Post/Request Ajax are readable?

Discussion and feedback on Construct 2

Post » Tue Aug 21, 2012 10:36 am

Hello,

I'm making a game which uses the POST/request function for Ajax in Construct 2 R99. I use it to upload save data and to submit online highscores. I used this tutorial to make it work.

I thought it was pretty secure, but it seems like it's very easy to hack. You can just inspect the element of the game in Chrome via F12. If you click on the "Network" tab, you can see all the PHP files and links.

That means everyone can just use that link to post their fake scores and save data.

Is there a solution for this problem? I hope there is, because I put a lot of effort in the online aspect of my game. :(

Thanks,
Thijs

Post » Tue Aug 21, 2012 2:13 pm

This is a difficult problem shared by most web games. You just have to come up with something really complicated that will be hard to guess...
Scirra Founder

Post » Tue Aug 21, 2012 4:14 pm

Isn't POST data hidden? I mean, you may see the link to the PHP file, but it doesn't actually show the data in the URL like GET does.

Post » Tue Aug 21, 2012 4:26 pm

Nope, it's super easy to preview what is sent via POST.

One way to secure it is to use HTTPS (via SSL), or to make it more difficult to post fake scores using cryptography via a 3rd-party plugin; if I remember right it's called "cb hash". Construct itself does not have MD5 calculation implemented, so for the Arcade there's no way to do this.

Hope that helps.

Also, this forgotten topic: http://www.scirra.com/forum/md5-maybe_topic54223_page2.html

Last edited by ranma, 2012-08-21 16:29:10

Post » Tue Aug 21, 2012 5:18 pm

Forget MD5; that algorithm has been abandoned. Even SHA-1, vastly superior to MD5, is considered "weak".

MD5 should only be used for legacy purposes, and you should NEVER implement security unless you're absolutely sure of what you're talking about. Even though I have the required expertise to build a fairly secure scoring system, this is exactly the kind of stuff better left to Ashley.

Post » Tue Aug 21, 2012 9:40 pm

Some sites use a "crumb", which is a short string of characters that only the server can send. When the client sends any data back to the server, it appends this crumb. The crumb only works for a few minutes (basically the life of that session) and then becomes invalid. Hackers cannot break this as easily because they won't know at any given time which crumb is valid and cannot generate them client side. What this would mean is that while a dedicated hacker might be able to spoof your Ajax for a few minutes given the current crumb, this door closes quickly and prevents them from doing it "whenever".

browser asks for game
server sends game and a crumb
browser saves crumb
browser wants to write some data back to the server
browser sends crumb along with request.
server validates the crumb and accepts the request -or- server invalidates the request because of a bad crumb

Post » Tue Aug 28, 2012 10:23 am

browser asks for game
server sends game and a crumb, which can be seen by the hacker, so the hacker writes it down
browser saves crumb
browser wants to write some data back to the server
hacker sends his malicious data with his crumb
browser sends crumb along with request - hacker blocks this request
server validates the crumb and accepts the request

Bad logic, I'm afraid.

I still recommend SSL :)

