Security

From WarfishWiki


JSON/Javascript Security

While there are probably countless JSON/Javascript exploits, Warfish will try to provide as secure a system as possible. Here are the two common exploits that are addressed:

Using cross-site scripting to retrieve information from Warfish. The perpetrator inserts some javascript code into a Warfish form, for example as their in-game handle. Then, when other players view this page, that piece of javascript code, now being served from the warfish.net domain, can steal information such as their cookie and transmit it (for example via an image src=) back to the perpetrator. This way the perpetrator could retrieve privileged information and/or log in to another user's account. Warfish addresses this exploit by encoding all user-supplied content before display. If you see a place where this is not happening, or have other suggestions regarding this, please contact support.
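The mitigation described above, encoding user-supplied text before it is placed in a page, as an added example in JavaScript. This is not Warfish's own code; the function names `escapeHtml` and `renderHandle` and the sample handle are constructed for illustration.

```javascript
// Added example (not Warfish's own code): HTML output encoding for
// user-supplied text such as an in-game handle, which is the defence the
// page describes against stored cross-site scripting.

// Characters that change meaning in HTML text or attribute-value context,
// mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string so the browser treats it as literal text.
// Ampersand is included so that already-encoded sequences cannot be
// smuggled through, and both quote characters are encoded so the same
// function is safe inside double- or single-quoted attribute values.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the fragment a profile page would emit for a player's handle.
// The handle appears both as text content and inside a title attribute;
// both positions go through escapeHtml before being concatenated.
function renderHandle(handle) {
  const safe = escapeHtml(handle);
  return `<span class="handle" title="${safe}">${safe}</span>`;
}

// Constructed sample: a handle that carries markup. After encoding, the
// browser displays the characters instead of interpreting them as a tag.
const SAMPLE_HANDLE = 'bob<script>alert(1)</script>';

console.log(renderHandle(SAMPLE_HANDLE));
```

The important point is that encoding happens at output time, in every context the value is written into; filtering or stripping tags at input time is not enough, because a stored value may later be rendered somewhere the filter did not anticipate.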

Using JSON and a link to a third-party website to tamper with an account. The perpetrator sets up a webpage that includes references to the Warfish cookie-authenticated JSON APIs. Then the perpetrator tricks an unsuspecting Warfish user into viewing the "bad webpage" (perhaps by sending it via email or posting it to an in-game message board). When the victim follows the link, the "bad webpage" makes JSON calls to Warfish which are properly authenticated using the victim's cookie (since the responses are served directly to the victim's browser), giving the bad webpage's javascript access to any of the data returned from the APIs. In the temporary auth scheme (see above) Warfish addresses this exploit by making the XML/JSON APIs available only on a user-by-user requested basis, so that the only people who are vulnerable to this exploit are those who have had their account enabled (be aware of this vulnerability when you request to have your account enabled). Once a proper auth scheme is set up using authenticated APPids, each user will have to explicitly give permission to each application they wish to have access to their information.

Please contact feedback if you are aware of other exploits that Warfish should address or if you notice other security problems.
