tags:

views:

134

answers:

2
+3  Q: 

How safe is "the future of browser gaming"?

HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?

Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:

  • The client-side source code is visible and impossible to hide
  • It is possible to execute Javascript from the command-line

I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?

+3  A: 

Yes, if you designed your game like that, it would be very easy to hack. But why is this specific to HTML5? You could do that with any type of game that was written like that. Even with a native desktop game you could still fake the request. The only difference is that faking HTTP requests is easier than reverse-engineering requests made by a desktop game.

The solution would be to add some kind of "validation" to the victory--the actual algorithm would vary from game to game. Maybe have the server track the game's progress while the user is playing. If it were a game of chess, for example, you could send every move to the server and have the moves validated to make sure they work out correctly. This gets more complicated with real-time games, though.

But whatever algorithm you decide to use, it will be defeated. Even the chess validation that I just mentioned could be bypassed: you could just "create" your own valid game of chess and just send the same moves to the server every time, ensuring that the game was valid. (This is assuming that the player is against a computer--having two humans play against each other would make things easier.)

musicfreak  2010-08-09 09:03:20
Ok, thanks... In this chess game case it would be secure if the computer acts as a referee, receiving moves, checking if they're valid and checking if the current game is a win for one of the players. But it's harder to build such a referee for a platform based game...
Harmen  2010-08-09 09:18:55
@Harmen: Right, which is why big companies spend hundreds of thousands of dollars trying to stop attempts to hack their games. It's not easy. And the more complex and powerful your anti-cheat mechanism becomes, the more expensive it becomes: using more server resources, taking up more of your time, etc.
musicfreak  2010-08-09 09:30:06
+2  A: 

It's no different from any Flash-based game or indeed a game with a downloadable client like World of Warcraft. Anything integral to the game's fairness has to be handled on the server.

Kylotan  2010-08-09 10:32:41
Oh, so true. This has been a problem in multiplayer gaming since its inception. The talk of World of Warcraft reminds me of the episode of Software Engineering Radio from back in 2007. Skip to 20 minutes in http://www.se-radio.net/2007/08/episode-66-gary-mcgraw-on-security/
Cheekysoft  2010-08-09 14:48:05

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security