  1. #1
    Regular Coder
    Join Date
    Aug 2002
    Location
    New York
    Posts
    152
    Thanks
    12
    Thanked 0 Times in 0 Posts

    The "High Score" Problem

    I've been doing a lot of research on this topic recently and I'm sort
    of stuck. For those who don't know about this type of problem, it is
    the security concern that communication between Flex (a Flash
    front-end application) and a server through PHP is thinly-veiled and
    prone to attack. Specifically, when a Flash game tries to tell the
    server that a user got a high score, an attacker can find a way to
    fake this high score and achieve the best score (sometimes resulting
    in a cash prize).

    The measures that I've been studying seem to only get in the way for
    attackers, but not thwart them entirely. For example, one could simply
    encrypt the data that is passed to a PHP file, but the Flash
    application can be decompiled and the encryption technique is
    discovered. Alternatively, one could obfuscate the application, making
    the decompilation produce jargon, but this too can be translated into
    human-readable text. A server can check data for feasibility by using
    a timer to detect super-fast computer-generated PHP POSTs, but this
    too can be overridden by slowing down the auto-POSTs. This is the case
    for other "human" feasibility checks. If the server checks the POST
    headers, they too can be faked by proxies.

    Is the simple conclusion that Flash applications are inherently
    transparent? There is no such thing as Flash application security?
    Does SSL patch any of these risks?

    How can a "high score" problem be overcome?

  • #2
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,174
    Thanks
    19
    Thanked 66 Times in 65 Posts
    I'm no expert on flash or flex but it seems to me a simple way would be to have the php file pass a variable to the flash/flex program and then have that information be sent back to the php file when the score is saved - if the values don't match then the score isn't recorded.

    If the flash file is decompiled, the file doesn't contain the value that needs to be sent.

    Just an idea.

  • #3
    Regular Coder
    Join Date
    Aug 2002
    Location
    New York
    Posts
    152
    Thanks
    12
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by NancyJ View Post
    I'm no expert on flash or flex but it seems to me a simple way would be to have the php file pass a variable to the flash/flex program and then have that information be sent back to the php file when the score is saved - if the values don't match then the score isn't recorded.

    If the flash file is decompiled, the file doesn't contain the value that needs to be sent.

    Just an idea.

    The problem with that is that a person can be watching their HTTP Headers and just grab that variable in transit. The person can then fake a POST and include both the variable and their new "high score".
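
The server-issued value discussed in posts #2 and #3, combined with the timer-based feasibility check from post #1, as an added example that is not part of any post in this thread. The session arrays stand in for PHP's session storage, and `MAX_POINTS_PER_SECOND`, `issue_token` and `submit_score` are hypothetical names with an assumed game-specific limit.

```php
<?php
// Added example, not code from the thread. Plain arrays stand in for
// $_SESSION so the script runs from the CLI with fixed, constructed timestamps.
const MAX_POINTS_PER_SECOND = 50; // assumed limit for this hypothetical game

// Called when the game starts: the server keeps the token and the start time.
function issue_token(array &$session, int $now): string {
    $token = bin2hex(random_bytes(16));
    $session['score_token'] = ['value' => $token, 'issued' => $now];
    return $token;
}

// Called when the score is saved: every decision uses server-side state only.
function submit_score(array &$session, string $token, int $score, int $now): string {
    $stored = $session['score_token'] ?? null;
    unset($session['score_token']); // single use: consumed on any attempt
    if ($stored === null || !hash_equals($stored['value'], $token)) {
        return 'rejected: unknown or already used token';
    }
    $elapsed = $now - $stored['issued'];
    if ($score < 0 || $elapsed <= 0 || $score > $elapsed * MAX_POINTS_PER_SECOND) {
        return 'rejected: score not feasible for elapsed time';
    }
    return 'accepted';
}

// Constructed walk-through: two separate player sessions.
$alice = [];
$bob = [];

$t1 = issue_token($alice, 1000);
echo submit_score($alice, $t1, 900, 1030), "\n";    // score sent with its own token
echo submit_score($alice, $t1, 900, 1031), "\n";    // same token presented again
echo submit_score($bob, $t1, 900, 1030), "\n";      // token presented under another session

$t2 = issue_token($alice, 2000);
echo submit_score($alice, $t2, 999999, 2010), "\n"; // fresh token, score beyond the rate limit

$t3 = issue_token($alice, 3000);
echo submit_score($alice, $t3, 1400, 3030), "\n";   // fresh token, client-chosen score within the limit
```

The token ties a submission to one session and one game round, and the rate limit bounds how large a score can be; neither check tells the server whether a score inside that bound was actually earned, which is the gap post #3 describes.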

  • #4
    Senior Coder gnomeontherun's Avatar
    Join Date
    Sep 2007
    Location
    Houston
    Posts
    2,846
    Thanks
    10
    Thanked 238 Times in 229 Posts
    Nothing is completely secure...

    You could put layers between the application and the server, perhaps some method of checking variables. I know a smart person will always unravel the layers, but the more you put the harder it gets.

    This isn't necessarily a flash/flex issue, if you can send a variable via POST to any script someone could try to interject their own into it.

    Very good question though...maybe ask it in the section where PHP people can read it too.

  • #5
    New to the CF scene
    Join Date
    Sep 2007
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'm not sure how helpful my suggestions will be but here goes...
    I agree with jeremy, if a hacker really wants to get that prize they will but it also depends on how much the cash prize is (or whatever the value of the item). If it's something small valued less than $100 you shouldn't worry too much about it, just get some encryption happening.

    Otherwise I really think a combination of PHP SSL & Cookies will get you a good amount of security, as I know a lot of shopping cart systems use SSL to handshake with the browser to prevent hackers from stealing information.

    Finally if it's a really big sum of $$$ then I would most likely look into another technology, shockwave maybe?

  • #6
    New Coder
    Join Date
    Feb 2005
    Posts
    40
    Thanks
    0
    Thanked 0 Times in 0 Posts
    How about if you pass your request with some encryption?
    There are only 10 types of people in the world: Those who understand binary, and those who don't.
    Which one are you?

  • #7
    Regular Coder
    Join Date
    Aug 2002
    Location
    New York
    Posts
    152
    Thanks
    12
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by kaydara View Post
    How about if you pass your request with some encryption?

    Then the encryption method is publicly known, as any SWF can be decompiled into its source code.

