stinkin "hackers"
- 22 Responses
- kerus
So my company made a little Xmas game in Flash. It exports the high scores to a txt file, and there is a Perl script involved here. Basically someone is faking "GETs" to our high score file and filling it with nonsense scores.
If I make any sense to anyone, got any advice on what the hell I can do to secure this stuff?
- dsmith70
All depends on how you are passing your variables to the text file. If it is right through the browser address bar then it is there for anyone else to see. But if it is embedded in your Flash movie to post to your text file then I would say someone had to know about it from the inside. Does your server have anonymous FTP access? Maybe someone from work is just playing a joke?
Posting anything on the web isn't 100% foolproof, meaning that I can usually manipulate the backend language to append whatever I want to whatever database I want just through the browser URL. Some languages even give you admin capabilities right through the browser URL, meaning you could do something like this:
http://www.yourserver.com/?comma… and voilà, your server would be shut down. A lot of people don't know this is possible for some of the low-end languages or servers like WebDNA, ColdFusion, WebSTAR, etc.
- mitsu0
Yeah, write the scores to a database.
- kerus0
Alright, can you guys point me to some links if possible?
Basically there are 2 Perl scripts.
Flash poops out the score and uses the first Perl script to format the scores and put them in a text file.
The second Perl script gives Flash back the high scores in correct order and zaps out ones that are over a week old (so I've been told).
Thanx!!
- mitsu0
I'm an ASP programmer, so all I can do is provide a link... this looks like a really simple example of how to write to a database:
http://support.needasitehost.com…
There's also some links above the example for deleting, updating, etc. You should have no problems.
- kerus0
Thank you very much!
But I was told we're trying to avoid using SQL and PHP for some odd reason.
- mitsu0
Avoiding server-side development and databases, or just PHP/SQL in particular?
- kerus0
I guess avoiding "stuff we're dumb with". None of us are really coders aside from some HTML and JavaScript.
If there's a way to do what you're saying fairly simply, cool, 'cause the Perl scripts were easy.
- sp0
For one, you could have used Flash's inherent abilities with XML and made a much more secure flat-file database.
If you are avoiding server-side development, then parsing and storing your score data in an XML file would be an easier solution.
And, since ActionScript can read and write XML, you wouldn't need the Perl scripts.
And that would keep everything behind Flash... they wouldn't even know there were other files at work.
On a side note: what Flash really needs is its own inline database app, like Delphi has, so you can create custom databases right in Flash and not be dependent on outside programs and servers.
This would make dynamic content on CDs much better as well.
- kerus0
I will look into this immediately!
Thank you for the XML suggestion!!
- mitsu0
"and that would keep everything behind Flash... they wouldn't even know there were other files at work"
Heh, that's funny. Never hacked Flash, eh?
- kerus0
OK, now you guys are scarin' me.
I got an angry boss breathin' down my neck over this, heh.
- mitsu0
Here is *my* recommendation:
Learn a server-side language and some simple database connectivity and then use it on the job. It'll do wonders for your resume and your boss will love you for it. Just let him know you can't learn it overnight. Then, after you have that under your belt, explore the world of XML. Either way, you have a little bit of work to do, so weigh your options out.
- kerus0
That's funny.. I have about 6 hours to fix this thing. :)
- mitsu0
Hmm, maybe you should go the XML route then.
You'll have to write an XML parser, so I hope you know your ActionScript!
- blend0
I don't understand how a database would help??? You still need to send the input GET requests, don't you?
Solution: Encryption. Do some simple math on the score to be posted and check that it is right server-side. Say a player gets 100 points; you calculate how many times it can be divided by 10. Send the score in the format 10100 and let the server-side script check that it works. Of course it needs to be a little less obvious, but that's how it is done.
- mitsu0
Yeeeaah... so that gets back to him not having any server-side scripting knowledge.
And to answer how a database would help: an outside user couldn't just open up a database like a text file. Even with a front end they'd need a username/password combo to get in. It's secure, thereby solving the problem. All the encryption in the world won't keep malicious kiddies from changing values in a text file. Also, you don't send information to the server via the query string; you POST it through the HTTP headers.
- blend0
Hmmm...
It does not matter whether the GET or POST method is used. It just isn't quite as convenient to read the arguments from the URL with POST.
You're right, though. It gets back to knowing your server-side stuff (or at least having somebody around to mess with it). I'm sure he can find some good Perl example to implement simple decryption.
I still don't understand your point about DBs. I mean, the player is not going to write in passwords now, is he? So it is going to be a server-side script talking to the DB anyway.
I have a fever so I may be a bit slow :)
- kerus0
There is no URL being sent...
If you're referring to something like www.whatever.com/game/?score=50...
- blend0
It does not have anything to do with the software using GET or POST. Information is transferred over IP and it can be captured with a simple packet filter or analyzer tool. The only solution is to encrypt the message. The idea is to make sure that nobody has tampered with the info or tries to attack with a man-in-the-middle attack.
- mitsu0
You supply a username and password when you establish your connection to the backend, meaning it's done server-side. The communication from the frontend to the backend needs no encryption. And besides, if you were to encrypt it, a cracker could just hack your front end and reverse engineer the encryptor, then open the text file, decrypt the data and rewrite it encoded. Simple. The encryption process is only used when the data has successfully been sent to the server. At this point, in its encrypted format, it is then written to the database. And typically the encryptor is an autonomous, out-of-process DLL or EXE that handles this part of the transaction. This is seen mostly when handling sensitive information like credit card numbers, etc.
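Added example, not code from the thread or from the company's Perl scripts. It puts the two sides of the blend0/mitsu0 exchange next to each other in Python (chosen so it runs stand-alone; the site's scripts were Perl). The first part implements the checksum blend0 describes (score prefixed with score divided by 10, so 100 becomes "10100") and shows that anyone who has read the Flash client can produce a valid checksum for any score, which is mitsu0's objection. The second part moves the secret to the server: the server hands out an HMAC-signed ticket when a game starts, and a score is only accepted with an unused, correctly signed ticket, inside the game's score range, after the minimum possible game time. The secret, score limit, game-length limit and player names are all constructed values for the demo. The honest caveat stays: a modified client can still wait out the minimum time and submit the maximum score, so these checks raise the cost of forging and stop replay and the obvious nonsense, but they cannot prove the game was played.

```python
"""Client-side checksum vs. server-side ticket for a high-score submission.

Added example; the thread's Perl scripts are not reproduced here.
All constants below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"demo-secret-never-ship-this-in-the-swf"  # assumed, server-only
MAX_SCORE = 5000          # assumed: the most points one game can award
MIN_GAME_SECONDS = 10     # assumed: the shortest game the rules allow


# --- 1. blend0's scheme: the client prefixes the score with score // 10 ----
def client_encode(score: int) -> str:
    """Build the payload the Flash client would send, e.g. 100 -> '10100'."""
    return f"{score // 10}{score}"


def server_checksum_check(payload: str):
    """Recover the score from a payload, trying every split point.

    Returns the score if some prefix equals score // 10, otherwise None.
    Because the rule is visible in the client, a forged payload passes too.
    """
    if not payload.isdigit():
        return None
    for i in range(1, len(payload)):
        prefix, body = payload[:i], payload[i:]
        if int(prefix) == int(body) // 10:
            return int(body)
    return None


# --- 2. Secret held on the server: signed, single-use game tickets ---------
class ScoreServer:
    """Issues one ticket per game start and validates the score against it."""

    def __init__(self, secret: bytes = SERVER_SECRET, clock=time.time):
        self._secret = secret
        self._clock = clock              # injectable for testing
        self._open_games = {}            # nonce -> (player, started_at)
        self.scores = []                 # accepted (player, score) pairs

    def _sign(self, player: str, nonce: str, started_at: int) -> str:
        msg = f"{player}|{nonce}|{started_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def start_game(self, player: str) -> str:
        """Called when the game begins; the client keeps the ticket."""
        nonce = secrets.token_hex(16)
        started_at = int(self._clock())
        self._open_games[nonce] = (player, started_at)
        return f"{nonce}.{started_at}.{self._sign(player, nonce, started_at)}"

    def submit(self, player: str, score, ticket: str) -> str:
        # 1. Structural validation: nothing outside the game's range is a score.
        if not isinstance(score, int) or not (0 <= score <= MAX_SCORE):
            return "rejected: score out of range"
        try:
            nonce, started_str, tag = ticket.split(".")
            started_at = int(started_str)
        except ValueError:
            return "rejected: malformed ticket"
        # 2. The MAC proves this server issued the ticket to this player.
        if not hmac.compare_digest(tag, self._sign(player, nonce, started_at)):
            return "rejected: bad signature"
        # 3. Plausibility: a game cannot end faster than the rules allow.
        if self._clock() - started_at < MIN_GAME_SECONDS:
            return "rejected: game finished too fast"
        # 4. One submission per ticket, which stops replaying a good one.
        if self._open_games.pop(nonce, None) is None:
            return "rejected: ticket already used or unknown"
        self.scores.append((player, score))
        return "accepted"


if __name__ == "__main__":
    # Forging under blend0's scheme needs nothing but the visible rule.
    print(client_encode(100), server_checksum_check(client_encode(4999)))
    srv = ScoreServer()
    ticket = srv.start_game("kerus")
    print(srv.submit("kerus", 250, ticket))          # too fast right after start
    print(srv.submit("kerus", 250, "abc.0.deadbeef"))  # bad signature
```

In the real deployment the `_open_games` table would live in a file or database on the server rather than in memory, and the submit handler would sit behind the same rate limit as any other form.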