(Weak) protection against highscorehackers

This is a rather complicated problem, since there are a lot of possible attack points. There is no 100% security. All you can do is make it less easy to hack your system.
  1. Protection against spying by loading the complete movie into another movie:

     if (_root != _level0) {
         // holla, someone is spying on us
     }

  2. Protection against disassembling:
     - Hide code by putting important code into movieclips.
     - Hide code by putting code into an external swf. Give the swf a name like pixel.gif.
     - Use complicated names in programming.
     - Write long code which is never used.
  3. Protection against spying with Notepad:
     - Don't use the complete cgi address. It is better to build the address at runtime.
     - Instead of naming your variables like points, user, password, it is better to name them like x34g, fgh65 and qwe223.
     - You can use properties instead of variables to store results, e.g. instead of points = 30; use _root.someMc._x = 30;
  4. Protection against spying with a proxy or sniffer:
     - Use POST.
     - Use absolute server addresses.
     - Encrypt variables and values into one big package.
     - Add tons of useless information.
     - Use GET and POST at the same time.
  5. Protection against calling the server with a manipulated swf:
     - Send _url to the cgi.

taļ-nui Date: 06/09/2001

hi :) another way to hide your AS code is to put this code in frames containing code: void (user)<=user2>"part1,stop ASV!" || 0(!1 && !0); user = "part2,stop ASV!";
B00MER Date: 12/10/2001

Can also add server side code which checks which domain the request is coming from, hence the last bullet point to send _url to your cgi/php/asp/cfm/etc.
biffer Date: 22/11/2001
I found that if you send a unique identifier when the proper high scores are being added to the script (which is verified by the script), then any other entries would become invalid. In this case we were sending scores to a PHP script that stored them in a database. Worked well. www.ifdnrg.com
GavrocheLeGnou Date: 10/04/2002
On most servers, with CGI, PHP, Perl, ... there's a server var telling us which script called this page, and during a "load variables" this var contains the URL of the HTML page containing the Flash movie. E.g.: if the movie is on "http://www.server.com/toto.html" and calls "http://www.server.com/score.php", the request var ($_ENV["HTTP_REQUEST"] in PHP) will contain "http://www.server.com/toto.html". If it doesn't, then someone's trying to access the script outside the Flash movie ... Note: this var can be spoofed with Telnet, so use the POST method and the other protections above :p
Lynx Date: 02/05/2002
GavrocheLeGnou: You can spoof REFERER using custom proxy :)
Yori Date: 07/01/2003
if(_root != _level0){ //holla, we get spyed by someone } this protection sucks :-))) loadMovieClip(url,_level0); :-))))
jb Date: 23/01/2005
While it's not fool-proof, you can inject a PHP session id into the Flash movie at initial run-time. At the same time, add an item into your database's highscores table with the PHP session id as the primary key. So, your table would look like this: session_id | highscore | initials And you would insert a given session_id into the database. Now, if the game does not receive a session_id, immediately disable it. If it does, allow game play. When the time comes to put the highscore into the database, use the session_id when inserting. If the database finds the particular key, it inserts the initials and highscore into the db. If not, no insertion occurs. The ways this method can be defeated: A session_id is captured either from the source in which it is generated.
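The server side of the scheme jb describes above (a pre-issued session_id row that must exist and be unused before a score is accepted), combined with the POST and _url/Referer checks from the tip and the earlier comments, as an added example that is not part of the original post or any commenter's code. It is written in Python with an in-memory SQLite table rather than PHP; ALLOWED_PAGE, TOKEN_TTL, start_game and submit_score are assumed names, and the Referer check is only a weak signal since the comments note it can be spoofed.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

ALLOWED_PAGE = "http://www.server.com/toto.html"  # assumed: the page embedding the movie
TOKEN_TTL = timedelta(minutes=30)                   # assumed: how long a game token stays valid

# Table layout from jb's comment: session_id | highscore | initials (plus an issue time).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE highscores (session_id TEXT PRIMARY KEY, issued_at TEXT,"
           " highscore INTEGER, initials TEXT)")

def start_game():
    """Issue a random one-time session_id and pre-insert its row; the movie gets this value."""
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO highscores (session_id, issued_at) VALUES (?, ?)",
               (sid, datetime.now(timezone.utc).isoformat()))
    return sid

def submit_score(method, referer, form):
    """Return True if the score was recorded; False means nothing was written."""
    # Only POST, and both the Referer header and the _url the movie reports must be
    # the page that is supposed to host the game (weak on their own, cheap to check).
    if method != "POST":
        return False
    if referer != ALLOWED_PAGE or form.get("url") != ALLOWED_PAGE:
        return False
    # Reject values that cannot be a real score or real initials.
    try:
        score = int(form.get("score", ""))
    except ValueError:
        return False
    initials = form.get("initials", "")
    if score < 0 or not 1 <= len(initials) <= 3:
        return False
    # The session_id must have been issued by start_game, must not be expired,
    # and must not already carry a score (blocks replaying a captured submission).
    sid = form.get("session_id", "")
    row = db.execute("SELECT issued_at, highscore FROM highscores WHERE session_id = ?",
                     (sid,)).fetchone()
    if row is None or row[1] is not None:
        return False
    if datetime.now(timezone.utc) - datetime.fromisoformat(row[0]) > TOKEN_TTL:
        return False
    db.execute("UPDATE highscores SET highscore = ?, initials = ? WHERE session_id = ?",
               (score, initials, sid))
    return True
```

As jb's last sentence says, a session_id captured at generation time still lets one forged score through; the one-use rule only stops it from being used twice.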