473,721 Members | 2,067 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Javascript in the address bar

I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(val ue)

This is then queried against the top score for the day and if it is
higher than this is stored as the new highest score.

The problem is, I have discovered it is possible to hack this page by
writing

javascript:reco rdScore(12345)

(for example) in the address bar of the page.

Can anyone suggest a workaround to prevent this hack?

The page HTML is similar to that below

<html>
<head>
<script>
function recordScore(val ue)
{
if(value>m_intH ighScore)
{ recordNewHighSc ore(value) }
}
</script>
</head>
<body>
<object>
<!-- This is where the flash movie lives
This movie spits out the recordScore()
command when the user finishes. -->
</object>
</body>
</html>
Jul 20 '05 #1
7 22069
Andy Happ wrote:
I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(val ue)

This is then queried against the top score for the day and if it is
higher than this is stored as the new highest score.

The problem is, I have discovered it is possible to hack this page by
writing

javascript:reco rdScore(12345)

(for example) in the address bar of the page.

Can anyone suggest a workaround to prevent this hack?

Dump JavaScript and use either POST (although that's easily hacked as
well, you probably want to generate some unique code on the server for
each possible score upload and send that back to the server along with
the result) or XML sockets (quite a fancy Flash feature, of course you
will have to write server support for that) to make communication a bit
'more secure'...

Cheers,

Guido

Jul 20 '05 #2
ha*******@hotma il.com (Andy Happ) writes:
I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(val ue) .... The problem is, I have discovered it is possible to hack this page by
writing

javascript:reco rdScore(12345) Can anyone suggest a workaround to prevent this hack?


Not that works, no.

Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #3
> > Can anyone suggest a workaround to prevent this hack?

Not that works, no.

Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.

/L


How about have a javascript call which is simply recordScore() - this
would not pass an argument.

Inside the javascript recordScore() method this would could call the
Flash movie requesting a property LatestScore() which returned an
integer.

You'd then POST the data, querying the referrer page at the target
page?

Would that work?
Jul 20 '05 #4
ha*******@hotma il.com (Andy Happ) writes:
Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.
How about

.... Would that work?


At some point you send a score to the server. At that point, or some
time before, I can change what is being sent. It is harder to cheat if
everything is handled inside the flash code, but someone with
sufficient knowledge about flash and some good tools would still be
able to change the program. After all, it runs on his computer, in
his browser, and completely at his mercy.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #5
Lasse Reichstein Nielsen <lr*@hotpop.com > wrote in message
Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.


How about

...
Would that work?


At some point you send a score to the server. At that point, or some
time before, I can change what is being sent...After all, it runs on his computer, in
his browser, and completely at his mercy.

/L


Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.

////////////////
// 1. Old method
// Score was passed from the movie into the
// Javascript through an FSCommand event
function recordScore(sco re)
{
// we now check score to see if it is the highest
// if so, we pass it to the .asp page which deals
// recording it.
}

////////////////
// 2. New method
// Flash movie simply calls the recordScore
// method - it does NOT pass the score up
function recordScore()
{
// now we query the flash movie to see what the score was
var score;
score = document.getEle mentById("objFl ashMovie").getV ariable("LastSc ore");
// now we have the score and we pass this to the .asp
// page. NOTE that we query the referrer page here as a further
precaution.
}
Jul 20 '05 #6
ha*******@hotma il.com (Andy Happ) writes:
Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.
Try two minutes :)

Is this function in the page?

Because then I just press Alt-F3 to edit the source directly in the
cache, (e.g., "score="1594323 ;") save, and press Alt-V F to refresh
the browser window with my changes.

It will still be the same page, have the same URL, etc. It's just not
the code you expect.
function recordScore()
{
// now we query the flash movie to see what the score was
var score;
score = document.getEle mentById("objFl ashMovie").getV ariable("LastSc ore");


This function is a liability. I can change it to anything I want.

You can't trust the client! Any code you send to it can be changed.
Any code visible in the HTML file is trivial to change. If you put the
connection into the Flash file, then it'll be harder to hack (I
wouldn't be able to do it immediately, since I know nothing about
Flash).

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #7
> > Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.


Try two minutes :)


After showing Lasse the page in question in an another email to this
thread, he very quickly showed me THREE alternative hacks! Quickly
clocking up the highest score.

I stand corrected. My suggestion in my previous post made it
*slightly* more secure - but still badly insecure nevertheless.

Ah well, nevermind.
Jul 20 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
50897
by: Doug van Vianen | last post by:
I recently found the following JavaScript code which is supposed to let one find then use the ip address of the person accessing the web page containing the script. <SCRIPT LANGUAGE="JavaScript"> <!-- var ip = '<!--#echo var="REMOTE_ADDR"-->'; function ipval() { document.myform.ipadd.value=ip;
1
2703
by: lawrence | last post by:
This PHP function prints out a bunch of Javascript (as you can see). This is all part of the open source weblog software of PDS (www.publicdomainsoftware.org). We had this javascript stuff working, but it only worked for IE. You can see a working version here: http://www.publicpen.com/designer/mcControlPanel.php username: designer password: designer123 However, I've tried to rewrite this so it would work in all browsers,
4
7295
by: Steph | last post by:
Hello, Can someone tell me the script to use for having a change on the same page when using checkbox function ? For example, i would to check one condition and display dynamically a button if the condition is checked on the same page. Thanks in advance for your help
5
1863
by: Tony Strazzeri | last post by:
Hi all, I a fairly new to html and Javascripting. I have been trying to write some code to hide my email address from spam harvesters. I copied the code from various web examples and modified it to suit me. The code to generate the address is in a js include file. I am using frontpage 2003 to create my web pages. My problem is that the code works OK when I test it using Frontpage's 'Preview' but does not work when I display the page...
4
5186
by: web_design | last post by:
I put this together from some other scripts I am using on a site. I'm trying to make a better email hiding script. It isn't working. Also, it causes Internet Explorer 6 SP2 to block the script as "active content". :( The idea is that if the user doesn't have JavaScript enabled, they will see an image of the email address (that can't be read by email harvesting programs). If JavaScript is enabled, the image will be hidden and the...
7
21310
by: Privacy Advocate | last post by:
//crossposted to: comp.lang.javascript, alt.comp.lang.javascript in an effort to get factual answers from JavaScript experts// Simply put; Is it possible to obtain the real (actual) IP address of someone (client) that visits a web site through an anonymous proxy if this person ONLY has JavaScript enabled in their browser? This is NOT a question about PHP, perl, VBScript, Java(.class), or ActiveX. Let us _only_ deal with JavaScript for...
4
3513
by: John Boy | last post by:
Hi, Can anyone help. This is really doing my nut in. 3 years ASP exp. and now doing .DOT which is a step in the wrong direction. Basically I am left with the code of a guy who has left. When I click a button on a pop-up window the javascript for that button click does a 'button.form.submit'. On the Server side there is a Button click event for this button, but for some reason it no longer fires. It worked fine before and everything...
1
5270
by: cemcat | last post by:
Hello, We have an ASP.NET 2.0 (C#) web form that contains a textbox for users to enter multiple e-mail addresses separated by semicolons. We need to validate that each individual e-mail address entered is a valid e-mail address format. We've added a CustomValidator to perform this validation. We have the server-side validation working fine, but now we need to add some client-side validation via JavaScript. We are having difficulties...
3
2380
by: bloc | last post by:
I am programming an interactive CV using xml, xslt and java script. The page consists of a header which contains links to various 'sections' on the xml cv, a left and right menu, and a central panel. The central panel is intended to display the main content of the cv: when an anchor is selected from the header then the detail is supposed to appear. The javascript is supposed to select the appropriate section 'onclick' and output it....
5
2938
by: Nike1984 | last post by:
I'm fairly new to Javascript and it's more of a guessing game for me... I'm trying to build an app for Google Maps and just had some issues recently. First off I just wanted to say that everything works fine in FF and IE. It's Chrome I'm having issues with. I understand that Chrome is still somewhat in beta stages, so some bugs might occur. However this seems like something I might have done. So... I used a code that I found on Econym as...
0
8736
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9373
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9227
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
6676
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5992
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4497
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4761
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
3206
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2590
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.