0

Okay, this question isnt exactly very clear, because i cant write it as a single question.

I have a game that i am designing using javascript, and it is basically a multiplayer game. So say there is two players, player darklord and angel

angel shoots darklord so darklord loses 1 life.

Now what happens is that i use ajax to submit the number of life that darklord loses. And the request is GET /shootout.php?shooter=darklord&life=-1 so this allows me to store the new life of darklord.

Now the problem is say angel knows about computer, and he starts requesting /shootout.php?shooter=darklord&life=-3

Thus darklord loses more life then he should have. So angel cheated in the game.

No i want to prevent this kind of requests, and i am trying to get a way so that my requests can be hidden. I mean i know i can encrypt the url. So say i encrypted it such that the request should be GET /enc.php?e=934ufj30jf for darklord to lose a life, and different values of e for angel to lose a life, or gain a point. However for this to work i will need to send the data to the client, as in tell the javascript to request this url.

Now the user can easily go around reading the source of the file in order to find out what are the new requests for doing things,

I have found and thought of many other ways, but they all limit the amount of cheating or effect the game-play etc.. None of them eliminate this security completely.

So now my question is how do i make sure that users dont send data that is not real. How do i stop them from cheating? I have thought of the best way being that i use server side scripts to actually calculate the possibility of someone shooting someone else and then matching it with the client input, but that will effect execution time by a LOT, so i am trying to find other ways, some public key encryptions?? (problem is the user can put the data as they want and then encrypt it) tokens? (problem is the user can put the data as they want and then put the current token)

so any other ideas anyone??

mursalat
  • 1

5 Answers5

2

This isn't about hiding requests, it's about implementing proper access controls. Your example is referred to as an insecure direct object reference in that manipulating values in the querystring relating to direct DB objects causes an unintended outcome (have a look at OWASP Top 10 for .NET developers part 4: Insecure direct object reference).

There are a couple of things you can do but the most important is implementing proper access controls. You must authenticate the caller of the service and authorise them to perform the requested activity (and this all has to happen on the server). In this case, angle should not be able to perform an action on behalf of darklord.

The other thing you can do is use an indirect object reference map (refer to the link above), which obfuscates the IDs of the player with cryptographically strong, user-specific alternatives. You probably don't need this in addition to the access controls but it does give you more unpredictability.

Finally, think about the flip-side as well - if darklord is able to pass the amount of damage as a parameter, what's to stop him from re-issuing the request manually with "life=-100"? It will depend on the specifics of how the attack action is performed, but you're going to want to avoid people gaming this action too.

Troy Hunt
  • 20,345
  • 13
  • 96
  • 151
1

You have to assume that the user is completely in control of the client JavaScript. The only way to make this secure is to do the check on the server side.

Thomas
  • 174,939
  • 50
  • 355
  • 478
1

You should not send result of action. You should send action. i.e angel shoot darkangel from point (7,15) with angle 36 degree

than server checks is it correct shoot and decrease lifes of darklord

RiaD
  • 46,822
  • 11
  • 79
  • 123
  • you can still mess with that, i mean, if i want to i can send the wrong angles, although true it will obscure the data... seems like we are stuck in a real dilemma.. Apparently this is a classical problem of online gaming, there hasn't been any proper solution for this problem.. i am right now thinking about solving the problem by making it harder to cheat, but there is no 100% secure solution - thnx anyway :D – mursalat Jul 31 '11 at 12:27
1

There was an excellent answer given on this subject a couple of years ago. It actually refers to Flash rather than JavaScript, but the security concerns and techniques are going to be applicable to this situation too.

What is the best way to stop people hacking the PHP-based highscore table of a Flash game

Community
  • 1
  • 1
shanethehat
  • 15,460
  • 11
  • 57
  • 87
  • read it - in short there is no 100% secure way to solve the problem. – mursalat Jul 31 '11 at 12:28
  • basically, that's right. To quote the last sentence from the link: `The objective isn't to stop this attack; it's to make the attack more expensive than just getting really good at the game and beating it.` – shanethehat Jul 31 '11 at 12:33
0

You should never have the client tell the server what changes to make in player state (eg. remove X amount of health) because the client could always be cheating. Instead only have the client tell the server what input the player has made and then the server determines what happens as a result of that input.

Although this doesn't remove the possibility of cheating by writing a bot that plays the game automatically (and is better at the game than any human player) you at least remove overt cheating of the "I did 10,000 damage, trust me" variety.

Detecting bots is best done by tracking behavioral data and doing data mining to find cheaters. And if there is no behavioral difference between bots and human players, then who cares about the bots.

jhocking
  • 5,527
  • 1
  • 24
  • 38