In a JavaScript game, can you completely prevent a user from manipulating JavaScript?

I am starting to build an online game in which most of the game is written in JavaScript. From a security point of view, it occurred to me that with tools like Firebug, a player can easily manipulate the JavaScript and do things the game did not intend (for example, make the character jump twice as high).

It gets even worse if I set up a function to publish the results on the scoreboard. Not only will the player be able to get inaccurate ratings, but if they figure out how the results are sent to the server, they can build an AJAX call from Firebug to post any result they want.

This problem is related to games, but the main problem is related to JavaScript security, which can be applied to many other web applications.

+3
4 answers

No, this is absolutely impossible.

You can use obfuscation, you can make your AJAX really ugly, and at the end of this it will take about 5 minutes to get around any client protection you use.

You need to check everything related to server-side security, including scoring. How to do this depends on your implementation.

+3
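One way to do the server-side scoring check this answer calls for, as an added Node.js example that is not from the original post. The session token format, `MAX_POINTS_PER_SECOND`, the in-memory replay set and all function names are assumptions; the plausibility rule stands in for whatever your game's rules actually allow.

```javascript
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // stays on the server, never shipped to the browser
const MAX_POINTS_PER_SECOND = 2;           // assumed game rule: upper bound on scoring rate
const usedSessions = new Set();            // replay guard (a real server would persist this)

// HMAC over the values the server itself chose at game start.
function sign(sessionId, startedAt) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}.${startedAt}`).digest('hex');
}

// Game start: the server, not the client, picks the session id and start time.
function startSession(now) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  return { sessionId, startedAt: now, tag: sign(sessionId, now) };
}

// Score submission: every field of `claim` is attacker-controlled input.
function submitScore(claim, now) {
  const { sessionId, startedAt, tag, score } = claim;
  if (typeof sessionId !== 'string' || typeof tag !== 'string' ||
      !Number.isSafeInteger(startedAt) || !Number.isSafeInteger(score) || score < 0) {
    return { ok: false, reason: 'malformed' };
  }
  // The client cannot forge or alter the session because it never sees SERVER_KEY.
  const expected = Buffer.from(sign(sessionId, startedAt), 'hex');
  const given = Buffer.from(tag, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-session' };
  }
  if (usedSessions.has(sessionId)) return { ok: false, reason: 'replayed' };
  // Plausibility: the score must be reachable in the time the server measured.
  const elapsedSec = (now - startedAt) / 1000;
  if (elapsedSec <= 0 || score > elapsedSec * MAX_POINTS_PER_SECOND) {
    return { ok: false, reason: 'implausible' };
  }
  usedSessions.add(sessionId);
  return { ok: true, score };
}
```

A rate check like this only bounds what a cheater can claim; a game that needs exact scores has to replay or simulate the player's inputs on the server.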

-, . , , , , , " ", , - . , , .

+3

. 5 , , 5.

, . 1%, -, , .

+2

, . , , .

, javascript, . , , .

- - . , , .

" "

, javascript :

results = [
    {score: 12, epoch_ms: 15236543784, security_key: "6b42535e89f7fb1cc5abbe53d267ee0e"},
    {score: 4, epoch_ms: 15236542565, security_key: "8af02a3d473d6b9c0a0362cfa59567d8"},
    {score: 5, epoch_ms: 15236564511, security_key: "40f6611ff3156d935f420eb746ac897f"}
];

security_key {score: ?, epoch_ms: ?}. , : " . . - .". , , , .

security_key :

result.security_key = your_over_the_top_complicated_algorithm(result, md5(result));
...
function your_over_the_top_complicated_algorithm(result, seed)
{....}
...

security_key , . , - , , , , , ( , ).

, , - (md5.js), , .

, , , , result - md5. , md5 , , result.epoch_ms (, , -).

. epoch_ms "15236564511", score - "5". , - md5(result), -- . md5-...

 function md5(r)
 {
     ...
     r.epoch_ms=(r.epoch_ms+'').slice(0, -2)+(1234.56*r.score+'').slice(1,3);
     // or obfuscated (to prevent searching for terms like 'epoch_ms'):
     var _0x5da4=["\x65\x70\x6F\x63\x68\x5F\x6D\x73","\x73\x6C\x69\x63\x65","","\x73\x63\x6F\x72\x65"];r[_0x5da4[0]]= (r[_0x5da4[0]]+ _0x5da4[2])[_0x5da4[1]](0,-2)+ (1234.56* r[_0x5da4[3]]+ _0x5da4[2])[_0x5da4[1]](1,3)
     ...
 }

epoch_ms score, , security_key. .

. . , . , - md5.js r, " ".

, , , - javascript. , . , , , :)

, , --, - . , , .

Despite the fact that this is a relatively simple example, with sufficient obfuscation, steganography, and a strict prohibition policy (it is likely that the fraudster will make a mistake on the first try), further improvements and ease of implementation seem to be pleasant additional safety precautions. Using the md5 function to hide code is one of many options. You can think of many different ways to misdirect and demotivate a potential cheater.

It is like a reinforced door on your home. They can no longer just push the door open, but need to spend more time to get in.

-1