Prevent JavaScript Hacking [duplicate] - javascript

This question already has answers here:
What good ways are there to prevent cheating in JavaScript multiplayer games?
(9 answers)
Closed 8 years ago.
I've created a trivial game using JavaScript and AngularJS. While presenting it to my team today, a team member hacked the code and won the game because of it.
The idea is that each player clicks a button to generate a random number between 1-100. Tom (screenshot below), put a breakpoint in the JavaScript and changed the number to 99 each time.
Is there a way to prevent this? From what I've heard, and from some googling, it appears that it's not possible to prevent this; a trip to the server needs to be made so that the random number can be generated there.
Is that right? Do I need to change my game to make a server call for every generation of a random number? If so, is there at least some way to make it extremely difficult to hack within the browser? Using JavaScript and AngularJS, it was nice to have this all on the front end; it was quick and easy.

The best way to prevent this is to have a call to a server and record the value you send out to the client so you can validate it, this is the only foolproof way of really achieving this.
However you can take some steps to make it really difficult to do client side. If you were to minify you're JavaScript code (and possibly obfuscate all the method names too) this is going to make it really hard to understand what its doing and to set a breakpoint at the correct point.
As an example, in Chrome I've got only 4 lines to choose from to break in jquery.min.js. If I want to edit the section highlighted, this is virtually impossible without sending this code through a deminification process or redirecting to different JavaScript using a tool like fiddler.

You can minify your javascript, and that might help a bit, but technically there's no way. You need to move some of your logic server-side, where it can be validated.

Related

how to prevent stealing javascript codes [duplicate]

This question already has answers here:
How can I prevent javascript code theft?
(7 answers)
Closed 6 years ago.
I made many javascripts for my blogger after hard work. So, I don't want anyone steal my codes, can I do that?
I tried obfuscate and encode from many websites, but anyone can easily steal it after that, So it just slow my website.
I need really solution : )
You can't. The only thing you can do is make your code harder to read by minimizing it, and otherwise obfuscating it. The code is sent to the client; you must assume they'll try to read it.
If you visit a website and the page is already "constructed", it means they used a server side language/framework to create the page before it was sent.
Javascript files are shown publicly, and sent directly to the client, so there's no way you can prevent them from being viewed. You had the right idea trying to obfuscate it, as that's the only solution, you just need to find the right obfuscater. In my opinion, you shouldn't even obfuscate them, as most scripts are written in a matter of minutes, it wouldn't make much sense for somebody to steal yours. If you really need to do so, then a quick google search returns this.
No, you can't. At the end of the day, the user can look at any javascript that is being run on the client. If you're doing anything that is business sensitive (such as connecting to databases, etc), that should take place on the server, so that users can't see it. Client-side JavaScript is intended to work with data that the user can see anyway, so it's not important for it to be obfuscated.
If you're just jealous that someone is going to to use your code, well.. Tough luck. Though I should say that in all likelihood nobody is interested in stealing your code. If they're going to reuse code, they'll download a plugin - not go through the source of random websites to see if there's anything they could scavenge.
People have mentioned obfuscation, but if that's your goal, you're doing something wrong. You should certainly minify your code - but that's to make it take less space, and thus load faster. Not to obfuscate it.

How to protect code html5 canvas of copy and paste? [duplicate]

This question already has answers here:
How to protect code in HTML5/Canvas game?
(2 answers)
Closed 8 years ago.
What should I do to protect my code?
Due to the open source code, a person can take the data, one by one. Alternatively, they save press ctrl+s. I want to protect it so that if someone wants to take my data, he has to connect to my site.
This is a classical caveat of serving client-side code. It is impossible to completely hide your code if you are going to send it to a client; he must receive a .js file in order to execute it in his browser, and that file is always viewable by some means.
You can attempt to obfuscate your code using a minifier like Uglify.js, but people can still prettify your code and examine it and attempt to figure out how it works.
Alternatively you could do everything server-side and serve images of the game to the user, but this would be impractical for any game with a moderately-high framerate.
Note that in most countries you have a copyright on whatever you write, so if someone was to ever steal your code you could sue them.
You can't protect your javascript functionality from copy-paste, as explained here.
How to protect code in HTML5/Canvas game?
To paraphrase the Borg..."obfuscation is futile"
(your code and your data must become visible for the browser to run it)
To slow thieves down:
If you're trying to protect your methods: minify your javascript.
If you're trying to protect your data: download data from server in real time (Ajax/websockets).

Making Javascript Private [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How can I obfuscate JavaScript?
Is it possible to make some of Javascript private and confidential so that certain things can remain confidential?
If you're asking whether or not you can prevent users from viewing your source, the answer is basically no.
Sometimes you can make it impossible to do right-click / view source, but people could simply use a tool like Firebug.
You can minify your code, but that doesn't hide it. It just makes it harder to comprehend.
I think what you are after is encrypting/obfuscating javascript code; you cant avoid but send your JavaScript code to the client.
The best you can do is obfuscate it, which is essentially making it harder to humanly read it. and here the SO reference if you want to go down that path
How can I obfuscate (protect) JavaScript?
I am not sure why you want to do this, is it to protect some of your own code, if so then its ok, but if you are planning on putting sensitive data such as usernames/passwords embeddeed into your javascript then please don't do so, its ok to go to the server to fetch stuff better being secure :-) happy coding.

How to hide or secure javascript code from client side [duplicate]

This question already has answers here:
How can I hide or encrypt JavaScript code? [duplicate]
(7 answers)
Closed 7 years ago.
How to secure or hide javascript code on client side. Is there any way to doing so.
Thank You
Short answer: You can't/don't.
Longer answer: You cannot hide it at all. It runs on the client and it cannot be compiled to machine code.
However, you could minify it - that's basically obfuscating it by shortening variable names, removing whitespace, etc. While it's usually used to save bandwidth it also makes the code less readable.
Note that all but the changed variable names and removed comments can be easily undone by something like jsbeautufier.. but for a large application it's very hard to understand the code without any meaningful variable/function names or comments.
There is no such thing as 100% secure javascript code. This is because any code executed on the client's machine cannot be fully secure. Your best bet is to obfuscate your javascript and make it hard to read.
Your best bet is to ensure all vital secure code runs on the server, and allow javascript to do only simple, UI enhancing tasks on the client side.
As i know it is not possible. Only thing you can do it making the code very badly organized. Which will take longer time to find out actually what you are doing.
If you are searching this because of security reasons, you have to remember the only thing matters in security is the password-which is not put in the code. So find a nice way to encrypt you stuff. You can find many good ways on web.

How to block others access JavaScript [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Protecting client side logic & data
How can I block other from reading my JavaScript through view source?
My thing is, now one can access my JavaScript, because am not sure, but just guess some one from outside using some tool to changing my JavaScript events.
So how to make the authenticated?
You don't control the client, and javascript isn't compiled. Its a losing battle if you want to lock it down completely. The best you can hope for is a good obfuscator/compressor that would make it more difficult to read. You can also do it all in flash or something where you would have a bit more say, but you still don't control the client, and they can still decompile the source.
It's not entirely possible for you to block your JavaScript code from getting into the client side, since this is where they will get executed.
As you mentioned about changing the events, your Application must be developed in a such a way that such changes will not harm the Application at the server end. Of course, that particular user will be able to produce unanticipated output it his end, but these should hardly matter as he will be the sole viewer of those.
One side note though, there is something called code obfuscation, that is making the code deliberately unreadable. Some Web App developers resort to that. You could consider doing that.

Categories

Resources