Post/Request Ajax are readable?

  • Hello,

    I'm making a game which uses the post/request function for Ajax in Construct 2 R99. I use it to upload save data and to submit online highscores. I used this tutorial to make it work.

    I thought it was pretty secure, but it seems like it's very easy to hack. You can just inspect the element of the game in Chrome via F12. If you click on the "Network" tab, you can see all the PHP files and links.

    That means everyone can just use that link to post their fake scores and save data.

    Is there a solution for this problem? I hope there is, because I put a lot of effort in the online aspect of my game. :(

    Thanks,

    Thijs

  • This is a difficult problem shared by most web games. You just have to come up with something really complicated that will be hard to guess...

  • Isn't POST data hidden? I mean, you may see the link to the PHP file, but it doesn't actually show the data in the URL like GET does.

  • nope, it's super easy to preview what is sent via post.

    One way to secure it is to use HTTPS (via SSL), or to make it more difficult to post fake scores using cryptography via a 3rd party plugin; if I remember right it's called "cb hash". Construct itself does not have MD5 calculation implemented, so for Arcade there's no way to do this.

    hope that helps

    also, this forgotten topic: http://www.scirra.com/forum/md5-maybe_topic54223_page2.html

  • Forget md5, that algorithm has been abandoned. Even sha1 - vastly superior to md5 - is considered "weak".

    md5 should only be used for legacy purposes, and you should NEVER implement security unless you're absolutely sure of what you're talking about. Even though I have the required expertise to build a fairly secure scoring system, this is exactly the kind of stuff better left to Ashley.

  • Some sites use a "crumb", which is a short string of characters that only the server can send. When the client sends any data back to the server, it appends this crumb. The crumb only works for a few minutes (basically the life of that session) and then becomes invalid. Hackers cannot break this as easily because they won't know at any given time which crumb is valid, and cannot generate them client side. What this would mean is that while a dedicated hacker might be able to spoof your Ajax for a few minutes given the current crumb, this door closes quickly and prevents them from doing it "whenever".

    browser asks for game

    server sends game and a crumb

    browser saves crumb

    browser wants to write some data back to the server

    browser sends crumb along with request.

    server validates the crumb and accepts the request -or- server invalidates the request because of a bad crumb

  • browser asks for game

    server sends game and a crumb which can be seen by hacker, so hacker writes it down

    browser saves crumb

    browser wants to write some data back to the server

    hacker sends his malicious data with his crumb

    browser sends crumb along with request. - hacker block this request

    server validates the crumb and accepts the request

    Bad logic, I'm afraid.

    i still recommend ssl :)
