Javascript in the address bar

I have a website which includes a Flash game. Upon the game ending the
Flash object fires off the javascript method:

recordScore(value)

This is then queried against the top score for the day and if it is
higher than this is stored as the new highest score.

The problem is, I have discovered it is possible to hack this page by
writing

javascript:recordScore(12345)

(for example) in the address bar of the page.

Can anyone suggest a workaround to prevent this hack?

The page HTML is similar to that below

<html>
<head>
<script>
function recordScore(value)
{
    if(value>m_intHighScore)
    { recordNewHighScore(value) }
}
</script>
</head>
<body>
<object>
<!-- This is where the flash movie lives
     This movie spits out the recordScore()
     command when the user finishes. -->
</object>
</body>
</html>
Jul 20 '05 #1
Andy Happ wrote:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value)
>
> This is then queried against the top score for the day and if it is
> higher than this is stored as the new highest score.
>
> The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345)
>
> (for example) in the address bar of the page.
>
> Can anyone suggest a workaround to prevent this hack?

Dump JavaScript and use either POST (although that's easily hacked as
well, you probably want to generate some unique code on the server for
each possible score upload and send that back to the server along with
the result) or XML sockets (quite a fancy Flash feature, of course you
will have to write server support for that) to make communication a bit
'more secure'...

Cheers,

Guido

Jul 20 '05 #2
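
Added example, not part of the original thread: one way to realise the server-generated per-upload code that the reply above describes, written as Node.js server logic rather than the poster's ASP. The names `startGame`, `submitScore`, the session id parameter and the points-per-second ceiling are assumptions; the check rejects replayed tickets and implausible values, but the score itself still comes from the client.

```javascript
// Added example (not from the thread). All names and limits are assumptions.
const crypto = require("crypto");

const MAX_POINTS_PER_SECOND = 50;        // assumed game-specific ceiling
const TICKET_TTL_MS = 30 * 60 * 1000;    // assumed maximum game length
const tickets = new Map();               // ticket -> { sessionId, issuedAt }

// Called when the server renders the game page: issue an unguessable,
// single-use ticket tied to the player's session and the start time.
function startGame(sessionId, now = Date.now()) {
  const ticket = crypto.randomBytes(16).toString("hex");
  tickets.set(ticket, { sessionId, issuedAt: now });
  return ticket;
}

// Called by the score-upload POST handler. Every check runs on the server,
// so editing the page or typing javascript: in the address bar cannot skip it.
function submitScore(sessionId, ticket, score, now = Date.now()) {
  const entry = tickets.get(ticket);
  if (!entry) return { ok: false, reason: "unknown-or-used-ticket" };
  tickets.delete(ticket);                // one upload per ticket, no replays

  if (entry.sessionId !== sessionId) return { ok: false, reason: "wrong-session" };

  const elapsedMs = now - entry.issuedAt;
  if (elapsedMs > TICKET_TTL_MS) return { ok: false, reason: "expired" };

  if (!Number.isInteger(score) || score < 0) return { ok: false, reason: "bad-score" };

  // Plausibility bound: a score cannot exceed what the elapsed time allows.
  const ceiling = Math.floor((elapsedMs / 1000) * MAX_POINTS_PER_SECOND);
  if (score > ceiling) return { ok: false, reason: "implausible-score" };

  return { ok: true, score };
}
```
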
ha*******@hotmail.com (Andy Happ) writes:
> I have a website which includes a Flash game. Upon the game ending the
> Flash object fires off the javascript method:
>
> recordScore(value)

....

> The problem is, I have discovered it is possible to hack this page by
> writing
>
> javascript:recordScore(12345)
>
> Can anyone suggest a workaround to prevent this hack?


Not that works, no.

Anything the game can do, the user can simulate. That is the most
fundamental rule of client-server games: You can't trust the client.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #3
> > Can anyone suggest a workaround to prevent this hack?
>
> Not that works, no.
>
> Anything the game can do, the user can simulate. That is the most
> fundamental rule of client-server games: You can't trust the client.
>
> /L


How about have a javascript call which is simply recordScore() - this
would not pass an argument.

Inside the javascript recordScore() method this would call the
Flash movie requesting a property LatestScore() which returned an
integer.

You'd then POST the data, querying the referrer page at the target
page?

Would that work?
Jul 20 '05 #4
ha*******@hotmail.com (Andy Happ) writes:
> > Anything the game can do, the user can simulate. That is the most
> > fundamental rule of client-server games: You can't trust the client.
>
> How about
>
> ....
>
> Would that work?


At some point you send a score to the server. At that point, or some
time before, I can change what is being sent. It is harder to cheat if
everything is handled inside the flash code, but someone with
sufficient knowledge about flash and some good tools would still be
able to change the program. After all, it runs on his computer, in
his browser, and completely at his mercy.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #5
Lasse Reichstein Nielsen <lr*@hotpop.com> wrote in message
> > > Anything the game can do, the user can simulate. That is the most
> > > fundamental rule of client-server games: You can't trust the client.
> >
> > How about
> >
> > ...
> > Would that work?
>
> At some point you send a score to the server. At that point, or some
> time before, I can change what is being sent... After all, it runs on his computer, in
> his browser, and completely at his mercy.
>
> /L


Well thanks for all of your comments chaps, in the end I *have* solved
the original hack. Whether this is rock solid or whether I'll get
hacked 2 months down the line time will tell.

////////////////
// 1. Old method
// Score was passed from the movie into the
// Javascript through an FSCommand event
function recordScore(score)
{
    // we now check score to see if it is the highest
    // if so, we pass it to the .asp page which deals
    // recording it.
}

////////////////
// 2. New method
// Flash movie simply calls the recordScore
// method - it does NOT pass the score up
function recordScore()
{
    // now we query the flash movie to see what the score was
    var score;
    score = document.getElementById("objFlashMovie").getVariable("LastScore");
    // now we have the score and we pass this to the .asp
    // page. NOTE that we query the referrer page here as a further
    // precaution.
}
Jul 20 '05 #6
ha*******@hotmail.com (Andy Happ) writes:
> Well thanks for all of your comments chaps, in the end I *have* solved
> the original hack. Whether this is rock solid or whether I'll get
> hacked 2 months down the line time will tell.

Try two minutes :)

Is this function in the page?

Because then I just press Alt-F3 to edit the source directly in the
cache, (e.g., "score=1594323;") save, and press Alt-V F to refresh
the browser window with my changes.

It will still be the same page, have the same URL, etc. It's just not
the code you expect.

> function recordScore()
> {
> // now we query the flash movie to see what the score was
> var score;
> score = document.getElementById("objFlashMovie").getVariable("LastScore");


This function is a liability. I can change it to anything I want.

You can't trust the client! Any code you send to it can be changed.
Any code visible in the HTML file is trivial to change. If you put the
connection into the Flash file, then it'll be harder to hack (I
wouldn't be able to do it immediately, since I know nothing about
Flash).

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
Jul 20 '05 #7
> > Well thanks for all of your comments chaps, in the end I *have* solved
> > the original hack. Whether this is rock solid or whether I'll get
> > hacked 2 months down the line time will tell.
>
> Try two minutes :)


After showing Lasse the page in question in another email to this
thread, he very quickly showed me THREE alternative hacks! Quickly
clocking up the highest score.

I stand corrected. My suggestion in my previous post made it
*slightly* more secure - but still badly insecure nevertheless.

Ah well, never mind.
Jul 20 '05 #8
