
I've created a trivial game using JavaScript and AngularJS. While presenting it to my team today, a team member hacked the code and won the game because of it.

The idea is that each player clicks a button to generate a random number between 1 and 100. Tom (screenshot below) put a breakpoint in the JavaScript and changed the number to 99 each time.

Is there a way to prevent this? From what I've heard, and from some googling, it appears that it's not possible to prevent this; a trip to the server needs to be made so that the random number can be generated there.

Is that right? Do I need to change my game to make a server call for every generation of a random number? If so, is there at least some way to make it extremely difficult to hack within the browser? Using JavaScript and AngularJS, it was nice to have this all on the front end; it was quick and easy.

[screenshot]

Bob Horn
  • It's not possible. Get the server side to do a bit more work. – Ven Jun 16 '14 at 18:40
  • "Hacked" being a very loosely used term - any code that resides on the client can run the risk of being modified - preventative measures include minifying and obfuscating your client code - but as a general rule of thumb - if it needs to be 100% secure, do it on the server. – tymeJV Jun 16 '14 at 18:40
  • I'd attempt to obfuscate the code and make it all a single line. It's still hackable though, but you'd need more advanced tools. Other than that, you'll have to create the number at server-side. – Matias Cicero Jun 16 '14 at 18:42
  • Note that a trip to the server alone may not solve this problem. He could always put a breakpoint in the success from that trip and alter it there. The outcome of the game needs to be determined by the server without client input. – Kevin B Jun 16 '14 at 18:43
  • Yeah, you can generate at the server side, as suggested. But if you're still using JS to actually make use of that number, it can always be intercepted anyway. I have an interesting suggestion. Choose the number once. Set it to another Var. Then before you actually USE it, compare it to the original chosen number. If they don't match, it was hacked. – durbnpoisn Jun 16 '14 at 18:54
  • @durbnpoisn But couldn't the user just hack that original number in the first place? – Bob Horn Jun 16 '14 at 18:57
  • @KevinB So if the number can be altered even when getting it from the server, how would I prevent it from being hacked? – Bob Horn Jun 16 '14 at 18:58
  • I'm going along the lines of doing it on the server side. They can't hack that number. So compare your final JS number to the one that was passed in. Or go really fancy, and encrypt the number somehow. Let's see them beat that. – durbnpoisn Jun 16 '14 at 19:00
  • @BobHorn by having the client simply display the result. You however can't stop them from altering what is displayed on their own browser. All you can do is ensure that the correct result is stored on the server. – Kevin B Jun 16 '14 at 19:04
  • @KevinB Ah, so the actual number, total score, etc., is all on the server. Even if a user changed the number to be displayed, it wouldn't change the result of the game itself. Thanks! – Bob Horn Jun 16 '14 at 19:05

2 Answers

You can minify your javascript, and that might help a bit, but technically there's no way. You need to move some of your logic server-side, where it can be validated.

Carlos Rodriguez

The best way to prevent this is to have a call to a server and record the value you send out to the client so you can validate it; this is the only foolproof way of really achieving this.

However, you can take some steps to make it really difficult to do client side. If you were to minify your JavaScript code (and possibly obfuscate all the method names too), this is going to make it really hard to understand what it's doing and to set a breakpoint at the correct point.

As an example, in Chrome I've got only 4 lines to choose from to break in jquery.min.js. If I want to edit the section highlighted, this is virtually impossible without sending this code through a deminification process or redirecting to different JavaScript using a tool like fiddler.

[screenshot]

Ian
  • But a call to a server via script can also be manipulated :), because that will also be JavaScript. – Chetan Jul 10 '17 at 06:05