html form post/get data security

Okay, this question isnt exactly very clear, because i cant write it as a single question.

I have a game that i am designing using javascript, and it is basically a multiplayer game. So say there is two players, player darklord and angel

angel shoots darklord so darklord loses 1 life.

Now what happens is that i use ajax to submit the number of life that darklord loses. And the request is GET /shootout.php?shooter=darklord&life=-1 so this allows me to store the new life of darklord.

Now the problem is say angel knows about computer, and he starts requesting /shootout.php?shooter=darklord&life=-3

Thus darklord loses more life then he should have. So angel cheated in the game.

No i want to prevent this kind of requests, and i am trying to get a way so that my requests can be hidden. I mean i k开发者_如何转开发now i can encrypt the url. So say i encrypted it such that the request should be GET /enc.php?e=934ufj30jf for darklord to lose a life, and different values of e for angel to lose a life, or gain a point. However for this to work i will need to send the data to the client, as in tell the javascript to request this url.

Now the user can easily go around reading the source of the file in order to find out what are the new requests for doing things,

I have found and thought of many other ways, but they all limit the amount of cheating or effect the game-play etc.. None of them eliminate this security completely.

So now my question is how do i make sure that users dont send data that is not real. How do i stop them from cheating? I have thought of the best way being that i use server side scripts to actually calculate the possibility of someone shooting someone else and then matching it with the client input, but that will effect execution time by a LOT, so i am trying to find other ways, some public key encryptions?? (problem is the user can put the data as they want and then encrypt it) tokens? (problem is the user can put the data as they want and then put the current token)

so any other ideas anyone??

This isn't about hiding requests, it's about implementing proper access controls. Your example is referred to as an insecure direct object reference in that manipulating values in the querystring relating to direct DB objects causes an unintended outcome (have a look at OWASP Top 10 for .NET developers part 4: Insecure direct object reference).

There are a couple of things you can do but the most important is implementing proper access controls. You must authenticate the caller of the service and authorise them to perform the requested activity (and this all has to happen on the server). In this case, angle should not be able to perform an action on behalf of darklord.

The other thing you can do is use an indirect object reference map (refer to the link above), which obfuscates the IDs of the player with cryptographically strong, user-specific alternatives. You probably don't need this in addition to the access controls but it does give you more unpredictability.

Finally, think about the flip-side as well - if darklord is able to pass the amount of damage as a parameter, what's to stop him from re-issuing the request manually with "life=-100"? It will depend on the specifics of how the attack action is performed, but you're going to want to avoid people gaming this action too.

You have to assume that the user is completely in control of the client JavaScript. The only way to make this secure is to do the check on the server side.

You should not send result of action. You should send action. i.e angel shoot darkangel from point (7,15) with angle 36 degree

than server checks is it correct shoot and decrease lifes of darklord

There was an excellent answer given on this subject a couple of years ago. It actually refers to Flash rather than JavaScript, but the security concerns and techniques are going to be applicable to this situation too.

What is the best way to stop people hacking the PHP-based highscore table of a Flash game

You should never have the client tell the server what changes to make in player state (eg. remove X amount of health) because the client could always be cheating. Instead only have the client tell the server what input the player has made and then the server determines what happens as a result of that input.

Although this doesn't remove the possibility of cheating by writing a bot that plays the game automatically (and is better at the game than any human player) you at least remove overt cheating of the "I did 10,000 damage, trust me" variety.

Detecting bots is best done by tracking behavioral data and doing data mining to find cheaters. And if there is no behavioral difference between bots and human players, then who cares about the bots.