
Javascript in the address bar

I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(value)

This is then queried against the top score for the day and if it is
higher than this is stored as the new highest score.

The problem is, I have discovered it is possible to hack this page by
writing

javascript:recordScore(12345)

(for example) in the address bar of the page.

Can anyone suggest a workaround to prevent this hack?

The page HTML is similar to that below

<html>
<head>
<script>
function recordScore(value)
{
    if (value > m_intHighScore)
    {
        recordNewHighScore(value);
    }
}
</script>
</head>
<body>
<object>
<!-- This is where the flash movie lives
     This movie spits out the recordScore()
     command when the user finishes. -->
</object>
</body>
</html>
Jul 20 '05 #1
Andy Happ wrote:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value)
>
> This is then queried against the top score for the day and if it is
> higher than this is stored as the new highest score.
>
> The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345)
>
> (for example) in the address bar of the page.
>
> Can anyone suggest a workaround to prevent this hack?

Dump JavaScript and use either POST (although that's easily hacked as
well, you probably want to generate some unique code on the server for
each possible score upload and send that back to the server along with
the result) or XML sockets (quite a fancy Flash feature, of course you
will have to write server support for that) to make communication a bit
'more secure'...

Cheers,

Guido

Jul 20 '05 #2
ha*******@hotmail.com (Andy Happ) writes:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value)
> ....
> The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345)
>
> Can anyone suggest a workaround to prevent this hack?


Not that works, no.

Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #3
> > Can anyone suggest a workaround to prevent this hack?
>
> Not that works, no.
>
> Anything the game can do, the user can simulate. That is the most
> fundamental rule of client-server games: You can't trust the client.
>
> /L


How about have a javascript call which is simply recordScore() - this
would not pass an argument.

Inside the javascript recordScore() method this would call the
Flash movie requesting a property LatestScore() which returned an
integer.

You'd then POST the data, querying the referrer page at the target
page?

Would that work?
Jul 20 '05 #4
ha*******@hotmail.com (Andy Happ) writes:
> > Anything the game can do, the user can simulate. That is the most
> > fundamental rule of client-server games: You can't trust the client.
>
> How about
>
> ....
> Would that work?


At some point you send a score to the server. At that point, or some
time before, I can change what is being sent. It is harder to cheat if
everything is handled inside the flash code, but someone with
sufficient knowledge about flash and some good tools would still be
able to change the program. After all, it runs on his computer, in
his browser, and completely at his mercy.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #5
Lasse Reichstein Nielsen <lr*@hotpop.com> wrote in message
> > > Anything the game can do, the user can simulate. That is the most
> > > fundamental rule of client-server games: You can't trust the client.
> >
> > How about
> >
> > ...
> > Would that work?
>
> At some point you send a score to the server. At that point, or some
> time before, I can change what is being sent...After all, it runs on his computer, in
> his browser, and completely at his mercy.
>
> /L


Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.

////////////////
// 1. Old method
// Score was passed from the movie into the
// Javascript through an FSCommand event
function recordScore(score)
{
    // we now check score to see if it is the highest
    // if so, we pass it to the .asp page which deals
    // recording it.
}

////////////////
// 2. New method
// Flash movie simply calls the recordScore
// method - it does NOT pass the score up
function recordScore()
{
    // now we query the flash movie to see what the score was
    var score;
    score = document.getElementById("objFlashMovie").getVariable("LastScore");
    // now we have the score and we pass this to the .asp
    // page. NOTE that we query the referrer page here as a further
    // precaution.
}
Jul 20 '05 #6
ha*******@hotmail.com (Andy Happ) writes:
> Well thanks for all of your comments chaps, in the end I *have* solved
> the original hack. Whether this is rock solid or whether I'll get
> hacked 2 months down the line time will tell.

Try two minutes :)

Is this function in the page?

Because then I just press Alt-F3 to edit the source directly in the
cache, (e.g., "score="1594323;") save, and press Alt-V F to refresh
the browser window with my changes.

It will still be the same page, have the same URL, etc. It's just not
the code you expect.
> function recordScore()
> {
> // now we query the flash movie to see what the score was
> var score;
> score = document.getElementById("objFlashMovie").getVariable("LastScore");


This function is a liability. I can change it to anything I want.

You can't trust the client! Any code you send to it can be changed.
Any code visible in the HTML file is trivial to change. If you put the
connection into the Flash file, then it'll be harder to hack (I
wouldn't be able to do it immediately, since I know nothing about
Flash).

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #7
> > Well thanks for all of your comments chaps, in the end I *have* solved
> > the original hack. Whether this is rock solid or whether I'll get
> > hacked 2 months down the line time will tell.
>
> Try two minutes :)


After showing Lasse the page in question in another email to this
thread, he very quickly showed me THREE alternative hacks! Quickly
clocking up the highest score.

I stand corrected. My suggestion in my previous post made it
*slightly* more secure - but still badly insecure nevertheless.

Ah well, never mind.
Jul 20 '05 #8
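
Added example, not code from any poster in this thread: a server-side sketch of the per-upload unique code suggested in post #2, combined with a plausibility limit, since posts #3 to #7 establish that whatever score the client reports may be forged. The function names, the in-memory store and both limits are assumptions for a hypothetical game.

```javascript
// Added example: every name and limit here is an assumption, not the site's code.
const crypto = require('crypto');

const MAX_POINTS_PER_SECOND = 50;  // assumed: fastest a legitimate player can score
const MAX_GAME_SECONDS = 15 * 60;  // assumed: longest legitimate game

const openGames = new Map();       // token -> { player, startedAt }
let highScore = 0;

// The server issues the unique code when a game starts; the client only echoes it.
function startGame(player, now = Date.now()) {
  const token = crypto.randomBytes(16).toString('hex');
  openGames.set(token, { player, startedAt: now });
  return token;
}

// Score upload handler. The submitted score is untrusted input.
function submitScore(player, token, score, now = Date.now()) {
  const game = openGames.get(token);
  if (!game || game.player !== player) {
    return { ok: false, reason: 'unknown-token' };
  }
  // Single use, consumed even when the upload is rejected, so one started
  // game yields at most one upload and a captured request cannot be replayed.
  openGames.delete(token);

  if (!Number.isInteger(score) || score < 0) {
    return { ok: false, reason: 'bad-score' };
  }
  const elapsed = (now - game.startedAt) / 1000;
  if (elapsed > MAX_GAME_SECONDS) {
    return { ok: false, reason: 'expired' };
  }
  // The server cannot know the real score; it can only refuse values that
  // could not have been earned in the time it measured itself.
  if (score > Math.ceil(elapsed * MAX_POINTS_PER_SECOND)) {
    return { ok: false, reason: 'implausible' };
  }
  if (score > highScore) highScore = score;
  return { ok: true, reason: 'accepted' };
}

function currentHighScore() {
  return highScore;
}
```

This bounds what a forged upload can claim; it does not prove the game was played, which is the limit the thread arrives at.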
