
So I have this game that is completely run on the client. No server interaction whatsoever apart from downloading the initial scripts to play the game. Anyway, at the end of the game I would like the client to send me back the scores, which should be updated in the server database. Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered. But I would like to know to what level I can modify the whole process so that it virtually becomes pretty infeasible for the hacker to manipulate the data which is being sent. For sure I would not like the score to be sent as plain text from the client machine, and I don't want my server to perform a complex decryption algorithm. What is the best way, hence, to achieve a considerable amount of security so that every Tom, Dick and Harry doesn't hack the scores... I hope someone could provide a nice little way that I could work on... :) Thanks

So my ideal result should be -> have trusted result from a calculation (of score) made by an untrusted party (the player)!

-Edit-

Someone told me something about hiding the data in a picture GET request. Like, I am implementing this game on canvas (HTML5). So he asked me, at the end of the game, to fetch a game-over image from my server, and the request should contain the hashed score. I did not exactly understand the complete process, but if you could explain it, I would be really glad! :)

coda^ so you can mask the requests nicely

shouvik how do I do it!?

coda^ you can compose the checksum you want to submit. like 12312312a12313a232 is your md5 which contains the score. bring in an asset into the canvas like

coda^ server/images/md5_hash_of_score/congratulations.png

coda^ which you can rewrite server side via htaccess

asked Jan 19, 2011 at 8:32 by Shouvik; edited Jun 20, 2020 at 9:12 by CommunityBot
  • This is more or less the same problem as stackoverflow.com/questions/1901352/… – Quentin Commented Jan 19, 2011 at 8:53
  • @David, no, this is pretty different! I have no problems with him trying to screw with my game as he plays it alone.. So let him do whatever the hell he would like to. If he messed with the scoring, I have an adaptive algo on my server which checks if the score can be reasonably achieved; if not, USER IS BANNED! But I would not like it to be too easy, like just modding the ajax post... – Shouvik Commented Jan 19, 2011 at 9:05

5 Answers


You seem to know this already, but just to stress; you cannot stop someone doing this; you can only make it as hard as possible!

Assume you currently submit the score as:

/submit_score.php?score=5

Someone watching in Firebug can easily distinguish where the score is submitted, and alter it. submit_score.php gives it away, as does the name of the parameter. The score is an easily distinguishable integer.

  1. Change the end point: /interaction.php?score=5
  2. Change the parameter name: /interaction.php?a=5

It's getting harder for the user to work out what is going on.

Now you can make the score harder (again, harder, not impossible) to change. First, you can encrypt it (obviously you'll need to be able to decrypt it later).

  1. Base 64 encode it.
  2. Numbers -> Letters (1=a, 2=b, etc).
  3. Reverse the order of the score representation.

You name it, you do it. So you now have interaction.php?a=e.

The next thing you can do is hash the score with something else. Send the hash with the score, and recalculate it on the server. For example, md5() the score with a random string, and send the score (encoded), the string, and the hash in the request:

/interaction.php?a=e&str=abcde&hash=123456789abcefbc

When the request hits the server, do:

if (md5($_GET['a'] . $_GET['str']) !== $_GET['hash']) exit;

Obviously people can (relatively) easily go through your JavaScript code and see what's going on; so make it harder for them there. Minify and Obfuscate the code.

If you make it hard enough for someone, they're going to try to understand your JavaScript, try using Firebug, not understand what's going on, and not bother, for the sake of getting a few extra points on your game.

Use something like OAuth to authorize the request from client to server. The header contains a token which matches the body of the request. If these two don't match, then discard the request. No need to decrypt at the server side; instead encrypt the body and check whether the result obtained at the server side and the token match, to find out if the body was modified.

"Now I have come to accept the fact that there is no way on earth I can hide this from a hacker and send the scores unaltered."

Oh yes, there is!

You can use RSA or any other public key encryption method (also called asymmetric cryptography).

Create a set of (public and private) keys for the server. Have your client code include your server's public key.

At the end of the game, the client code encrypts the score (with this key) and sends both (plain score and encrypted score) to the server.

The server decrypts and checks if the plain score and the decrypted one are the same. If yes, accept the score. If not, reject (there's a hacker or network error in the middle).

-------UPDATE-----------CORRECTION--------------

As Ambrosia pointed out, my approach fails completely with this kind of attack.

What you actually want is to have a trusted result from a calculation (of score) made by an untrusted party (the player). No easy way to achieve this.

See this: http://coltrane.wiwi.hu-berlin.de/~fis/texts/2003-profit-untrust.pdf

Also this one: http://www.cse.psu.edu/~snarayan/publications/secureputation.pdf

And this (which needs a subscription to the ACM digital library): http://portal.acm.org/citation.cfm?id=643477.643479

Can you use Ajax to send the score (and any identifiers) to the server? Unless they have something like Firebug open they won't see it happening.

var url = '/savescores.asp?userID=fredsmith&score=1098';
var request = new XMLHttpRequest(); // stands in for the createRequest() helper of the original snippet
request.open('GET', url, true);
request.send(null);

Make the client send you the credentials (or some sort of session information in case you don't have logon credentials) and do that over SSL (https). This way you have both authentication and integrity control. Very easy and extremely lightweight for both server and client.

Tags: Safest way to update game score from client to server database; Javascript; Stack Overflow