-1

I need to build a web-based (HTML/JS) game where the user earns/scores points. At the end of the game, the user enters their details on a form and it, along with their score, is submitted to the server (via AJAX POST) to be stored in a database.

There is a leader board and prize element based on points ranking.

My question is, how can I prevent users from hacking this game? I'm thinking that someone could easily alter the points/score values being posted to the server using the browser's dev tools or a web proxy like Fiddler. The prize for this is fairly decent, so it would be worth someone's time to try to hack it.

I'm looking for a solid solution to this, and not just some 'make it harder to hack' answer.

MakkyNZ
  • Try to make it partially server-side – el Dude Mar 28 '13 at 00:07
  • 4
    I don't see how this question is answerable in a Q&A setting, given that there are an unbounded number of possible attack vectors. – Robert Harvey Mar 28 '13 at 00:07
  • If the game runs on the client, there is no real solution, only security by obscurity. – nwellnhof Mar 28 '13 at 00:07
  • SSL isn't the answer here. I'm talking about hacking the data before it gets sent to the server (i.e. before it is SSL encrypted). – MakkyNZ Mar 28 '13 at 00:07
  • @Robert Harvey: Are you saying it's unanswerable because there is no answer? There is no solution? – MakkyNZ Mar 28 '13 at 00:12
  • maybe some kind of encryption with public/private key, though the client would need to know the key so that would probably defeat the purpose – Daniel Powell Mar 28 '13 at 00:14
  • I am saying that I could imagine a [whole book answering your question](http://stackoverflow.com/faq#dontask). – Robert Harvey Mar 28 '13 at 00:16
  • possible duplicate of [JavaScript for online quiz?](http://stackoverflow.com/questions/13336159/javascript-for-online-quiz) and similar ones. **Do not trust the client!** – Bergi Mar 28 '13 at 00:25
  • @Bergi: it is similar to that question, but not quite the same, as a possible solution to that is to keep the answers to the quiz on the server and not in JS. My game does really have a 'correct answer' like a quiz. – MakkyNZ Mar 28 '13 at 00:30

2 Answers

3

You need to write a function that sends player moves to the server throughout the game. Then on the server you need to check whether the move was possible.

You also need to keep track of the game score throughout the game and at the end of the game make sure the submitted values aren't much higher than your recorded values. You should allow some tolerance.

The actual code is very game specific.

Hope this helps

Thomas Oeser
2

I don't know what type of game it is, but you could add something that makes it so if you gain a certain amount in a short amount of time (that would be impossible unless hacking) that you can't enter a high score. And make it server-sided. To do the score limiting you would maybe make a function every move and if the score is over however much the maximum able to gain in 1 move, then it doesn't allow you to use high scores.

F F
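
A sketch of the server-side bookkeeping both answers describe, as an added example that is not code from either answer: the server keeps its own running score per session, rejects any single move that gains more than is possible, and at submission compares the client's claimed score with its own tally. The class name, the limits and the tolerance are assumptions; real values depend on the game's rules.

```javascript
// Added example. All names and limits below are hypothetical.
const MAX_POINTS_PER_MOVE = 50;    // assumed: largest gain one legal move can give
const MIN_MS_BETWEEN_MOVES = 100;  // assumed: fastest a player can plausibly act
const TOLERANCE = 10;              // assumed: allowed excess of claimed over recorded

class GameSession {
  constructor(startedAt) {
    this.score = 0;            // the server's own tally, never taken from the client
    this.lastMoveAt = startedAt;
    this.reasons = [];         // non-empty means the session is barred from ranking
  }

  // Called for each move reported during play; `now` is server time in ms.
  recordMove(points, now) {
    if (!Number.isInteger(points) || points < 0 || points > MAX_POINTS_PER_MOVE) {
      this.reasons.push(`impossible gain in one move: ${points}`);
      return false;
    }
    if (now - this.lastMoveAt < MIN_MS_BETWEEN_MOVES) {
      this.reasons.push('moves arriving faster than the game allows');
      return false;
    }
    this.lastMoveAt = now;
    this.score += points;
    return true;
  }

  // Called when the end-of-game form is posted with the client's claimed score.
  submit(claimedScore) {
    if (this.reasons.length > 0) {
      return { accepted: false, reason: this.reasons[0] };
    }
    if (!Number.isFinite(claimedScore) || claimedScore - this.score > TOLERANCE) {
      return { accepted: false, reason: 'claimed score exceeds recorded score' };
    }
    // Store the server-side tally, not the value the client sent.
    return { accepted: true, score: this.score };
  }
}

// Constructed sample run: two legal moves, then a claim within tolerance.
const sample = new GameSession(0);
sample.recordMove(30, 200);
sample.recordMove(50, 500);
console.log(sample.submit(85)); // accepted, stored score is the server's 80
```

The limits only bound what a tampered client can claim; a client that replays plausible moves at a plausible pace still passes, which is why the first answer also checks that each move was possible in the game state.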