufacturing
A script instance may receive data formats defined by the TD, or data formats defined by the applications. While the WoT Scripting Runtime SHOULD perform validation on all input fields defined by the TD, scripts may be still exploited by input data.
4181
4175
</p>
4182
4176
<dl><dt>Mitigation:</dt><dd>
4183
-
Script developers should perform validation on all application defined script inputs. In addition to input validation, <ahref="https://en.wikipedia.org/wiki/Fuzzing">fuzzing</a> could be used to verify that the input processing is done correctly. There are many tools and techniques in existence to do such validation. More details can be found in [[!WOT-SECURITY]].
4177
+
Script developers should perform validation on all application defined script inputs. In addition to input validation, <ahref="https://en.wikipedia.org/wiki/Fuzzing">fuzzing</a> could be used to verify that the input processing is done correctly. There are many tools and techniques in existence to do such validation. More details can be found in [[!wot-security]].
4184
4178
</dd></dl>
4185
4179
</section>
4186
4180
@@ -4192,7 +4186,7 @@ <h3>Denial of Service (DoS) Security Risk</h3>
4192
4186
<dl><dt>Mitigation:</dt><dd>
4193
4187
Scripts should avoid heavy functional processing without prior successful
4194
4188
authentication of requestor. The set of recommended authentication mechanisms
0 commit comments