
I'm developing an HTML5 game using JavaScript and canvas, and I wonder how to protect it from the Firefox Scratchpad or any other script-injection tool like it.

If any user can run their own code inside mine, I really don't see how to prevent them from calling the onWin() method or modifying their score to 1 billion and so on.

That's such a huge security breach that I'm now thinking about re-coding it in Flash or Java.

What do you think?

Regards.

Stnaire
  • Recoding to Flash or Java doesn't matter if you are only going to do checks client-side. – PeeHaa Jan 22 '14 at 12:01
  • I don't see what kind of check I could do on the server side to detect if the request is legitimate or not. When the user wins a level, I could do an AJAX request to update the database, but using the Scratchpad, any user could call this without playing, or set all objective flags to "true" before the call, etc. Any additional information I could add to the request may be seen by the user. The server can't know if the level has really been played or not. – Stnaire Jan 22 '14 at 12:17

1 Answer


Here is what you need to do:

  • On the server side you need to check that only an authorized user is able to update any data on the server.
  • So if any update request comes to the server from a client, before updating you need to make sure the client is authorized to do so.
Falaque
  • With the Scratchpad a user can call internal code of the game, so code in an authorized context, etc. There will be no difference between a call to the onWin() method from the game loop or from the Scratchpad. How to differentiate them? – Stnaire Jan 22 '14 at 12:20
  • You can't differentiate in JavaScript. In fact, a user from the client can send any crap. You need to differentiate on the server. – Falaque Jan 22 '14 at 12:26
  • So I don't see how to implement your first suggestion. – Stnaire Jan 22 '14 at 12:45
  • How? You can always do checking on the server side. – Falaque Jan 22 '14 at 13:13
  • What kind of check do you have in mind? The client code creating the query will be the same in both cases. – Stnaire Jan 22 '14 at 13:52
  • But your design should rely upon security on the server side. There is no security on the client side. – Falaque Jan 23 '14 at 04:29
  • But how do you want to differentiate the requests on the server side, considering the requests and the client code creating them will be exactly the same in a legitimate case or using the Scratchpad? – Stnaire Jan 23 '14 at 18:03
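An added example (not code from the question or the answer) of the server-side check the thread circles around: the client never submits a score or a "won" flag, only the raw moves it made, and the server replays those moves against its own copy of the level rules and derives the outcome itself. The level layout, scoring rule and request shape below are constructed for the example; in a real deployment this sits behind the session/authorization check the answer describes.

```javascript
// Server-side, authoritative copy of the level rules (constructed example).
// A 5x5 grid; the player starts top-left and must visit every target cell
// within maxMoves. The client has no say in any of these values.
const LEVELS = {
  1: { width: 5, height: 5, start: [0, 0], targets: [[2, 2], [4, 0], [1, 4]], maxMoves: 14 },
};

const STEP = { U: [0, -1], D: [0, 1], L: [-1, 0], R: [1, 0] };

// Replays a submitted move list on the server. Returns { valid, won, score, reason }.
// Anything the rules reject invalidates the whole submission, so setting
// "objective flags" client-side gains nothing: the server never reads them.
function validateSubmission(levelId, moves) {
  const level = LEVELS[levelId];
  if (!level) return { valid: false, won: false, score: 0, reason: "unknown level" };
  if (!Array.isArray(moves) || moves.length > level.maxMoves) {
    return { valid: false, won: false, score: 0, reason: "malformed input or too many moves" };
  }
  let [x, y] = level.start;
  const remaining = new Set(level.targets.map(([tx, ty]) => `${tx},${ty}`));
  for (const m of moves) {
    const d = STEP[m];
    if (!d) return { valid: false, won: false, score: 0, reason: `illegal move token ${String(m)}` };
    x += d[0];
    y += d[1];
    if (x < 0 || y < 0 || x >= level.width || y >= level.height) {
      return { valid: false, won: false, score: 0, reason: "moved off the board" };
    }
    remaining.delete(`${x},${y}`);
  }
  // Score and win state are computed only from facts the server established
  // during the replay: targets actually reached and moves actually spent.
  const collected = level.targets.length - remaining.size;
  const won = remaining.size === 0;
  const score = collected * 100 + (won ? (level.maxMoves - moves.length) * 10 : 0);
  return { valid: true, won, score, reason: won ? "ok" : "targets remaining" };
}

// Body of a hypothetical /level-complete endpoint: only levelId and moves are
// read from the request; a claimed score or won flag is simply ignored.
function handleLevelComplete(body) {
  return validateSubmission(body.levelId, body.moves);
}
```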