-6

I am a newbie game maker making some web games with JS, HTML and CSS. But the problem is I can't prevent the right-click inspect hacking thing, so a person hacked my games by using this method.

My question is, how can I prevent this method so that I don't get hacked...

Here is my game http://ozansiar.com/mario/oyunok.php

Here is the score page http://ozansiar.com/mario/skorekran.php and, as you can see, it can be hacked...

The language is Turkish, sorry for not doing this in English, but I will.

Second question is, how can I improve my game development? I heard that Phaser is a good engine, so I'm doing research to find some tutorials. But also, I need some good advice from you...

Sorry for my newbie questions, but I do need some good advice to improve my web development and game development skills... Thanks so much!

Note: the games are made from what I learned from the Stack Overflow community... So also, thank you very much for this.

  • You can't...... – epascarello May 07 '17 at 15:16
  • Well, then what can I do to avoid things like this? For example, what should I do to avoid the right-click inspect and change-the-content thing? Do I need a game engine like Phaser or what? – Ozan Şiar Palik May 07 '17 at 15:18
  • Don't trust **anything** sent from the client, or accept that the games can be hacked, or write them in another platform (not the browser). Everything else is just mitigation. – T.J. Crowder May 07 '17 at 15:18
  • It's most likely an XSS exploit (Google that term). You'd need to post your code, rather than people fetching from your website which won't help if this is also a php related issue. I for one will not be visiting your website. – Funk Forty Niner May 07 '17 at 15:19
  • I can look at what you send to the server and do not even need to look at your JavaScript. – epascarello May 07 '17 at 15:22
  • Should I copy/paste all of the code here? It is like 30000 characters. – Ozan Şiar Palik May 07 '17 at 15:23
  • @T.J.Crowder Using alternative client software only makes the life of script kiddies a little bit harder. Network traffic can always be manipulated by many tools. So the one and only way is as you just said: "Don't trust anything sent from the client". – Pinke Helga May 07 '17 at 15:23
  • _"so a people hacked my games by using this method"_ No they didn't. Disabling right click will not add any security to your app. – Alex Howansky May 07 '17 at 15:24
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet --- [How to prevent XSS with HTML/PHP?](http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – Funk Forty Niner May 07 '17 at 15:25
  • Plus, if this is db-related and you didn't use a prepared statement, then that too can contribute to a site getting hacked. – Funk Forty Niner May 07 '17 at 15:30
  • I guess there have been SQL injections. You should show some relevant snippet of your client data processing PHP code. – Pinke Helga May 07 '17 at 15:30
  • The second part of your question is opinion-based and not appropriate for Stack Overflow. – Scott Marcus May 07 '17 at 15:30
  • You've got an awful lot of probably unnecessarily open ports on your server, including a non-standard one (5960) that I don't recognize. You might be compromised at the server level. – Alex Howansky May 07 '17 at 15:32
  • @Alex Howansky sorry for this, I'm an amateur learning development from Stack Overflow by reading past questions. – Ozan Şiar Palik May 07 '17 at 15:34

3 Answers

2

Client-side code (HTML, CSS, JavaScript) is called "client-side" because it is downloaded to the client and executed there. There is absolutely nothing you can do to protect this code from users seeing it and modifying their local copy of it. Even storing your JavaScript in an external file and linking to it does not solve the issue. The same is true with obfuscation.

All protected code should exist on a secure server and execute there in a "server-side" architecture, such as .aspx, .PHP, .jsp, etc.

Scott Marcus
  • Can people inspect my game if I do it with Phaser or another game engine? Should I embed the code in NodeJS or what? – Ozan Şiar Palik May 07 '17 at 15:26
  • This answer is correct and directly addresses the question (*My question is, how can i prevent this method to not to being hacked...*). It should not be down voted. – Scott Marcus May 07 '17 at 15:27
  • As I said, your code will need to execute in a "server-side" architecture. Which one you use depends on many circumstances. There is no one single solution. – Scott Marcus May 07 '17 at 15:28
  • So, do I need to write all of the code in PHP's echo command, for example? – Ozan Şiar Palik May 07 '17 at 15:30
  • Again, I can't say that what you "need" to do is .php; that is just one of many server-side options. But, yes, users cannot modify what the .php file returns to the client. – Scott Marcus May 07 '17 at 15:32
0

So I just ran through the game and "hacked" it. The problem you have is that you use forms and hidden inputs to send the game results to the server, first when the user finishes the game you submit the time it took them, then on the second page you send their final score in a hidden input. Both of these can be easily modified by the user before they're submitted.

What you could do is create a checksum of the hidden values that you don't want the player to modify. After they're posted to the server, use the values to re-calculate the checksum in PHP, and if it doesn't match the checksum submitted by the browser, don't accept it.

This won't stop people from hacking your game, but it will make it more difficult. If they absolutely want to fake their score, they can look up the javascript function you use to generate the checksum on the client side and use that to generate a new one with the values they want, so it's not 100% secure.

As for the final score, I'd suggest you use a session for that. Your skor.php file generates a form with the final score in a hidden input. Why? Just dump it in a session property, and read that back in skorislendi.php. That way, the user won't be able to edit it.

rickdenhaan
  • So, if I correctly understand your comment, are you saying that recording scores etc. on the client side is a bad idea? I'm ok with this. But how can I run my monsters server side in my game? Is this possible? With the inspect > modify method, my monsters can also be removed... How can I run my content on the server side? Thanks. – Ozan Şiar Palik May 07 '17 at 16:09
  • I'm not sure how you'd run the monsters from the server. But, I noticed that if I remove the monsters, the console floods with errors. You could maybe catch those, and if a monster's element is removed just re-add it with javascript. – rickdenhaan May 07 '17 at 16:11
  • Thanks, I will take a look at what you said. As for running monsters server side, do I need Node JS? What I know of Node JS is that it is a client-like server-side language? Is this true? So, can it run monsters animatedly while handling the server part? Is this possible? Thanks. – Ozan Şiar Palik May 07 '17 at 16:13
  • Node.js is also server-side scripting, but in javascript instead of php. It is very good at keeping an open websocket with the client, so it would be possible to have the server calculate the monster's positions and send a continuous stream of coordinates for each monster over an open socket connection to the client. You could also send mario's coordinates from the client back to the server, and let the server decide when mario dies or the game is finished. But that would be a major rewrite of your game code. – rickdenhaan May 07 '17 at 16:18
  • Yes, when I create another game I guess I will use the Node Js method... Thank you so much again! So what I learned is, I can't animate my monsters with PHP, so I can't run them from the server side without Node Js, yes? – Ozan Şiar Palik May 07 '17 at 16:20
  • You **can** do it with php but I personally wouldn't recommend it. There's an example of it [on PHPBuilder.com](http://www.phpbuilder.com/articles/application-architecture/optimization/creating-real-time-applications-with-php-and-websockets.html). I would personally use Node.js instead of PHP for any web application or game that requires continuous communication with the server, simply because it has better out-of-the-box support for it. – rickdenhaan May 07 '17 at 16:26
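The session approach rickdenhaan describes, as an added example (not the asker's or the answerer's code), taken one step further so that the server also records when the game started and computes the score itself instead of reading the time from a hidden input. The function names, the `skor` table and its columns, the scoring formula and the minimum plausible finishing time are assumptions; the file names are the asker's.

```php
<?php
// Added example, not the asker's code. The server keeps the start time and the
// final score in the session, so the hidden <input name="time"> and
// <input name="score"> described in the answer are no longer trusted.
// Assumed: function names, the "skor" table and its columns, the score formula.
session_start();

const MIN_PLAUSIBLE_SECONDS = 20;   // assumed: nobody finishes the level faster

// Top of the level page (oyunok.php): remember when play began, server-side.
function startGame(): void {
    $_SESSION['game_started_at'] = microtime(true);
    unset($_SESSION['final_score']);
}

// Assumed scoring rule: faster is better, floored at zero.
function computeScore(float $elapsedSeconds): int {
    return max(0, (int) round(10000 - 10 * $elapsedSeconds));
}

// Called when the browser reports "finished" (skor.php). Elapsed time comes from
// the server's own timestamp; whatever the client posted is ignored.
// Returns null when there is no game in progress or the time is implausible.
function finishGame(): ?int {
    if (!isset($_SESSION['game_started_at'])) {
        return null;                                   // never started
    }
    $elapsed = microtime(true) - $_SESSION['game_started_at'];
    unset($_SESSION['game_started_at']);               // one finish per start
    if ($elapsed < MIN_PLAUSIBLE_SECONDS) {
        return null;                                   // e.g. a replayed finish request
    }
    $_SESSION['final_score'] = computeScore($elapsed);
    return $_SESSION['final_score'];
}

// Score page (skorislendi.php): read the score from the session, never from
// $_POST. The player name is still client input, so bind it in a prepared
// statement instead of interpolating it into the SQL.
function saveScore(PDO $db, string $player): bool {
    if (!isset($_SESSION['final_score'])) {
        return false;                                  // nothing legitimately finished
    }
    $stmt = $db->prepare('INSERT INTO skor (oyuncu, puan) VALUES (:p, :s)');
    $ok = $stmt->execute([':p' => $player, ':s' => $_SESSION['final_score']]);
    unset($_SESSION['final_score']);                   // cannot be submitted twice
    return $ok;
}
```

Because both values live only in `$_SESSION`, the browser never receives a copy to edit in the inspector; the only client input that still reaches the database is the player name, and it goes through a bound parameter.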
0

You can't prevent the client, i.e. the player, from hacking client-side materials, i.e. client-side scripts, HTML, etc. Any legitimate actions that your scripts perform on the client side can be faked. At best, you can mitigate such hacks by obfuscating your JS code and post data. This makes it harder to hack but doesn't save you.

In the end, ask yourself this one question. Is security essential to my game? If it is, then worry about it. Otherwise, build what you can and from an agile point of view, add features, such as security, when NECESSARY.

EyuelDK