Article - CS326459
ThingWorx extension security
Modified: 17-Jun-2020
Applies To
- ThingWorx Platform 8.4 to 9.0
Description
- ThingWorx is a highly extensible Industrial IoT platform whose functionality can be enhanced with "custom" code (i.e. code not provided as part of the ThingWorx platform).
- This custom code can take several forms (see the Importing Extensions section of the ThingWorx Help Center for more detail).
- Among other methods, application logic in ThingWorx can be written in JavaScript, saved into the relevant entity and executed by the Rhino engine at runtime. This logic is commonly exported and transported via entity XML files.
- It is possible to accidentally introduce software vulnerabilities through custom JavaScript, or, when downloading XML files from unknown sources, to load malicious code into the ThingWorx platform through such extensions.
- Even some commonly used static analysis tools are unable to analyze JavaScript nested within an XML file.
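To address the last two points from the reviewing side, the following added example (not code from the article or from PTC) pulls the JavaScript out of an entity XML export into separate .js files so an ordinary JavaScript linter or static analyzer can inspect it before the file is imported. The element layout it assumes (a ServiceImplementation with handlerName="Script" whose "Script" configuration table row carries the code in a code element) is an assumption about the export format, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample export. The layout (ServiceImplementation with
# handlerName="Script", a "Script" configuration table, a <code> element)
# is an assumption about the entity XML format, not a documented schema.
SAMPLE_ENTITY_XML = """<Entities><Things>
<Thing name="DemoThing" thingTemplate="GenericThing">
<ServiceImplementations>
<ServiceImplementation name="GetStatus" handlerName="Script">
<ConfigurationTables><ConfigurationTable name="Script"><Rows><Row>
<code><![CDATA[var result = me.status;]]></code>
</Row></Rows></ConfigurationTable></ConfigurationTables>
</ServiceImplementation>
<ServiceImplementation name="RunText" handlerName="Script">
<ConfigurationTables><ConfigurationTable name="Script"><Rows><Row>
<code><![CDATA[var result = eval(text);]]></code>
</Row></Rows></ConfigurationTable></ConfigurationTables>
</ServiceImplementation>
</ServiceImplementations></Thing></Things></Entities>
"""

SCRIPT_XPATH = "./ConfigurationTables/ConfigurationTable[@name='Script']/Rows/Row/code"


def extract_scripts(xml_text):
    """Return {(entity_name, service_name): javascript} for every Script service."""
    root = ET.fromstring(xml_text)
    scripts = {}
    # Walk every element: any entity (Thing, ThingTemplate, ThingShape, ...)
    # that has a name and a ServiceImplementations child is a candidate.
    for entity in root.iter():
        impls = entity.find("ServiceImplementations")
        if impls is None or "name" not in entity.attrib:
            continue
        for impl in impls.findall("ServiceImplementation"):
            if impl.get("handlerName") != "Script":
                continue  # other handler types are not Rhino JavaScript
            code = impl.find(SCRIPT_XPATH)
            if code is not None and code.text:
                scripts[(entity.get("name"), impl.get("name"))] = code.text
    return scripts


def write_for_analysis(scripts, out_dir):
    """Write each service body as a standalone .js file for a linter to scan."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for (entity, service), js in scripts.items():
        path = out / f"{entity}__{service}.js"
        path.write_text(f"// source: {entity}.{service}\n{js}\n", encoding="utf-8")
        written.append(path)
    return written
```

The resulting files can be fed to whatever JavaScript static analysis tool the organisation already uses, which is what the XML wrapper otherwise prevents.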