2

Imagine you have a simple JavaScript function like this:

function something() {
    console.log("You called that function");
}

You can of course include the script file in your HTML file and call the function. The problem is that JavaScript is client-side, so everybody can call this function using the Google Chrome address bar or the Firefox console, for example.

How can I prevent that? If you implement a game or something where users can be in a score list or something, it is easy to manipulate this score list, for example.

Mulgard
    You can't. That is why it is important to also do server validation. You could try code obfuscation, but it's not foolproof. – Dave Jul 17 '15 at 14:34
  • server validation? How could I check if someone is allowed to call the function on a server? – Mulgard Jul 17 '15 at 14:35
  • as in, when a user submits a form, the data would be sent to the server for backside processing. It is here you need to validate and sanitize all inputs from the user. – Snappawapa Jul 17 '15 at 14:37
  • For form validation, think of it this way: Client-side validation should be in place to help and assist the user in filling out the form correctly. Server-side validation should be in place to ensure that the filled out form is _actually_ valid with how you're handling the data. Client-side validation is not necessary, but useful. Server-side validation **IS** necessary. – Jazcash Jul 17 '15 at 14:46
  • @Mulgard server `session`. – brso05 Jul 17 '15 at 14:52

3 Answers

8

How can I prevent that?

You can't.

Everything you do client side must be considered unsafe. Never assume something is checked or valid because it passed some client side checks. You should always use server side validation for every check you do client side. Always!

If you implement a game or something where users can be in a score list or something, it is easy to manipulate this score list, for example.

Yes, on that client. So why do you care? The scores should be calculated server side, so changing the UI client side doesn't help anything.

Let Jon Skeet get scared!

yes

Patrick Hofman
  • But I don't really understand how I can see which code is client-side and which is server-side. I need some file at the server which is able to get information from the client-side JavaScript and validate it. Is that right? – Mulgard Jul 17 '15 at 14:39
  • Everything in PHP, ASP.NET, NodeJS (which uses the Javascript programming language too) or any other server programming environment is server side, Javascript, CSS, HTML are client side. – Patrick Hofman Jul 17 '15 at 14:40
  • Javascript can be server side (Node.js). – Jazcash Jul 17 '15 at 14:41
  • So I could also try to make everything in PHP instead of JavaScript. – Mulgard Jul 17 '15 at 14:42
  • Yes, always double-check the input from the client. – Patrick Hofman Jul 17 '15 at 14:42
2

Actually, you will need some server validation if you want to make things safe. Everything you do in JS is unsafe and can be "accessed" by the end user. Anyway, if you want to have some functions that aren't usable from the console, you could think about using the Module Pattern: create your functions inside your namespaces and only make public the ones you want. For example, you could do something like:

var GAME = (function(){
  var private1, privatePublic;
  private1 = function() {
    //This won't be accessible from outside: it is never returned,
    //so it exists only inside this closure
  };
  privatePublic = function() {
    console.log("public");
    //This will be accessible from outside because i am going to return it
  };
  return {
    getPrivatePublic: privatePublic 
  }
}());
GAME.getPrivatePublic(); // will log "public"
GAME.private();          // Will throw a TypeError: GAME.private is undefined

This way, you are "hiding" your code from being used from the console. Anyway, as mentioned in my first lines, it is not safe, and everything can be accessed by a user who has JS knowledge.

Mindastic
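To make the caveat in the answer above concrete, here is an added example (not code from the answer or the asker): the same module-pattern shape, with one private helper and a public entry point that posts the score. `transport` is a hypothetical stand-in for the browser's `fetch()`, kept as a global precisely because a global is what a user can replace from the console. The private name stays off the `GAME` object, but every way of cheating that matters still works.

```javascript
// Added example (not code from the answer above): the module pattern keeps
// a name off the GAME object, but it does not keep the user out. `transport`
// is a hypothetical stand-in for the browser's fetch(), made a global here
// because that is exactly what makes it replaceable from the console.
var transport = {
  lastBody: null,
  send: function (body) { transport.lastBody = body; return true; }
};

function createGame() {
  return (function () {
    var score = 0;
    var addPoints = function (n) { score += n; };  // private: never returned
    return {
      hit: function () { addPoints(10); },         // what the game's own UI calls
      finish: function () {                        // posts the final score
        transport.send(JSON.stringify({ score: score }));
        return score;
      }
    };
  }());
}

// 1. The private helper really is unreachable by name, as the answer says.
function privateIsHidden() {
  return typeof createGame().addPoints === 'undefined';
}

// 2. ...but the user can drive the public entry point from the console
//    without ever playing: the "private" helper runs on their behalf.
function replayFromConsole() {
  var game = createGame();
  for (var i = 0; i < 1000; i++) game.hit();
  game.finish();
  return JSON.parse(transport.lastBody).score;  // 10000
}

// 3. ...or replace the global the module relies on and rewrite the
//    message in flight, without touching GAME at all.
function interceptTransport() {
  var game = createGame();
  var original = transport.send;
  transport.send = function (body) {
    var msg = JSON.parse(body);
    msg.score = 999999;
    return original(JSON.stringify(msg));
  };
  game.hit();
  game.finish();
  transport.send = original;   // undo, so the other functions run cleanly
  return JSON.parse(transport.lastBody).score;  // 999999
}

// 4. And nothing is hidden from someone who reads the script: the private
//    name is right there in the source the browser downloaded.
function privateNameInSource() {
  return String(createGame).indexOf('addPoints') !== -1;
}
```

Cases 2 and 3 are the ones that matter for a score list: the server receives a perfectly well-formed request either way, so only a server that computes the score itself (rather than accepting one) can tell the difference.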
1

This is why you add backend code on your server side to test for anyone cheating. There is nothing stopping them in a JavaScript game from injecting functions and modules.

Rule #1 for any online multiplayer games: Never trust the client.

Rule #2 for any online multiplayer games: Never trust the client.

This is why most JavaScript games rely heavily on a server state, to prevent cheats. So you would have to make ALL of your computations server side.

Some things you could do:

  1. check client reaction time to changes on the server, check for too many too fast reactions.

  2. Store the game's internal state server side and check the input sent by clients on the server.

  3. You can also obfuscate Javascript. How can I obfuscate (protect) JavaScript?

You would also have to go the Diablo 3 path.

  • buy checks - If I am buying something, I should have enough gold
  • sell checks - If I am selling something, I need to have that item in my inventory
  • damage checks - If I am attacking something (enemy), I can't hit more than the maximum damage my weapon could(here you should not expect the client to tell which weapon he has used because it should have been persisted earlier) ... and so on
Darren Willows
  • More like rule for anything, ever. – Jazcash Jul 17 '15 at 14:41
  • It should be noted that javascript obfuscation is almost trivial to circumvent, I would argue that some programmers code is obfuscated by default so any decent programmer is already able to read it. – Wolph Jul 17 '15 at 14:50
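The buy, sell and damage checks listed in the answer above, plus the reaction-time check and the "scores are calculated server side" point from the first answer, all come down to one design: the server holds the state and the client only sends intents. Here is an added example of that core (not code from any of the answers), written as an in-memory Node.js-style request handler so it runs offline. Every name in it (`GameServer`, `CATALOGUE`, the message shapes, the numbers) is invented for illustration; a real game would put this behind an HTTP or WebSocket handler and a database.

```javascript
// Added example (not code from any of the answers): a server-authoritative
// game core. Every request carries only an intent; the server recomputes
// the outcome from state it already holds and rejects what it cannot verify.
// All names and numbers here are invented for illustration.
const CATALOGUE = {
  sword:  { price: 50, maxDamage: 12 },
  dagger: { price: 20, maxDamage: 6 },
};
const MIN_ACTION_INTERVAL_MS = 100;   // faster than this is not a human clicking
const KILL_SCORE = 100;

const ok = (extra) => Object.assign({ ok: true }, extra);
const reject = (reason) => ({ ok: false, reason });

class GameServer {
  constructor(rng = Math.random) {
    this.rng = rng;                    // injectable so tests are deterministic
    this.players = new Map();
    this.monsters = new Map();
  }
  join(id, gold = 60) {
    this.players.set(id, { gold, inventory: [], weapon: null, score: 0, lastActionAt: -Infinity });
  }
  spawn(id, hp) { this.monsters.set(id, { hp }); }
  scoreboard() {
    return [...this.players.entries()].map(([id, p]) => ({ id, score: p.score }));
  }

  // The only entry point, like a POST handler: the client sends an intent,
  // the server decides what actually happened from the state it holds.
  handle(playerId, msg, now) {
    const p = this.players.get(playerId);
    if (!p) return reject('unknown player');
    if (now - p.lastActionAt < MIN_ACTION_INTERVAL_MS) return reject('too fast');
    p.lastActionAt = now;
    switch (msg.type) {
      case 'buy':    return this.buy(p, msg.item);
      case 'sell':   return this.sell(p, msg.item);
      case 'equip':  return this.equip(p, msg.item);
      case 'attack': return this.attack(p, msg.target);
      default:       return reject('unknown action'); // e.g. 'score': the client never sets it
    }
  }
  buy(p, item) {
    const def = CATALOGUE[item];
    if (!def) return reject('no such item');
    if (p.gold < def.price) return reject('not enough gold');   // buy check
    p.gold -= def.price; p.inventory.push(item);
    return ok({ gold: p.gold });
  }
  sell(p, item) {
    const i = p.inventory.indexOf(item);
    if (i < 0) return reject('not in inventory');              // sell check
    p.inventory.splice(i, 1);
    if (p.weapon === item && !p.inventory.includes(item)) p.weapon = null;
    p.gold += CATALOGUE[item].price;
    return ok({ gold: p.gold });
  }
  equip(p, item) {
    if (!p.inventory.includes(item)) return reject('not in inventory');
    p.weapon = item;                                             // persisted for later attacks
    return ok();
  }
  attack(p, target) {
    const m = this.monsters.get(target);
    if (!m) return reject('no such monster');
    if (!p.weapon) return reject('no weapon equipped');
    // damage check: rolled here from the persisted weapon; nothing in the
    // request (not a damage figure, not a weapon name) is consulted
    const dmg = Math.max(1, Math.round(this.rng() * CATALOGUE[p.weapon].maxDamage));
    m.hp -= dmg;
    if (m.hp <= 0) { this.monsters.delete(target); p.score += KILL_SCORE; }
    return ok({ damage: dmg, killed: m.hp <= 0, score: p.score });
  }
}

// Walk a player through honest and dishonest requests; the server decides each one.
function demo() {
  const s = new GameServer(() => 1);   // always max damage, for predictability
  s.join('alice'); s.spawn('rat', 20);
  const t = (sec) => sec * 1000;
  const log = [
    s.handle('alice', { type: 'score', score: 999999 }, t(1)),                // unknown action
    s.handle('alice', { type: 'sell', item: 'sword' }, t(2)),                  // never bought it
    s.handle('alice', { type: 'buy', item: 'sword' }, t(3)),                   // 60 gold -> 10
    s.handle('alice', { type: 'buy', item: 'dagger' }, t(4)),                  // cannot afford
    s.handle('alice', { type: 'attack', target: 'rat', damage: 500 }, t(5)),   // nothing equipped
    s.handle('alice', { type: 'equip', item: 'sword' }, t(6)),
    s.handle('alice', { type: 'attack', target: 'rat', damage: 500 }, t(7)),   // 12 dmg, rat at 8
    s.handle('alice', { type: 'attack', target: 'rat' }, t(7) + 10),           // too fast
    s.handle('alice', { type: 'attack', target: 'rat' }, t(8)),                // kill, +100
  ];
  return { log, scoreboard: s.scoreboard() };
}
```

Note what the client is never asked for: its score, its weapon, or the damage it dealt. A request that carries those fields (like the `damage: 500` above) is simply ignored, which is what makes the console tricks from the other answers useless against this server.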