I have an HTML5 game, available in the browser. After some actions the game updates user data in Firestore. Of course anyone could see these fetch/ajax requests in the dev console's Network tab, grab the needed request, edit it and resend it directly from the console. Security rules are set, but the rules only check whether the user is logged in and the row in the collection is owned by this user. That's all; I don't know what else to check. Also, I can't enable App Check because of the game engine. Is there any other way to prevent such dirty actions? Or maybe I've skipped something?

Thanks.

Frank van Puffelen
kRicha

1 Answer

It sounds like your security rules allow callers to do things that you don't want to allow. Properly implemented security rules allow exactly what your application code does, and nothing more.

Ideally, this means that you start your project with security rules that allow no access at all, then implement the first use case and open up the security rules to allow exactly that use case and nothing else. Repeating this process until you have all your use cases leads to rules and code that are developed in sync, and ensures that you adhere to the principle of least privilege.

Since that is not an option anymore for you at this point, I recommend studying up on security rules and squashing the other cases one by one.

Also consider enabling Firebase App Check, which helps eliminate abuse, although it's no guarantee against replay attacks like the one you're describing.

Alex Mamo
Frank van Puffelen
  • Hey, thanks for the reply. As I say in the question: there is NO ability to enable App Check. Also, rules are installed to allow writes by the authorised document owner, BUT this does not cancel the user's ability to change the web request and resend it with the desired data. – kRicha Oct 06 '22 at 05:34
  • Sorry, I might have missed that in the question. That still leaves the other three paragraphs of my answer though. --- If you want a more concrete answer on a specific type of attack, I recommend editing your question to show a [minimal repro](http://stackoverflow.com/help/mcve) of the data, rules and code of the operation you want to disallow. – Frank van Puffelen Oct 06 '22 at 13:57
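The following is an added example of the approach the answer describes, not code from the question or the answer. It assumes a hypothetical `players` collection keyed by user ID with the fields `displayName`, `level`, `score` and `updatedAt`, and a game whose only client-side write is "finish a level"; none of those names come from the original post. The commented-out rule at the top is the owner-only check the question describes, which accepts any field and any value from the owner; the rules below it open exactly the create and update shapes the game needs and leave everything else denied.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The owner-only rule from the question (kept for comparison, disabled).
    // Any signed-in owner may write any field with any value to their own
    // document, so an edited or replayed request from the dev console is
    // accepted as long as the UID matches.
    //
    // match /players/{uid} {
    //   allow read, write: if request.auth != null && request.auth.uid == uid;
    // }

    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }
    // Document state after the write would be applied.
    function incoming() { return request.resource.data; }
    // Document state currently stored (only defined for update/delete).
    function existing() { return resource.data; }

    match /players/{uid} {
      allow read: if isOwner(uid);

      // Use case 1: a new player document always starts at level 1, score 0,
      // with a server-assigned timestamp and no extra fields.
      allow create: if isOwner(uid)
        && incoming().keys().hasOnly(['displayName', 'level', 'score', 'updatedAt'])
        && incoming().displayName is string
        && incoming().displayName.size() <= 32
        && incoming().level == 1
        && incoming().score == 0
        && incoming().updatedAt == request.time;

      // Use case 2: finishing a level advances exactly one level and adds a
      // bounded number of points. No other field may change, and a replayed
      // request carrying a stale `level` fails the `existing().level + 1` check.
      allow update: if isOwner(uid)
        && incoming().diff(existing()).affectedKeys().hasOnly(['level', 'score', 'updatedAt'])
        && incoming().level == existing().level + 1
        && incoming().score is int
        && incoming().score > existing().score
        && incoming().score - existing().score <= 1000
        && incoming().updatedAt == request.time;

      // No client use case deletes a player, so it stays closed.
      allow delete: if false;
    }
  }
}
```

To exercise these rules the client must write `updatedAt` with `serverTimestamp()` (which the rule compares against `request.time`) and send the full `level`/`score` pair, so a request replayed after the first one is accepted is rejected because its `level` no longer equals `existing().level + 1`. The caveat a practitioner should keep in mind: rules like these bound what a tampered request can do (one level, at most 1000 points per write) but cannot tell whether the level was actually played, so anything that must be trustworthy, such as a leaderboard, still needs the score computed or validated server-side rather than accepted from the browser.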