Avoiding CSRF when serving AJAX or Flash requests

views:

answers:

Avoiding CSRF when serving AJAX or Flash requests

I have a Flash based game for the browser which sends users' scores to a php backend script which stores the score and the user id in the database.

Now I have a url like www.example.com/update.php?score=200&uid=234

The problem is that this is very much exposed to an intelligent user, and he can use this url to store whatever score he wants in the DB. Also there's no real user authentication, and I don't intend to have one either, because it's really a tiny game.

How can I stop someone from calling the above url and updating his score on his own.

You can't.

This isn't a question of CSRF anymore. Because you don't have any authentication whatsover, anybody on earth can update everybody else's score. There is just no way to prevent that from happening.

If you are concerned about security, authenticate the user. That will atleast prevent an attacker from updating scores en masse.

Then, fix your CSRF problem. With each of those urls, you need to append a unique token.

sri 2010-09-15 20:53:46

Thanks for the reply. Ya I kind of figured that it's not really a CSRF problem. I need to alter my question to this:If I need to send data from my flash app to my server, whats the best way of safe guarding it so that not just anyone can send valid data on their own?I figure I can encrypt my the data that the flash app sends and then decrypt it at the backend and update my DB only if it valid. This is with the assumption that an intelligent user can't still figure out how I am encrypting the data.

Paganwinter 2010-09-17 08:12:21

The only way to do that is to authenticate your users with a loginid/password. Encrypting the data is not a solution, because if you have to store the key in the flash swf file, and an intelligent user can easily extract that key from the file.

sri 2010-09-17 20:12:51

+1 A:

You might want to read about the "Marblecake" hack of an online polling system.

Substitute the concept of "submitting a vote" with "submitting a score" and you'll see that any client-side control is bound to fail.

While a good step might be to encrypt the score or use an HMAC to prevent tampering, your encryption will be done in the Flash client and the Flash app can be reverse-engineered for the key (it increases the effort required to cheat, but won't prevent cheating).

In order to minimize cheating, you'd have to move the scoring logic to the server and you'd have to run sanity checks or otherwise validate players' actions; otherwise, the approach to cheating would be executing invalid actions that lead to more points rather than just reporting the final score. (That last bit is vague since it's not clear what kind of game this is.)

At the very least, you should be able to tie score updates to a specific user so that cheaters can only affect their own score and not others'. I can only think of ways to bound the effect of cheating, such as rate limiting so that if an average game is N minutes, the server only accepts around 60/N score updates per hour . Or use some other metric/time period. But for what you describe as a tiny game that's probably not worth the effort -- especially since it only bounds the problem, it doesn't solve it.

Mike 2010-09-20 21:00:45

ansaurus

tags:

views:

answers:

Avoiding CSRF when serving AJAX or Flash requests

related questions