Webapp Security for Logic Game Client Actions

I am working on a browser game using Canvas, available in HTML5. However, I realized that I have a serious vulnerability in the system. The game score and other statistics about the game are calculated on the client side in JavaScript and then transferred to the server for storage and comparison with other players through XMLHttpRequest. This obviously leaves the statistics open to manipulation and potential cheating.

I am worried about porting them to the server side due to latency issues. I expect the timing will be tight.

Are there any other smart ways to solve this problem? I assume that more and more games will have to deal with this as HTML5 grows.

4 answers

Not really. Your server in this scenario is nothing more than a database that trusts the client. You can obfuscate, but people can easily figure out what your API does. This is an unsolvable problem with all standalone games, and that is why you see Blizzard making Diablo 3 a client-server game. The fact that it is a JavaScript game just makes it even more transparent and easy for people to debug and exploit.


Why don't you just send the data to the server every time the client scores a point, and then keep a local score as well?


Unfortunately, you cannot do this. Minifying / obfuscating the code is always a good option. I'm not quite sure, but I think wrapping your code inside

(function() { /* code */ })(); 

should protect any variables from being edited by users (unless they are attached to an object like window). But users can still use your ajax call and send any score they want to the server. Just never trust anything done on the client side. Validate everything server-side.

EDIT: Another thing I thought about: maybe generate some code on the server side and send it to the browser. Then, with each ajax call, send this code back to make sure that it is you and not some malicious user.


100% security is not achievable when you have to trust data from the client. However, you can make cheating harder by obfuscating the JS code as well as the data you send from the client.

I have an idea similar to gviews' comment.

On the server, you should track the players' progress in the game using batch updates that you regularly send from the client at some interval... The player will not notice it as latency, and you will have a tool to detect obvious cheaters. You know the starting point of a player's game, so you can easily spot cheating from the start.

In addition, I would suggest using some checkpoints where you could compare the real state of the game on the client with the state on the server. (The client state will not change if the cheater only modifies the server updates sent via XHR.)

There are many ways to make cheating harder, and it is quite individual for each game... there is no standard that solves all of this.


Source: https://habr.com/ru/post/1369262/
