Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-19 Thread Abe Pazos

Thank you everybody for your replies.
They are very useful to see how to approach
this issue.

In our case we can't keep the state 100% in the server,
because we have action single player games, with lots
of users. Sending the state continuously would mean
too much traffic.

But I think we can use timestamps on the
server side to calculate how long users played, and
what's the maximum amount of points for that time span.

This way, if you want to cheat, you have to spend a lot
of time simulating that you are playing... Also encrypting the
scores in variables makes it impossible to change
values directly in memory (which is very easy otherwise).

I found these two links which are related to our problem:
http://www.secureplay.com and http://www.playnoevil.com

Have a nice evening =)

Ricky Bacon wrote:

Abe Pazos wrote:

How does it work in online casinos? I guess the result
is probably calculated before it happens on server side,
so you just see a representation. This is possible in cases
where the input are some numbers, and the result is
calculated from that input. But this involves no real
user interaction.


It works the same way for any game, you have to run the game state on 
the server side.  Online casinos use it, as do MMOs.


-Ricky



___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
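A server-side version of the timestamp bound Abe describes above, as an added example that is not from the thread (written in Python rather than the PHP the thread discusses). The server signs the session start time so the client cannot backdate it, redeems each token once, and rejects any score above what that play time could have produced; the key, the points-per-second constant and the function names are assumptions.

```python
import hmac
import hashlib

# Constructed demo values: the key lives only on the server, and the rate is
# the highest score-per-second a legitimate player of this game can reach.
SERVER_SECRET = b"constructed-demo-key-change-me"
MAX_POINTS_PER_SECOND = 10

# Tokens that have already been redeemed for a score (a DB table in practice).
_redeemed = set()


def issue_start_token(user_id, start_time):
    """Issued when a game starts; the client stores it and echoes it back."""
    payload = f"{user_id}:{int(start_time)}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_score(token, user_id, claimed_score, now):
    """Return (accepted, reason). Nothing in the request is trusted until
    the server-issued tag over (user, start time) checks out."""
    try:
        tok_user, start_str, tag = token.rsplit(":", 2)
    except ValueError:
        return False, "malformed token"
    payload = f"{tok_user}:{start_str}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "token signature invalid"
    if tok_user != user_id:
        return False, "token issued to a different user"
    if tag in _redeemed:
        return False, "token already redeemed"
    elapsed = now - int(start_str)  # start_str was written by the server, so int() is safe
    if elapsed < 0:
        return False, "start time in the future"
    # Abe's bound: the most points this session could legitimately have earned.
    ceiling = int(elapsed * MAX_POINTS_PER_SECOND)
    if claimed_score > ceiling:
        return False, f"score {claimed_score} exceeds ceiling {ceiling} for {elapsed:.0f}s"
    _redeemed.add(tag)
    return True, "accepted"
```

As Dave Watts points out later in the thread, a check like this only caps the damage a modified client can do; it cannot prove that a score within the ceiling was actually earned.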


[Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Abe Pazos

Does anyone know documentation explaining
how to secure Flash client / Server communication?

Imagine you have a Flash game. When the game is over,
the score is stored in the server.

The value can be changed from 150 points to 100
points in memory using some game cracking tools, if
you use plain numbers on a variable. You can store
the data in some special format which can't be found
using that kind of tools. But the client can be easily
decompiled. Or maybe you can intercept and change
the value (using some kind of network proxy) while
it's sent to the server.

How does it work in online casinos? I guess the result
is probably calculated before it happens on server side,
so you just see a representation. This is possible in cases
where the input are some numbers, and the result is
calculated from that input. But this involves no real
user interaction.

Anyone on the list dealt with these problems before?

Thanks :)




Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Ricky Bacon

Abe Pazos wrote:

How does it work in online casinos? I guess the result
is probably calculated before it happens on server side,
so you just see a representation. This is possible in cases
where the input are some numbers, and the result is
calculated from that input. But this involves no real
user interaction.


It works the same way for any game, you have to run the game state on 
the server side.  Online casinos use it, as do MMOs.


-Ricky


Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread [EMAIL PROTECTED]

this might help you: 
http://cosmincimpoi.blogspot.com/2007/09/loadvariables-security-by-built-in.html#links

email me for details




On Jun 18, 2008, at 4:19 PM, Abe Pazos wrote:


Does anyone know documentation explaining
how to secure Flash client / Server communication?

Imagine you have a Flash game. When the game is over,
the score is stored in the server.

The value can be changed from 150 points to 100
points in memory using some game cracking tools, if
you use plain numbers on a variable. You can store
the data in some special format which can't be found
using that kind of tools. But the client can be easily
decompiled. Or maybe you can intercept and change
the value (using some kind of network proxy) while
it's sent to the server.

How does it work in online casinos? I guess the result
is probably calculated before it happens on server side,
so you just see a representation. This is possible in cases
where the input are some numbers, and the result is
calculated from that input. But this involves no real
user interaction.

Anyone on the list dealt with these problems before?

Thanks :)




Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Ricky Bacon

[EMAIL PROTECTED] wrote:
this might help you: 
http://cosmincimpoi.blogspot.com/2007/09/loadvariables-security-by-built-in.html#links 


Security through obscurity is not a very good idea.  You also still have 
the problem of someone decompiling the swf and modifying it to their needs.


-Ricky


Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread [EMAIL PROTECTED]

yes and no

solution comes in 2 parts:

1. use loadVariables
loadVariables(".../script.php?foo1=1&foo2=2", this, "POST")

this is something: when you use loadVariables... flash will send all
_root variables too... so php will receive foo1, foo2 and all variables
that reside in _root ... with loadVariables.
i know this is kinda bad but works... make sure you have enough
variables in root... most of us have more than enough :)


if anyone uses decompilers/http requests they will see .../script.php?foo1=1&foo2=2
but i have a little surprise in php:


2. extra check in php - make sure script is called from swf and not  
from browser. you can add some ip ban script for those who try.

<?php
if (!isset($_REQUEST['speed']) || !isset($_REQUEST['stuffurl'])) die();
.
.
.

enjoy


On Jun 18, 2008, at 7:25 PM, Ricky Bacon wrote:


[EMAIL PROTECTED] wrote:

this might help you: 
http://cosmincimpoi.blogspot.com/2007/09/loadvariables-security-by-built-in.html#links


Security through obscurity is not a very good idea.  You also still  
have the problem of someone decompiling the swf and modifying it to  
their needs.


-Ricky




Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Ricky Bacon

[EMAIL PROTECTED] wrote:

yes and no

2. extra check in php - make sure script is called from swf and not from 
browser. you can add some ip ban script for those who try.

<?php
if (!isset($_REQUEST['speed']) || !isset($_REQUEST['stuffurl'])) die();


And I can spoof the headers... ;)

If you give someone access to game logic on the client, they can hack it.

-Ricky


Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Jon Bradley


On Jun 18, 2008, at 12:25 PM, Ricky Bacon wrote:

Security through obscurity is not a very good idea.  You also still  
have the problem of someone decompiling the swf and modifying it to  
their needs.


If Flash Media Server 3 is being used, for a very nice level of  
protection it can hash the game SWF engine (just place it in the  
application directory and turn on the feature in the application .asc  
file).


If the SWF requesting doesn't match the swf in the FMS3 app directory  
then it won't allow it to run.


Still doesn't negate the idea that the game logic should be on the  
server.  :)


- jb


Re: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Steven Sacks

This isn't even open for debate.

If you don't run your logic on the server, you have zero security.

End of story.


RE: [Flashcoders] How to avoid fake data being sent to server?

2008-06-18 Thread Dave Watts
 if anyone uses decompilers/http requests they will see .../script.php?foo1=1&foo2=2
 but i have a little surprise in php:

If you use a recording HTTP proxy or packet sniffer, you will see (and can
modify) the entire HTTP request, not just the first line.

 2. extra check in php - make sure script is called from swf
 and not from browser. you can add some ip ban script for
 those who try.
 <?php
 if (!isset($_REQUEST['speed']) ||
 !isset($_REQUEST['stuffurl'])) die(); .

If I record the entire HTTP request, there is no server-side check you can
make to guarantee anything my client says.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
