I wrote a server-client app in JavaScript/HTML5. It's supposed to allow clients to communicate/play a game in real time, using Node.js on the server side.

I know the use of private variables, etc. But how do I prevent the whole game engine from unauthorised access via the console API?

As in, how do I write it in such a way that all variables fall in a private scope and, once initiated, they run pretty much independently, without registering a single variable in the global scope, so that nobody can mess the game up!

From what I have researched, I can do something like

function Game() {
    // All declarations here
    // Start the logic in here
}

and then calling it

new Game();

will do it? But is there any better way to do the same?

ShrekOverflow

4 Answers


You can run a JavaScript application without registering a single variable, via an anonymous function:

(function() {
    //local variables here.
})();

However, there is no reliable way to prevent cheating: One can easily analyse your code, and create fake AJAX requests. With the latest browsers, it's incredibly easy to capture your code.

With getters and setters, anyone can effectively intercept your functions. Using the deprecated arguments.callee.caller property, an attacker can read the source of the function call, effectively getting access to the closure as defined at the top of this answer.

Example:

var _alert = alert;                       // keep a reference to the real alert
window.alert = null;
Object.defineProperty(window, 'alert', {
    'value': function(m) {
        // arguments.callee.caller is the function that called alert(): the closure
        // below, whose source (including localVar) is printed here
        console.log('Intercepted. Function source: ' + arguments.callee.caller);
        _alert.call(this, m);             // then forward to the real alert
    }
});
(function(){
    var localVar = 'secret';
    alert('Hi!');
})();

Rob W
  • So the way I am doing it is the safest. Also, I can write an MD5-based token system from the server side so that the AJAX request becomes hard to copy; say the server serves an MD5 with each packet, and this MD5 must be sent back to the server for the next call. As all the packets will work inside the private scope, nobody can access the MD5 hash [hopefully], and hence we add one more layer of security :) – ShrekOverflow Feb 11 '12 at 13:46
  • @Abhishek In my example, I have intercepted a relatively harmless method. However, the same technique can be used to intercept AJAX calls, through the `XMLHttpRequest` object. Even those **without knowledge of JavaScript** can read the HTTP requests using Firebug, developer tools, HttpFox and similar tools. If you build a JavaScript game, you should not trust the requests by default. The best way to do so is by letting the server calculate events, scores etc. I'm sure that there are plenty of similar questions on SO which address these points. – Rob W Feb 11 '12 at 13:51
  • I am already doing that calculation on the server with an insane amount of encryption; in fact, even the scores pass from server -> client encrypted so that any attempt to understand them goes in vain. I was thinking of using WebSockets though, as it's much more secure than Firebug etc., and so far there is no way of intercepting them [at least as per the best of what I know]. – ShrekOverflow Feb 11 '12 at 13:57
  • WebSockets are being reworked for security issues: http://hacks.mozilla.org/2010/12/websockets-disabled-in-firefox-4/ – aviraldg Feb 11 '12 at 14:02
  • @Abhishek [`WebSockets`](https://developer.mozilla.org/en/WebSockets) are also available through a global object (`MozWebSocket` in FF, for example). This object can **also** be modified using the method in my answer. There is no 100% safe method to prevent cheating. The best way to combat cheating is to implement the logic: It's obvious that one cannot win a hard game, 20 times in a row, within a minute. *>>>* Distributing obfuscated code will stop inexperienced players from looking further. Using meaningless names in requests will also stop some. But there's nothing to stop everyone. – Rob W Feb 11 '12 at 14:04
  • @RobW Thanks :-) I will implement what you said, and further use random ideas and check everything on the server. Hopefully this will make hacking harder. I think the time I pay in making security for the app will pay off, so I am going to dedicate a few days to securing it :) – ShrekOverflow Feb 11 '12 at 14:08
  • @RobW Last question: will Flash solve these security flaws? Or is it hackable the same way too? – ShrekOverflow Feb 11 '12 at 14:09
  • @Abhishek Requiring flash will stop players without flash from playing your game. Flash does not solve these issues either. Have a look at [this question](http://stackoverflow.com/questions/3438588/how-safe-is-the-future-of-browser-gaming), and the linked questions. – Rob W Feb 11 '12 at 14:35
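Rob W's comments above argue that the server, not the client, should compute events and scores and should reject play that is not plausible (nobody wins a hard game 20 times in a row within a minute). As an added example, not code from the original answers, here is a small server-authoritative move validator of the kind a Node.js game server could run: it ignores any client-supplied score, checks each move against server-side state, and rate-limits moves that arrive faster than a human could send them. GameSession, applyMove, the 8x8 board and the 5-moves-per-second limit are all assumptions.

```javascript
const MOVE_POINTS = 10;          // points the server awards per accepted move
const MAX_MOVES_PER_SECOND = 5;  // anything faster is not a human at a keyboard
const BOARD_SIZE = 8;

class GameSession {
  constructor() {
    this.score = 0;               // authoritative score; never read from the client
    this.position = { x: 0, y: 0 };
    this.moveTimes = [];          // server-side timestamps of accepted moves
    this.rejected = 0;
  }

  // Validate one client-submitted move. The message may be forged or edited in a
  // debugger, so every field is checked against server state; a client-supplied
  // "score" field, if present, is simply ignored.
  applyMove(msg, now) {
    const dx = Number(msg.dx), dy = Number(msg.dy);
    const isStep = Number.isInteger(dx) && Number.isInteger(dy) &&
      Math.abs(dx) + Math.abs(dy) === 1;                   // one orthogonal step
    const nx = this.position.x + dx, ny = this.position.y + dy;
    const onBoard = nx >= 0 && nx < BOARD_SIZE && ny >= 0 && ny < BOARD_SIZE;
    // Plausibility check: keep only timestamps from the last second, then count.
    this.moveTimes = this.moveTimes.filter(t => now - t < 1000);
    const tooFast = this.moveTimes.length >= MAX_MOVES_PER_SECOND;

    if (!isStep || !onBoard || tooFast) {
      this.rejected++;
      const reason = !isStep ? 'bad-step' : !onBoard ? 'off-board' : 'too-fast';
      return { ok: false, reason };
    }
    this.position = { x: nx, y: ny };
    this.moveTimes.push(now);
    this.score += MOVE_POINTS;    // the server, not the client, computes the score
    return { ok: true, score: this.score };
  }
}

// Constructed sample traffic: what a cheating client might send, with fake times.
function demo() {
  const s = new GameSession();
  const results = [
    s.applyMove({ dx: 1, dy: 0, score: 999999 }, 0),  // valid; score claim ignored
    s.applyMove({ dx: 3, dy: 0 }, 100),                // teleport: rejected
    s.applyMove({ dx: 0, dy: -1 }, 200),               // off the board: rejected
  ];
  for (let i = 0; i < 5; i++) results.push(s.applyMove({ dx: 0, dy: 1 }, 300 + i));
  return { results, score: s.score, rejected: s.rejected };  // score 50, rejected 3
}
```

The same shape applies to a WebSocket handler: the transport does not matter, because the validation happens on state the client never controls.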

You can't trust anything that runs on the client's hardware, and that's it. Even with the example you've given, anyone could easily modify and reload your script to cheat. Your best bet here, then, is not to put any extra effort into this, but rather to write your application normally and run it through a preprocessor like UglifyJS. The anonymous function pattern indicated by Rob in his answer is also common.

Also, about the MD5 hash thing - no, even if it's in "private scope" you can still view and modify it in a JavaScript debugger. The point here is that someone will always cheat because of the entire nature of the JavaScript execution environment - it's just that you'll need to make it as difficult as possible to cheat by obfuscating your code (obviously using a preprocessor) and other similar techniques.

aviraldg

JS code is always available; you may want to obfuscate your code to make cheating harder.

Gabo Esquivel

All security can be circumvented with enough time. The goal of every security measure is to increase the time it takes to crack. What Rob W says will help, but I suggest you also invest in obfuscation/minimization of your JavaScript, which will have a much greater impact on the time and effort required to analyze it and create fake AJAX requests than avoiding global variables.

However, I concur that a JavaScript-based application can never be very secure. The best you can hope for is "annoying to hack".

How can I obfuscate (protect) JavaScript?

Gus