I have made a basic javascript game of blackjack (21) were the page does not refresh/post. I am wanting it to change a entity in a database (money) with out a user being able to easily access the page/method of changing the database. I was thinking about ajax but even this way a user could finde the page and then access the db. Is there a better way of doing this??? Thanks.
See this question for reference:
Preventing cheating for on-line arcade high score board
Blackjack is a simple enough game however where you can simulate every single variable server side, there is no need for client side processing in your case. Move all your code to the server side, feed the result to the client, feed the clients actions back to the server and it will be for all intents and purposes cheat proof.
This way, the client cant send scores/card ID's etc, only their actions stick|split|draw etc.
Anything the client can do, the client can hack. Javascript is quite open and not secure.
You can type javascript:... in the address bar and execute code arbitrarily, including calling any function in your application.
Related
I'm new to Android programming and I'm trying to create an app which needs a persistent remote database. Now, coming from Java and local databases, I've always connected application and database directly, without an intermediary.
I'm not seeing the point of this workaround, can someone please make this clear? I've tried searching on Google, but it seems everybody assumes this as a principles (or maybe I need to look for better keywords).
The most important argument that I can think of right now is SECURITY/QUERY VERIFICATION.
You most likely want to use an online database (perhaps MySQL) because you want to store shared information between ALL users of your application in it. The major difference between a local and an online database is that many many users have access to it - both writing and reading access.
So imagine you have your android application and now want to save some user generated data from it in your online database. Assume there is no PHP intermediary: The app directly sends the finished MySQL request to the database.
But what happens if someone looks into the source code of your app or uses any other way to manipulate that request? Let's say he changes a query from
SELECT * FROM user WHERE ID=9434896
to
SELECT * FROM user
Exactly - he gets all information from your user data table, including sensitive data such as passwords or E-Mail Addresses.
What evaluates these queries and prevents them from happening?
Your app surely doesn't, because the user can easily manipulate/change the app.Your MySQL database doesn't check them either, because it always assumes that the query is what the developer actually wanted. As long as the syntax is correct, it will execute it.
And that's what you need the PHP intermediary for:
You send values to a PHP file (e.g. check_login.php receives the values 267432(userid) and hie8774h7dch37 (password)), the PHP file then checks if these values are actually a userid (e.g. "Are they numeric values only?") and then builds a MySQL query out of it.
This way the user has no way to manipulate the query as he wishes. (He can still send wrong values; but depending on the situation it is also possible for a PHP script to check if the values are legit or not)
Perhaps this will give you some context. I built a game on Android and iPhone, and I wanted high scores stored in a remote database.
Security is the main reason you would do this. You should always do data validation on the server side, not client side. By doing it this way, my php script can validate input before making changes on the database. In addition, it is not safe to store database credentials in your apk file. This opens up a range of security vulnerabilities. Safer to keep this on the server side.
Secondly, by utilizing a single PHP script, I only need to debug/manage code that validates data and interacts with my database in 1 place... the php file. This saves me plenty of time rather than updating all of the queries and validating criteria in both the iPhone and Android instances.
I am sure there are other benefits to this approach, but these are the reasons why I do it this way.
It's an abstraction layer. You don't want to code your app to MySQL and then discover your backend is moving to MS-SQL. Also, you control how you present information to the user. If they have access, they can read everything. If you have an abstraction layer, then they can only get information by going through the proper channels.
I'm developing a very, very basic turn-based game using php and jquery and I'm looking at two different ways of keeping track of the current user's score:
1) global javascript variables - for example var currentScore at the beginning of the js. The game action and turns are all controlled via ajax so I don't have to worry about a page refreshing losing the variable data.
2) mysql - create a row with currentScore, user, etc and access it / update it every turn.
I'm trying to balance a) load speed and b) making the score tamper-proof. I'm thinking that local javascript would be fast and less load time but mysql records would be more tamper-proof. Does anyone have any advice as to which is faster and which is more tamper-proof, or perhaps have another way of accomplishing this that I didn't list above?
Run your game in PHP, not in JS.
What I mean to say is instead of allowing the player's computer to control the action, and send the results back to the server...
that allows for people to hijack and send messages to your PHP like auto-firing pistols...
...or headshot scripts ...or speed-hacking.
...or even worse -- sending in messages like: "I just scored 500 points on my turn", and having your PHP script go: "Okay!".
So instead, the core of the game engine should run in PHP, the client should just say: "My character wants to move X squares.", and then the server can say: "No, you're a cheating tool, you can only move 3 squares.", and then the client will have to adhere to those rules.
In this regard, PHP will be 100% in control of the score-keeping.
any data that is not stored on the server will be tamperable. any data sent to the server can be doctored. not only should the server store all of the game data, but it should be validating all incoming data from the client. for instance, do the rules actually allow this player to use the move they are telling me they are using? Otherwise, it will be fairly easy to cheat. Then again, your project may not require that amount of scrutiny.
both,
never trust javascript in games. There will always be a clever player which will mess with it.
Use javascript for the gui part and controlling the game, but always check ALL results in PHP, especially player specific values. Check for the right player!! Else some losers will mess with your game.
Don't worry about speed, just script your game (of course with speed and data in mind) and investigate when you hit performance problems. One issue is important from beginning: think about your database tables and queries. That will become most likely your performnce bottleneck,more then bad php scripting.
It's rare, but I have to pay MS a compliment: the ASP.NET WebMethod (AJAX) authorization is a dream, regarding my desire for security and laziness.
Encosia's ASP.NET page methods are only as secure as you make them absolutely fits those needs. ASP.NET is actually workable for me now. Free at last! (From the noble but disastrous AJAXControlToolkit).
Anyways, the problem is, that's for work. I'm not buying the MS architecture when LAMP's out there for free. I'm new to AJAX, and I can't seem to find a clear answer on how to authorize AJAX calls to PHP in the same way as Encosia above.
Can anyone suggest the PHP equivalent of what Encosia does in the link above?
Thanks in advance!
More Details
OK, let me be more specific. Encosia's solution above gives 401 denied to anyone not logged in trying to access a webmethod. Neat, clean, easy. Before, I tried to user session data to give access, but it, unknowingly to me, forced synchronous mode. Nono.
I need both, for my site. I need to be able to give 401 denieds on certain pages if a user isn't logged in. I need to be able to allow anyone to call other phps via ajax regardless of login.
Clarity
Bottom line: I don't want anyone accessing certain AJAX PHPs unless if they are logged in. I don't care what the response or any other details as long as its' still AJAX. How to?
Not really clear from the question, but if you want to only allow access to your AJAX server side listening scripts (maybe XML or JSON output) to users that have either authed or are on the related page,then how about adding a session identifier to your JS AJAX requests? In the server side script you can check that identifier against maybe a DB table holding your current sessions.
For extra security, you could check against IP, a cookie etc. These are all values that you can set when the session is started.
The main thing you need to ask yourself is this:
If a user is either logged in or browsing, what kind of access to the database do you really want / need to give? Each application will have its own needs. If you are going to have AJAX listeners on your server, then all that's needed is a quick look at Firebug (example) to see where your scripts are and the format of the requests. This could allow a potential security hole to be found. Make sure all your incoming requests are correctly treated so as to remove the possibility of injection attacks.
I am planning on making a game with actionscript 3.0 (flash). However, I am having some security issues on saving user points.
To be more specific, read below and you'll understand what's the exact problem.
You are starting my flash application. PHP creates a session for your username. Playing for few minutes and reaching 750 points.
You click on "Save my points" button.
It connects "game.php?points=[]" with your point amount, hence, game.php?points=750.
PHP connects to MySQL and does an update/insert query with the username you entered when opening application, and gets the points with $_GET['points'] as you can see on 3.
The issue is,
Anyone who could directly browse "game.php?points=999999999999" would have his points saved in the database.
I thought about encrypting the points, however, Flash is a client-side application and anyone could change the "points" value with an application like "Cheat Engine". Once they change the points, encrypted points will automatically be generated by Flash.
I also thought about creating a private key for each player on their signup and encrypt accordingly, but it also won't work because once an user change his points with Cheat Engine, flash will automatically encrypt the points with given private key, hence, another useless theory...
Some people suggested me to use SSL, just because popular companies like Zynga uses it, but I am looking for other theories here.
Any ideas on this case, except using SSL?
Ps. The game will be a MMO, so securing data transaction is an essential.
For a real secure approach you need to move your game's logic to the server as much as possible and ideally make the flash movie just an interface to show the game's current state to the user.
Check out Yeldarb's post in this thread for a good explanation.
First of all SSL doesn't help you at all. It sounds like you have never heard of Tamperdata.
This is a classic CWE-602 violation. Cryptography does not address these problems because the attacker has more control over the application than you do. There is no place to hide a secret.
We are developing a very simple first stage GUI for a company database.
At the moment our time to deliver is rather limited.
So we thought about using a simple SQL stored procedure and retrieve all data.
The data the users are allowed to see is depending on security levels defined in the database and also in our Active Directory.
So after fetching all the data, the GUI displays only what the user has access to view / edit.
My question is if there are any remarkable security issues with this aproach? It should also be noted that both the webinterface and the database are located in our intranet.
Our backend uses W2K3, IIS, PHP 5, SQL 2005
Any feedback would be greatly appreciated
Jonas
Considering the time to deliver (about 1month), it should be rather ok.
First thing: since it is in intranet only, your site should be rather secured since outside world cannot be accessing your site.
secondly, XSS and cross site request forgery should be disabled no matter what.
next, SQL injection.
with these few things in mind, the application should be basically secured.
Don't put an outward facing web server on your internal network. Seriously. Put it in a DMZ.
As far as your data is concerned, will you be filtering based on user access before or after the data hits the web front end? I'd suggest doing it in the proc.
Also, if you can, I'd suggest putting your DB on a separate box as well, for added security.
It is a sound enough approach. This way the data the user is not allowed to see remains in the database.
"So after fetching all the data, the GUI displays only what the user has access to view / edit."
A frequent mistake when dealing with access control on websites is implementing them for the data fetching scenario but not the data writing scenario. This is often the result of the assumption "the user will only send us editing requests on resources that we told her she could edit". Unfortunately...
As I coudln't spot this in your question's content, I'd just recommend making sure you effectively dealt with access control when building the GUI but also when receiving data modification requests.
If we consider the following scenario:
The user fetches data she has legitimate access to.
The user requests edition of that said data. Let's imagine an edition form is now displayed.
The user submits the form with the changes.
Before leaving her machine, the user intercepts the HTTP request and replaces the identifier of the edited resource by another identifier, to which she shouldn't have access.
Does your model ensure that when receiving the editing request, the access control rules are also applied? From a SQL-like scenario, this would translate to asking whether you're using a request template such as the first one below or the second one below:
1) "UPDATE ... WHERE ID = x"
2) "UPDATE ... WHERE ID = x AND (SELECT ... FROM ... WHERE userID = y)"
If your model is more likely to be the first, then you might have an authorization model issue. Else, it should be okay.
Hope it helps.
sb.