
Javascript in the address bar

I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(value)

This is then queried against the top score for the day and if it is
higher than this it is stored as the new highest score.

The problem is, I have discovered it is possible to hack this page by
writing

javascript:recordScore(12345)

(for example) in the address bar of the page.

Can anyone suggest a workaround to prevent this hack?

The page HTML is similar to that below

<html>
<head>
<script>
function recordScore(value)
{
  if(value>m_intHighScore)
  { recordNewHighScore(value) }
}
</script>
</head>
<body>
<object>
<!-- This is where the flash movie lives
This movie spits out the recordScore()
command when the user finishes. -->
</object>
</body>
</html>
Jul 20 '05 #1
Andy Happ wrote:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value)
>
> This is then queried against the top score for the day and if it is
> higher than this it is stored as the new highest score.
>
> The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345)
>
> (for example) in the address bar of the page.
>
> Can anyone suggest a workaround to prevent this hack?

Dump JavaScript and use either POST (although that's easily hacked as
well, you probably want to generate some unique code on the server for
each possible score upload and send that back to the server along with
the result) or XML sockets (quite a fancy Flash feature, of course you
will have to write server support for that) to make communication a bit
'more secure'...

Cheers,

Guido

Jul 20 '05 #2
ha*******@hotmail.com (Andy Happ) writes:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value) .... The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345) Can anyone suggest a workaround to prevent this hack?


Not that works, no.

Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #3
> > Can anyone suggest a workaround to prevent this hack?
>
> Not that works, no.
>
> Anything the game can do, the user can simulate. That is the most
> fundamental rule of client-server games: You can't trust the client.
>
> /L


How about have a javascript call which is simply recordScore() - this
would not pass an argument.

Inside the javascript recordScore() method this could call the
Flash movie requesting a property LatestScore() which returned an
integer.

You'd then POST the data, querying the referrer page at the target
page?

Would that work?
Jul 20 '05 #4
ha*******@hotmail.com (Andy Happ) writes:
> > Anything the game can do, the user can simulate. That is the most
> > fundamental rule of client-server games: You can't trust the client.
> How about
>
> .... Would that work?


At some point you send a score to the server. At that point, or some
time before, I can change what is being sent. It is harder to cheat if
everything is handled inside the flash code, but someone with
sufficient knowledge about flash and some good tools would still be
able to change the program. After all, it runs on his computer, in
his browser, and completely at his mercy.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #5
Lasse Reichstein Nielsen <lr*@hotpop.com> wrote in message
> > > Anything the game can do, the user can simulate. That is the most
> > > fundamental rule of client-server games: You can't trust the client.
>
> > How about
> >
> > ...
> > Would that work?
>
> At some point you send a score to the server. At that point, or some
> time before, I can change what is being sent...After all, it runs on his computer, in
> his browser, and completely at his mercy.
>
> /L


Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.

////////////////
// 1. Old method
// Score was passed from the movie into the
// Javascript through an FSCommand event
function recordScore(score)
{
  // we now check score to see if it is the highest
  // if so, we pass it to the .asp page which deals
  // with recording it.
}

////////////////
// 2. New method
// Flash movie simply calls the recordScore
// method - it does NOT pass the score up
function recordScore()
{
  // now we query the flash movie to see what the score was
  var score;
  score = document.getElementById("objFlashMovie").getVariable("LastScore");
  // now we have the score and we pass this to the .asp
  // page. NOTE that we query the referrer page here as a further
  // precaution.
}
Jul 20 '05 #6
ha*******@hotmail.com (Andy Happ) writes:
> Well thanks for all of your comments chaps, in the end I *have* solved
> the original hack. Whether this is rock solid or whether I'll get
> hacked 2 months down the line time will tell.
Try two minutes :)

Is this function in the page?

Because then I just press Alt-F3 to edit the source directly in the
cache, (e.g., "score=1594323;") save, and press Alt-V F to refresh
the browser window with my changes.

It will still be the same page, have the same URL, etc. It's just not
the code you expect.
> function recordScore()
> {
> // now we query the flash movie to see what the score was
> var score;
> score = document.getElementById("objFlashMovie").getVariable("LastScore");


This function is a liability. I can change it to anything I want.

You can't trust the client! Any code you send to it can be changed.
Any code visible in the HTML file is trivial to change. If you put the
connection into the Flash file, then it'll be harder to hack (I
wouldn't be able to do it immediately, since I know nothing about
Flash).

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #7
> > Well thanks for all of your comments chaps, in the end I *have* solved
> > the original hack. Whether this is rock solid or whether I'll get
> > hacked 2 months down the line time will tell.
>
> Try two minutes :)


After showing Lasse the page in question in another email to this
thread, he very quickly showed me THREE alternative hacks, quickly
clocking up the highest score.

I stand corrected. My suggestion in my previous post made it
*slightly* more secure - but still badly insecure nevertheless.

Ah well, nevermind.
Jul 20 '05 #8
