2

After working strenuously on a project using AJAX + PHP designing a matching quiz game, I learned that the learning suite that my company uses to distribute its products does not let me run server-side scripts on the backend to check answers securely. This is all due to an unfortunate hierarchical autocracy.

Long story short, I have to somehow check answers on the client side (or figure out something tricky). Luckily, I have been able to upload jQuery to the local folder structure so I can use that.

What is the most secure method for checking clients' answers on the client-side? Or is there some way to reference an external file...like an XML file or something, to check the answers more securely?

Don
freedomflyer
  • The browser user has complete control of what happens there. **Complete** control. The only way to securely carry out any sort of verification is on a secured server. – Pointy Aug 02 '12 at 16:14
  • So you wrote it in PHP - but you can't use PHP. Is the tag necessary? – Mike B Aug 02 '12 at 16:15
  • I'm just curious, what are the consequences if somebody cheats on a matching quiz game? Will anything bad actually happen? – Peter Olson Aug 02 '12 at 16:22
  • @PeterOlson yes - for obvious reasons cheating is bad both for the student and our company. – freedomflyer Aug 02 '12 at 16:27

2 Answers

5

OK, if you really want and need to do everything in JS, here is how I would do it:

  • Don't store the right answers as plaintext, use some sort of hashing.
  • Hide the answers object and the hash function in a closure so that they can't be called via the browser's js console.
  • Add some asynchronous part in the checking process, e.g. a simple timeout. Use that throttling code against bruteforcing the form by programmatically checking answers and looking for the result objects.
  • Obfuscate the code. Security through obscurity is never a good concept, but it could prevent eventual hackers from directly copying the relevant parts out of your code.

However, it still is unclear how you send the results to the server to store them. If that part can easily be faked, you are lost.

Community
Bergi
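The first three points of the answer above (hashed answers, closure-held state, throttled checking), sketched as an added example that is not part of the original answer or of any poster's code. All names, the salt and the quiz data are constructed; Node's `crypto.createHash` stands in for the browser's `crypto.subtle.digest` so the block runs offline, and the throttle is a minimum-interval check with an injectable clock rather than a literal `setTimeout`.

```javascript
const { createHash } = require('crypto');

// Salted, per-question digest. Binding the question id into the input means
// two questions with the same answer do not share a digest.
function digest(salt, qid, answer) {
  const normalized = String(answer).trim().toLowerCase();
  return createHash('sha256').update(`${salt}|${qid}|${normalized}`).digest('hex');
}

// Authoring-time step, run offline and not shipped with the quiz:
// turns the plaintext answer key into a table of digests.
function buildTable(salt, plain) {
  return Object.fromEntries(
    Object.entries(plain).map(([qid, a]) => [qid, digest(salt, qid, a)])
  );
}

// Shipped part: the table, the salt and the attempt timestamp are closure
// variables, so the only thing reachable from outside is check().
// On a real page this whole file would sit inside one IIFE so that digest()
// is not a global either.
function makeChecker(table, salt, minDelayMs, now = Date.now) {
  let last = -Infinity; // time of the last accepted attempt
  return function check(qid, answer) {
    const t = now();
    if (t - last < minDelayMs) return 'throttled'; // too soon after the last try
    last = t;
    if (!Object.prototype.hasOwnProperty.call(table, qid)) return 'unknown';
    return digest(salt, qid, answer) === table[qid] ? 'correct' : 'wrong';
  };
}

// Constructed sample data (hypothetical two-question quiz).
const SALT = 'constructed-sample-salt';
const TABLE = buildTable(SALT, { q1: 'mitochondria', q2: 'ribosome' });

const demoCheck = makeChecker(TABLE, SALT, 1000);
console.log(demoCheck('q1', ' Mitochondria ')); // first attempt is evaluated
console.log(demoCheck('q2', 'ribosome'));       // immediate second attempt is refused
```

A matching quiz has only a handful of possible answers per question, so the digests and the throttle slow down someone reading the source rather than stop them, which is the limit the comments on the question point out.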
2

The only thing I can think of is obfuscating your code. This process is also known as minifying it. If you do this your code will be harder to read and thus marginally more difficult to hack. It does not make it unhackable, but it makes life slightly more difficult for those who wish to cheat. You have several options:

I think that covers all of the main ones, but if you know of any more that I haven't mentioned, please leave a comment below.

Related question to this answer: Is there a good JavaScript minifier?

Community
starbeamrainbowlabs