To answer your questions directly:
Q - "Can a hacker / tweaker just change the destination of my Ajax request to its local files?"
A - If your script is not obfuscated then yes, they can change the destination of the AJAX request to use their own game server. Even obfuscated scripts can be unpacked so that the hacker can change the destination, but what are the consequences of doing so? They will have their own version of the game, which does its own thing talking to its own server ... It is hardly a real problem if there are no secrets to unlock in the client game, secrets that running one's own server could make slightly easier to reveal than just reading the client source.
The game server could, nevertheless, protect game secrets so that these secrets are displayed as a payload script during the game ... In this case, you will need to read.
Q - I know this is a very broad question, but are there any recommendations that you can recommend? ... I'm not sure how to verify the validation on the server side.
A - To prevent falsification of the game state and statistics on the game server, that, I do not believe that you are asking ... what are you asking, how to prevent the game client from having an incorrect game state, which is impossible: as soon as the client code leaves your server it can be faked, and any preventive measures will also be contained in the client code and are inherently reversible and therefore bypassable ...
Countermeasures to prevent hacking game server statistics
Assuming that the client is the authority on the current game score, and the server does not hold an authoritative version of the game session and receive user input updates from the client (in that case the user input must be sanitized, but it makes it difficult to synchronize the state from the server to the client, and it will be sensitive to latency problems).
It seems that this is a problem with no ideal solution at all that completely mitigates hacking, let alone for a JavaScript game. For example in Flash, which is compiled, the problem is still apparent: "What is the best way to prevent people from hacking the high score table based on PHP flash-games", and even at the system executable level: "How can I protect my .NET assemblies from decompilation?".
JavaScript is not compiled and is sent as plain text, so it does not have even these obstacles (which can be worked around) to hacking.
I compiled an approach to mitigate this problem, from various related resources and some Google searches, of my game:
```javascript
var score = 0;

function increaseScore() {
    score++;
    sendScore();
}

function sendScore() {
    // Ajax request that sends the score to the server
}
```
1. Closure: Wrapping the current code in a closure will prevent functions and variables from being called through the browser console. It does not prevent breakpoints, or simply modifying the script to remove the closure.
```javascript
(function() {
    var score = 0;

    function increaseScore() {
        score++;
        sendScore();
    }

    function sendScore() {
        // Ajax request that sends the score to the server
    }
})();
```
2. Obfuscation: You can use the Dean Edwards packer, or just minify the code using something like Closure Compiler. Minification will not prevent viewing and changing variables through the browser console, but both will make the source hard for humans to understand, which requires the hacker to find sensible breakpoints for inspecting it.
The Dean Edwards packer turns the script into a string that is evaluated, making it impossible to add breakpoints to the original script. However, the script can be unpacked, and the hacker can use the unpacked script instead to add breakpoints.
```javascript
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('(1(){6 2=0;1 3(){2++;4()}1 4(){}1 5(){7(1(){3()},8)}5()})();',9,9,'|function|a|increaseScore|sendScore|run|var|setTimeout|1000'.split('|'),0,{}))
```
3. Encryption: The client encrypts the scores before sending. This will not prevent the score from being changed through the browser debugger if the hacker has access to the encryption function, but it will prevent simple falsification of the scores in the server request.
4. Game instance token: The server includes a unique token in the request, which is sent back to the server at the beginning of the game. This prevents a simple script modification (as when unpacking or removing the closure), since the instance token will already have been used by the original script, making it invalid.
A determined hacker will need to remove the code that sends the token back to get around this; they will also need to ensure that the scores sent back logically follow from the original copy of the game (see step 6, and made a lot more complicated because of step 5).
```javascript
(function() {
    var score = 0;
    var token = "abcdef123456789"; // Inserted by server side code
})();
```
5. Scoring token: The server sends a token for the next score encryption. This reduces the size of the attack window. If the hacker has found the code that encrypts the score to be sent, he still needs to get the correct token for the current score update.
```javascript
(function() {
    var score = 0;
    // Yes it would be easy to simply add items onto this queue
    // the closure and packing to prevent breakpoints, plus the
    // session token are required to prevent this
    var queue = [];
    var token = "abcdef123456789"; // Inserted by server side code
    var sending = false;

    function increaseScore() {
        score++;
        queue.push(score);
        if (!sending) sendScores();
    }

    // Scores now need to be sent sequentially, the last
    // score sent response will have the next scores token
    function sendScores() {
        sending = true;
        var encrypted = encryptScore(queue.shift(), token);
        // Ajax send encrypted, send next score when
        // response received, if there is a next score
        // in the queue, otherwise stop sending
        // (sending = false)
    }

    function encryptScore(score, token) {
        // Uses some encryption lib
    }

    function sendToken(callback) {
        // Ajax send token, sets new token value from server response
    }

    function run() {
        sendToken(function() {
            setTimeout(function() {
                increaseScore();
            }, 1000);
        });
    }

    run();
})();
```
6. Server side validation: The server checks whether the user's score has increased by more than would be possible (or has even decreased, through reuse of the instance token above). This may be a step between successive score updates that is too large or illogical, or a score that increased too quickly over a certain period.
7. Blacklisting: Quarantine users and sessions that show fraudulent behaviour, so that hackers do not notice that they were detected, and their scores are silently removed from the pool of valid scores.
8. Greylisting: Flag users or game sessions that come very close to the ideal scoring scenario for manual investigation, to possibly be blacklisted.
In general, I would create as much audit data as possible in order to try to control the situation, manually intervene where necessary, and add additional preventive measures, as problems recur in the real situation.
In addition, since there is no perfect solution to this problem, the aim is just to make it as difficult as necessary so that it is not worth the time it takes to crack. There will always be persistent hackers who can get past this, but keep it in perspective: if a hacker tried to crack the scores with the existing countermeasures in place, what would the result be, and is it worth the time to bypass them?
I'd guess that commercial game makers use most of the tricks in the book, but even this will depend on budget and risk.
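The server half of the instance token, scoring token, server side validation and blacklisting steps, as an added Node.js example that is not part of the original answer. It uses an HMAC keyed with the scoring token in place of the unspecified "encryption lib"; the function names, `MAX_STEP` and `MIN_INTERVAL_MS` are assumptions chosen to match the one-point-per-second sample game.

```javascript
const crypto = require('node:crypto');

const MAX_STEP = 1;          // assumed: the sample game adds 1 point per update
const MIN_INTERVAL_MS = 900; // assumed: the sample game scores about once per second
const sessions = new Map();  // instance token -> server-side session state

const newToken = () => crypto.randomBytes(16).toString('hex');
// Stand-in for the client's encryptScore(): a MAC over the score, keyed by the token.
const sign = (score, token) =>
  crypto.createHmac('sha256', token).update(String(score)).digest('hex');

// Instance token: issued once, when the game page is served.
function issueInstance() {
  const instance = newToken();
  sessions.set(instance, { started: false, score: 0, quarantined: false });
  return instance;
}

// The client sends the instance token back once; a second copy of the script fails here.
function startGame(instance, now) {
  const s = sessions.get(instance);
  if (!s || s.started) return null;
  Object.assign(s, { started: true, scoreToken: newToken(), lastUpdate: now });
  return s.scoreToken;
}

// Scoring token first, then plausibility of the score itself.
function submitScore(instance, score, mac, now) {
  const s = sessions.get(instance);
  if (!s || !s.started) return { ok: false };
  const expected = Buffer.from(sign(score, s.scoreToken));
  const given = Buffer.from(String(mac));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false }; // stale or forged scoring token
  const step = score - s.score;
  if (!Number.isInteger(score) || step < 1 || step > MAX_STEP ||
      now - s.lastUpdate < MIN_INTERVAL_MS)
    s.quarantined = true; // blacklisting is silent: the reply looks normal
  Object.assign(s, { score, lastUpdate: now, scoreToken: newToken() });
  return { ok: true, nextToken: s.scoreToken };
}

// Only sessions that were never quarantined contribute to the high score table.
function validScore(instance) {
  const s = sessions.get(instance);
  return s && !s.quarantined ? s.score : null;
}
```

The `now` argument is passed in rather than read from the clock so that the rate check can be exercised with fixed timestamps.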