
javascript - Preventing cheating for on-line arcade high score board - Stack Overflow


I'm going to be developing an online arcade for HTML5/Javascript games written in a to-be-released IDE.

The game will use Ajax requests to the server to record scores when people play these games.

I theoretically have complete control over the design of this, including the mechanics of the code that logs the high scores, game code, everything.

I know it's never impossible to hack client side games such as this or spoof high scores, but I want to make it difficult enough so that anyone competent enough won't be bothered enough to do it (wishful thinking).

I've read:

How can you prevent bogus high scores from appearing on a global high score list?

Which is a slightly different question as this is HTML/JS specific.

My initial idea is that the ajax request checks the source of the request is from the correct location, which is a simple and effective block for most hacking attempts.


asked Dec 20, 2010 at 9:28 by Tom Gullen (edited May 23, 2017 at 11:55)

  • Sorry, the correct location can be spoofed just as any other parameter. Quite easy with userside scripting (like Greasemonkey) - one can just add code to your clientside code, but it will still run from your page (location) – Konerak, Dec 20, 2010 at 9:30

5 Answers

As the previous answer stated you cannot trust the client, therefore your best bet is to split a game up into levels of some sort and have the server control level progression. If the server is tracking each client and their progression it can limit the range of scores achievable. This makes it more tedious to cheat as the client has to simulate going through each level and indicate achievement within the correct score range.
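Added example (not part of the original answer): a sketch of server-controlled level progression, where the server keeps the running total and rejects level reports that are out of order or outside the achievable range. The `LEVELS` table, the minimum-time check and all names are assumptions made for illustration.

```javascript
// Constructed limits: what one level can plausibly yield and how fast.
const LEVELS = [
  { maxPoints: 500,  minSeconds: 20 },
  { maxPoints: 1200, minSeconds: 45 },
  { maxPoints: 3000, minSeconds: 90 },
];

class ProgressTracker {
  constructor() { this.sessions = new Map(); }

  start(sessionId, now) {
    this.sessions.set(sessionId, { level: 0, score: 0, levelStartedAt: now });
  }

  // The client only reports "level N finished with P points"; the server
  // decides whether that is plausible and owns the running total.
  completeLevel(sessionId, level, points, now) {
    const s = this.sessions.get(sessionId);
    if (!s) return { ok: false, reason: 'unknown session' };
    if (level !== s.level) return { ok: false, reason: 'level out of order' };
    const rule = LEVELS[level];
    if (!rule) return { ok: false, reason: 'no such level' };
    if (!Number.isInteger(points) || points < 0 || points > rule.maxPoints)
      return { ok: false, reason: 'points outside achievable range' };
    if ((now - s.levelStartedAt) / 1000 < rule.minSeconds)
      return { ok: false, reason: 'level finished too quickly' };
    s.score += points;        // total is accumulated server-side only
    s.level += 1;
    s.levelStartedAt = now;
    return { ok: true, total: s.score };
  }
}
```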

  • Each time you serve the page, include a randomly generated key and on the server associate the key with the user's session.
  • Pass this key around and manipulate it in obscure ways at various points in your game script.
  • Generate a checksum derived from the score and the manipulated key.
  • Send the checksum to the server along with the score.
  • Validate the checksum on the server.
  • Obfuscate the script.

It won't stop a dedicated hacker though.

Here is one way that is both pretty simple (though not trivial) to implement and very hard to hack and not so simple to hack.

On the server side, have a list of, let's say, 1000 items stored in either a text file or a database.

Each item will be a unique GUID or other unique long string; let's call each item a key.

Now, when you send the AJAX request, send one of those keys as well. It can be random from the list or by incrementing index, it doesn't matter.

Now comes the nice part: after one single "use" of each key (meaning the server got a request with that key and responded to it), remove the key from the file/database. If the server gets a request with a key that does not exist in the list, of course throw an error or return a "no hacking" string.

When the list becomes empty, recreate it with fresh unique keys.

This way the first request with the real key should succeed as usual, but if the user tries calling the exact same request again, it will fail. Guessing the keys is also very hard, assuming those are long random values.

Like any other way, it's flawed due to depending on client side code that can be spoofed by those who know how. But as it's not common, it will be harder for the common folk to find how this works and hack it.
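Added example (not from either answer): the session-bound key with checksum and the single-use key described in the two answers above, combined in one server-side store. It issues keys on demand instead of from a pre-generated list, uses HMAC-SHA256 as the checksum, and `ScoreTokenStore` and `checksumFor` are hypothetical names.

```javascript
const nodeCrypto = require('crypto');

class ScoreTokenStore {
  constructor() { this.pending = new Map(); } // key -> sessionId

  // Called when the game page is served: mint a random key for this session.
  issue(sessionId) {
    const key = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(key, sessionId);
    return key;
  }

  // Called by the score endpoint. The key is deleted before any other check,
  // so a captured request fails when it is sent a second time.
  redeem(sessionId, key, score, checksum) {
    const owner = this.pending.get(key);
    this.pending.delete(key);
    if (owner === undefined) return { ok: false, reason: 'unknown or used key' };
    if (owner !== sessionId) return { ok: false, reason: 'key belongs to another session' };
    const expected = Buffer.from(checksumFor(key, score), 'hex');
    const given = Buffer.from(String(checksum), 'hex');
    if (expected.length !== given.length || !nodeCrypto.timingSafeEqual(expected, given))
      return { ok: false, reason: 'checksum mismatch' };
    return { ok: true, score };
  }
}

// Stands in for what the game script computes before submitting; the server
// recomputes it. The key is visible to the client, so this ties a score to
// one key and one submission; it does not prove the score was earned.
function checksumFor(key, score) {
  return nodeCrypto.createHmac('sha256', key).update(String(score)).digest('hex');
}
```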

This doesn't work for all games but...

If you log all control input on every frame, and also log the RNG seed at the start of the level, it may be possible to re-run the level by replaying the controller input and get the exact same sequence of events. This can be used to verify that the game was actually played and the score was not just made up. It will be expensive to verify every game, but there are other options, e.g. only verify a game if the score would be in the top 100, or test random games and disable the accounts if verification fails.

Then sit back and watch as the cheaters start using robots to play for them instead, which is even harder to defend against.
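Added example (not part of the original answer): replay verification for a toy deterministic game, where the server re-runs the logged inputs against the RNG seed and accepts the score only if the replay reproduces it. The game rules, the mulberry32 generator and all names are assumptions; a real deployment would replay with the seed the server issued for that session.

```javascript
// Small deterministic PRNG (mulberry32) so both sides draw the same sequence.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const LANES = 5;

// Toy game (constructed): each frame a coin appears in a random lane; the
// player moves -1/0/+1 and scores 10 when standing in the coin's lane.
// The same function runs in the browser while playing and on the server.
function simulate(seed, inputs) {
  const rand = mulberry32(seed);
  let lane = 2, score = 0;
  for (const move of inputs) {
    if (move !== -1 && move !== 0 && move !== 1) return null; // illegal input
    lane = Math.min(LANES - 1, Math.max(0, lane + move));
    const coin = Math.floor(rand() * LANES);
    if (coin === lane) score += 10;
  }
  return score;
}

// Server side: replay the per-frame input log and compare with the claim.
function verifySubmission(sub, maxFrames = 36000) {
  if (!Array.isArray(sub.inputs) || sub.inputs.length > maxFrames)
    return { ok: false, reason: 'bad input log' };
  const replayed = simulate(sub.seed, sub.inputs);
  if (replayed === null) return { ok: false, reason: 'illegal input' };
  if (replayed !== sub.score)
    return { ok: false, reason: 'score does not match replay', replayed };
  return { ok: true, score: replayed };
}
```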

Add an md5 hash of the highscore code and compare it on the server. But do not take the md5 exactly of the highscore, not on all chars of the highscore, only some of the chars, like second to last char. In this case it will be difficult to see what the md5 consists of, when just tracing the ajax calls.
