From: Pedro Machado Santa on 1 May 2010 12:43

Hi all.

I want to distribute a simple game on the web using Javascript and HTML5 and to keep record time scores on the web. But for that I want to protect client-side execution of some scripts and Ajax calls.

Does anyone have some thoughts/ideas on how can I accomplish/secure this?

Cheers. Much appreciated.

--
Pedro Machado Santa

From: Thomas 'PointedEars' Lahn on 1 May 2010 13:14

Pedro Machado Santa wrote:

> I want to distribute a simple game on the web using Javascript and
> HTML5 and to keep record time scores on the web. But for that I want
> to protect client-side execution of some scripts and Ajax calls.
>
> Does anyone have some thoughts/ideas on how can I accomplish/secure
> this?

Probably yes. However, the first step in creating a security concept is not to define how to protect, but to define what to protect from which kind of attack from whom. ISTM you have yet to make that step.

<http://jibbering.com/faq/#posting>

PointedEars
--
Prototype.js was written by people who don't know javascript for people who don't know javascript. People who don't know javascript are not the best source of advice on designing systems that use javascript.
  -- Richard Cornford, cljs, <f806at$ail$1$8300dec7(a)news.demon.co.uk>

From: VK on 1 May 2010 13:18

On May 1, 8:43 pm, Pedro Machado Santa <pedro.sa...(a)gmail.com> wrote:

> I want to distribute a simple game on the web using Javascript and
> HTML5 and to keep record time scores on the web. But for that I want
> to protect client-side execution of some scripts and Ajax calls.
>
> Does anyone have some thoughts/ideas on how can I accomplish/secure
> this?

What exactly do you mean by "protect"? Make it not possible to view the source code on the page? Make it unavailable to other program running on the page? Something else?

From: Pedro Machado Santa on 1 May 2010 14:06

On May 1, 6:14 pm, Thomas 'PointedEars' Lahn <PointedE...(a)web.de> wrote:

> Probably yes. However, the first step in creating a security concept is not
> to define how to protect, but to define what to protect from which kind of
> attack from whom. ISTM you have yet to make that step.

Concisely, I want to protect fake score submission, either by using javascript console to run calls/commands and by altering the code and running it locally and thus submit fake scores, from players with hacker skills wanting to figure on a top ten.

I thought of a possible solution which was to send to the server the game state in each play - or in my case in each frame, since it's a racing game - and run the game and validate the "trajectory" on the server, but I was wondering if there was a less call intensive way to accomplish this.

Right now, I think that the most cost effective - even though not high but reasonably secure - would be to, on a game start, send to the client some sort of random key that would be used to verify game condition calls, and somehow hide that key from the user.

Thanks for your reply Thomas.

Cheers.

--
Pedro Machado Santa

From: Pedro Machado Santa on 1 May 2010 14:16

On May 1, 6:18 pm, VK <schools_r...(a)yahoo.com> wrote:

> What exactly do you mean by "protect"? Make it not possible to view
> the source code on the page? Make it unavailable to other program
> running on the page? Something else?

I want to protect unwanted arbitrary execution of server calls by the user/hacker so everyone plays - and could be rewarded - on (the most) equal set of conditions.

I think that making the source code not visible is a very weak way to secure the game because Javascript is plain text and I don't know of a proper way to do that "cloaking".

Another way to do that is to make sure that the server calls are only originated from the javascript code, and not from any type of console, and to make sure that the Javascript wasn't altered - I was thinking if I can use some sort of hashcode to do that.

Thanks for your reply VK.

Best regards.

--
Pedro Machado Santa
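
An added example, not written by any poster in this thread: a server-side (Node.js) sketch that combines the two ideas raised above, a server-issued value at game start and validation of the "trajectory" on the server, using a single request at the end of the run instead of one call per frame. The track, the physics, the constants and all function names are assumptions made up for illustration.

```javascript
// Added example (not from the thread). Toy track, physics and names are assumptions.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32);   // stays on the server
const FRAME_MS = 16, TRACK_LEN = 1000, MAX_SPEED = 10;
const usedRuns = new Set();                  // run ids that were already scored

const sign = (body) => crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');

// Game start: the server issues a signed run ticket (tamper-evident, not secret).
function startRun(now) {
  const body = JSON.stringify({ id: crypto.randomBytes(16).toString('hex'), issuedAt: now });
  return { body, mac: sign(body) };
}

// Deterministic simulation, identical on client and server.
// inputs[i] is the throttle for frame i: -1 (brake), 0 (coast) or 1 (accelerate).
function replay(inputs) {
  let pos = 0, speed = 0;
  for (let frame = 0; frame < inputs.length; frame++) {
    if (![-1, 0, 1].includes(inputs[frame])) return null;  // illegal input value
    speed = Math.min(MAX_SPEED, Math.max(0, speed + inputs[frame]));
    pos += speed;
    if (pos >= TRACK_LEN) return frame + 1;                // frames needed to finish
  }
  return null;                                             // never crossed the line
}

// Game end: one request carrying the ticket, the input log and the claimed result.
function submitScore(ticket, inputs, claimedFrames, now) {
  const expected = Buffer.from(sign(String(ticket.body)), 'hex');
  const given = Buffer.from(String(ticket.mac), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return 'bad ticket';
  const { id, issuedAt } = JSON.parse(ticket.body);
  if (usedRuns.has(id)) return 'ticket already used';
  if (!Array.isArray(inputs) || inputs.length > 100000) return 'bad input log';
  const frames = replay(inputs);
  if (frames === null || frames !== claimedFrames) return 'replay mismatch';
  // A real run cannot take less wall-clock time than its frames represent.
  if (now - issuedAt < frames * FRAME_MS) return 'faster than real time';
  usedRuns.add(id);
  return 'accepted';
}
```

The server trusts only what it recomputes: the score comes from replaying the inputs, so a request typed into a console is accepted only if it carries a valid, unused ticket and an input log that really finishes the track in the claimed number of frames.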