0

I am trying to build a puzzle game using HTML & JS. This is going to be a standalone HTML page. There isn't going to be a server side for this application.

Obviously, the game has an answer which the application will create at start time. Now, I wish to make this variable completely hidden i.e., not just hidden from user's view but also inaccessible to the user, even if he tries to read the page through Chrome's Developer Tools or such debug tools.

I'm looking for a solution using HTML5, JS ECMAScript 5+ & jQuery.

I remember reading something about Native HTML code (used for HTML File elements) which cannot be rendered/read even through Dev Tools. Is this any help?

Is there any way or strategy to achieve this?

NOTE: I am aware of <input type="hidden">. But that doesn't serve my purpose.

EDIT: As part of the game, the user makes attempts and the application needs to validate the user's input against this somehow-user-hidden answer variable. At this point, I believe there is no solution that's going to be completely airtight in the given constraints. Hence, I'm pursuing this from an academic interest. Does anyone have any other answers ?

Sarath Chandra
  • 1,850
  • 19
  • 40
  • keep it in the server – Redu Apr 30 '16 at 05:38
  • @Redu: My bad! I forgot to add it in the description. My app is going to be a standalone HTML page. No server involved. – Sarath Chandra Apr 30 '16 at 05:40
  • 1
    I'm not aware of anything that will do this. When it's on the user's computer there will always be a method to read it. It may be possible to prevent developer tools, but you can't possibly stop memory inspectors. – PeteB Apr 30 '16 at 05:41
  • 1
    You could place the answers into a JSON file then use Ajax to return true/false in the answer matched. –  Apr 30 '16 at 05:51

2 Answers2

2

Prehash your answer, hard code that into your page.

Then, when they submit their answer, run through whatever hashing pattern you did before hand, and compare the result.

It could theoretically be brute forced, of course.... if you had a few hundred years.

Javascript implementations of:

Edit:

An example would be:

  • Pattern: SHA-1(SHA-1(SHA-1(answer + salt)))
  • Salt: 982qx17wef7ddsbtxaewnsdufs (make something up, load it as an input type='hidden')
  • Result: (load it as an input type='hidden')
  • Request the answer
  • If SHA-1(SHA-1(SHA-1(attempt + salt))) === Result, they got it correct
Community
  • 1
  • 1
Ehryk
  • 1,930
  • 2
  • 27
  • 47
  • 1
    Clever! The security is going depend on the length/complexity of the answer though... for instance if the answer is a,b,c or d it would be easy to put those answers through the hashing code in your program and see which one matches. – PeteB Apr 30 '16 at 05:49
  • 1
    ... not as easy as 'inspect element' in dev tools, though. You can get more obscure about the pattern, though, and then obfuscate and minify your javascript to the point of it being quite difficult. What kind of security are you really aiming for here? Do they win money from you if they get it right? – Ehryk Apr 30 '16 at 05:53
  • There is no major incentive for hacking the answer. I was just academically curious if this could be achieved. – Sarath Chandra Apr 30 '16 at 06:44
  • 1
    How about you overwrite the 'checking the answer' function entirely (maybe just set it to null) after the initial check, so you get one answer attempt per page load? This would make it a ton of work to get exactly where you would be if you had just loaded the page and clicked a different option each load. – Ehryk Apr 30 '16 at 07:02
1

Your can hash your values using MD5.

https://github.com/blueimp/JavaScript-MD5#client-side

0xdw
  • 3,755
  • 2
  • 25
  • 40