
I'm making a browser game and I want to block a user if he is scripting via the console. How can I properly detect that a user is using the console for sending scripts?

I was searching for a solution and I'm still not sure. I saw that you can detect it via CSP...

Thank you

jakub
  • You can't, though if you want to prevent the user from doing *certain things* via the console, you can do that, to some extent. (it will never be foolproof, though, since it's *their* browser) – CertainPerformance Apr 30 '19 at 10:21
  • There must be some kind of thing to do that.. because when I was playing one game before they detected me.. :D – jakub Apr 30 '19 at 10:24
  • Yep, there are ways for certain things, there are just not *100% foolproof* ways – CertainPerformance Apr 30 '19 at 10:25
  • Ok, and which ways can there be for that then? I think logging user time is wack cuz he can make a random function for timing, maybe use heat maps so that we can track if the user is clicking buttons.. idk – jakub Apr 30 '19 at 10:27
  • It depends on what exactly you're trying to do / restrict. Hard to say exactly without specifics – CertainPerformance Apr 30 '19 at 10:28
  • You need to click buttons to do actions.. so I will probably implement heatmaps and logs how many clicks user did then compare it and that's result I guess. – jakub Apr 30 '19 at 10:30
  • See https://stackoverflow.com/questions/29798010/javascript-detect-whether-an-event-is-triggered-by-user-and-not-programmatical - check the `isTrusted` property – CertainPerformance Apr 30 '19 at 10:31

2 Answers


It would be highly overcomplicated, but theoretically you could make sure that all the code execution happens in a scope you define via an anonymous function. This way everything executed via the console would be in a different scope (which is the default one) and you could potentially add code to every public function you have where you check from where that code is being executed. But again, the user has complete control over the browser.

I read that you noticed this when playing a game. http://agar.io for instance uses this isolated scope technique to prevent a user from tampering with game values. This is not foolproof, as a savvy user could still attempt to inject code into your code to add handles that expose internal pieces of it.

You can, however, implement some tricks to make it more difficult for the user (see https://x-c3ll.github.io/posts/javascript-antidebugging/).

Lucat
  • Just putting everything into an IIFE won't be enough. The user may run code *before* your IIFE and monkeypatch built-in objects. The user may call `window.stop()` before your IIFE and then run the IIFE with their own modifications. In the end, it's their browser, they can run the client-side JavaScript that they want on it. – CertainPerformance Apr 30 '19 at 10:29
  • Hah I really want to know how they detected me.. :D but they won't tell me that info :/ – jakub Apr 30 '19 at 10:35
  • There are plenty of ways they can do that. If you were playing a game and tried to modify in-game values, they could be comparing server-side ones with the ones you have. But every developer may implement their own technique, therefore no correct answer to your "hacky" issue ;-) – Lucat Apr 30 '19 at 10:36
  • Nah in that game they had onClick events which called a function with a parameter.. so I made my own function with setTimeout which called these functions :D.. that's all – jakub Apr 30 '19 at 10:40
  • I did it just to save time.. Time is an expensive thing :P – jakub Apr 30 '19 at 10:55
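
As an added example (not code from this thread or from any game mentioned in it), the sketch below combines the private-scope idea from the answer above with the `isTrusted` check suggested in the comments. `gateAction`, `demo` and the `stats` object are assumed names, and `EventTarget` stands in for a DOM button so the block also runs under Node.js. As the comments point out, a user who runs code before the page's script can still patch around this, so the rejected count is a signal to combine with server-side checks:

```javascript
// Added example, not code from the thread. gateAction, demo and the stats
// object are hypothetical names; EventTarget stands in for a game button.

// Register `action` so that it only runs for events the browser itself
// generated from real input (event.isTrusted === true). Script-made events,
// such as dispatchEvent(new Event('click')) or element.click(), arrive with
// isTrusted === false and are counted instead of executed.
function gateAction(target, type, action) {
  const stats = { accepted: 0, rejected: 0 };
  const listener = (event) => {
    if (!event || event.isTrusted !== true) {
      stats.rejected += 1; // worth reporting to the server as a signal
      return false;
    }
    stats.accepted += 1;
    action(event);
    return true;
  };
  target.addEventListener(type, listener);
  // The listener is returned so the caller can remove it later.
  return { stats, listener };
}

// Keep the action and the gate inside a function scope (an IIFE in the page)
// so the console has no global function name to call from setTimeout.
function demo() {
  let gold = 0;                     // constructed game state
  const button = new EventTarget(); // stand-in for a DOM button
  const gate = gateAction(button, 'click', () => { gold += 10; });

  // What a script can do from outside the scope: fire synthetic clicks.
  for (let i = 0; i < 3; i += 1) {
    button.dispatchEvent(new Event('click'));
  }
  return { gold, stats: gate.stats };
}

console.log(demo()); // synthetic clicks are rejected, gold stays unchanged
```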

Works for Chrome

Here's my favourite solution from an earlier answer:

```javascript
setInterval(() => {
  var element = new Image();
  Object.defineProperty(element, 'id', {
    get: function() {
      // behaviour to execute when the console is open
      console.log('open', new Date());
    }
  });
  console.log(element); // trigger
}, 2000);
```

Every 2 seconds (or however you init your interval) you get to say if the console is open in the get function.
Ferenc
  • Ye that looks cool. But I opened that console once to fire my function then I closed it.. So I think that's not the solution they used.. But thanks, really interesting thing :) – jakub Apr 30 '19 at 10:57