
I'm creating a tampermonkey userscript that sends a POST request from a website containing the user's high score. Something like this for example:

// jQuery POST of the user's high score from the userscript
$.post('https://example.com/scores', {
    id: 123, high_score: 999
});

However, the issue is it's very easy for users to forge a fake score and send their own POST request with a fake high_score. Would there be a way to somehow authenticate these requests so I could differentiate between real requests from my userscript and forged fake ones from users? Perhaps some encryption/decryption?

newbie
  • This is not vanilla javascript, but jQuery. Your answer is possibly this: https://stackoverflow.com/questions/5507234/use-basic-authentication-with-jquery-and-ajax – nitobuendia Sep 16 '18 at 09:35
  • @nitobuendia Sure, the POST request is done through jQuery; but the authentication part could be done through JavaScript, for example creating an encrypted token using vanilla JavaScript and passing that through the request. I have added the jquery tag to this question to avoid confusion anyway. – newbie Sep 16 '18 at 09:38
  • @rottenoats There is an actual game being played on this page, and on this page there is a function that returns the high score of the user. I'm simply retrieving the value returned from the function and passing that through the POST request. – newbie Sep 16 '18 at 09:44
  • Try using an obfuscator: http://www.javascriptobfuscator.com/Javascript-Obfuscator.aspx . Also, if you have the possibility to retrieve every "score" increase during the game and check server side that the score increase wasn't instant and that the final high score corresponds to the total score that was sent, then you could assume that the person was unlikely to cheat. – kemicofa ghost Sep 16 '18 at 09:47
  • @rottenoats I actually went with the same approach of using an obfuscator to make it more difficult, but the problem is I want the code to be somewhat readable, so it's more trustworthy. I wouldn't blame a user for refusing to use an obfuscated userscript, as they can't really see what's going on. Also, the issue with that is the score can increase instantly in this game, so I wouldn't really be able to predict cheats. Unfortunately, I think obfuscation might be the only way to tackle this issue; thanks for providing that link also. – newbie Sep 16 '18 at 09:51
  • As for limiting usage on specific web sites, can't the user simply go on the game website and hop into the Chrome console and send the request through there which will ultimately trick my server it was from the game? – newbie Sep 16 '18 at 09:52
  • 1
    You won't be able to fully make it impossible for someone to cheat when writing js. Your best bet is to make it as complex as possible. Plus, who actually looks at JS extension code? You could also check to see if the game has some kind of API where you could check if the "game id" corresponds to an existing game. Otherwise, just make your code as confusing as possible. – kemicofa ghost Sep 16 '18 at 09:55
  • 1
    Alright, understood. Thank you for the insight @rottenoats – newbie Sep 16 '18 at 09:57

1 Answer

You can add a hidden input into your page with a nonce (number used once; it can be generated based on the platform you are using, e.g. a unique identifier) as its value. When you send the POST, read the value and add it to your POST body. On the server side you check if this nonce exists in the database; if it does, the POST is authentic, otherwise it is not. On your back end you could save this nonce with the session if you have sessions. This is an example:

<input type="hidden" value="your-nonce" id="your-id">

<script>
// read the nonce the server rendered into the page and send it with the score
let nonce = $("#your-id").val();
$.post('https://example.com/scores', {
    id: 123, high_score: 999, nonce
});
</script>
  • If I'm not mistaken, this is not his webpage. Tampermonkey is a browser addon. – kemicofa ghost Sep 16 '18 at 09:38
  • What prevents someone from forging a request on this? Surely they could just do `$.post('https://example.com/scores', { id: 123, high_score: 999, nonce: $("#your-id").val() });`, and yes @rottenoats that's right. – newbie Sep 16 '18 at 09:39