All geek questions in one place

Best way to ensure that data is sent to URLs from Java

I am developing a small game (in Java) for term paper and the extension that I decided to do is an online scoreboard. As I thought this could happen, several people in my course figured out how to crack the scoreboard and submit their own grades.

I know that in the current way of presenting points there are several problems, but here it is. The game generates a rating, and then an HTTP GET on the URL with the parameters of the player ID, score and password.

I could change this as POST, as it can be harder to get the password data. In addition, I am considering running this protocol via HTTPS (although I don't know if this is more complicated in Java). Unfortunately, this does not stop the main way that people found a password that was decompiled by Java code.

I do not know how best to prevent hacking. I do not mind too much, but it is not so important, but it would be nice to provide it, therefore, when the code is marked, it does not load spam.

What would be your suggestion on how to obfuscate the code and / or ensure the security of the whole process?

+4
source share
3 answers

What you can do is switch from anonymous to user tracking. This does not interfere with the fake, but makes it more durable.

The main protocol may be that the change of the account card is signed or encrypted using the session key. A session key is created when the player himself enters the system. Here you can work using the appropriate authentication system.

Now, at least you know which account the change occurred with, and you can blame your student ...

+2
source

Your approach just doesn't work. When you need to protect something, you cannot run it on the client.

Instead, the entire game should run on the server, and users can only send moves. Thus, you can check the moves (so that players can not create illegal states) and calculate the correct result.

Everything else can always be hacked. If you don’t encrypt the data, you can crack it using a network sniffer. If you use HTTPS, hackers can use a proxy server to decode data (a person in an average attack ).

+7
source

Obfuscation will not help you. This will just make it harder for hackers, but certainly still possible.

To ensure the whole process (at least to some extent), you should not have the game logic code on the client. The client should only send game commands to the server. After receiving the commands, the server should check if the user can execute the prescribed commands.

Thus, even if your colleagues send the command β€œset jeff score 9999”, the server will check if jeff really played a game that gave him 9999 points, if not, you can just show an error message to the client.

General rule: if something is on the client, the client can change it. Most people give in to trying to make it difficult for the client to change it is useless, as it is only a matter of time before they do it.

+2
source

Source: https://habr.com/ru/post/1335532/

More articles:


All Articles