Javascript安全问题 [英] Javascript Security Concern
问题描述
在我之前的问题中:
确保javascript游戏时间安全
...很明显,Javascript / Canvas游戏中的客户端计时根本不安全。我知道关于不信任客户的口头禅 - 这就是我首先引起斗争的原因。 : - )
... it became clear that client-side timing in a Javascript/Canvas game simply won't be secure. I know the mantra about not trusting the client - that is what is causing my struggle in the first place. :-)
因此,如果我确实将所有时间移动到服务器并处理它,这是一个后续问题。游戏显然需要在提交之前完成。由于游戏拼图都是Javascript,这引入了操纵客户端代码以假冒游戏完成的问题。
So, if I do move all timing to the server and just deal with it, here is a follow-up question. The game obviously needs to be completed before submitting it. As the game puzzle is all Javascript, this introduces the problem of manipulating the client-side code to fake the completion of the game.
我已经创建了游戏JS代码在一个单独的类文件中。如果我实例化游戏:
I've created the game JS code in a separate class file. If I instantiate the game as such:
var game;
$document.ready(function(){
game = new Game();
});
...然后,我可以通过游戏对象及其所有方法和变量访问控制台。
... then, I can access the 'game' object and all of its methods and variables via the console.
但是,如果我这样做:
$document.ready(function(){
var game = new Game();
});
...然后我无法通过控制台访问游戏对象。这似乎有所帮助,但有一些我不知道的东西 - 这个对象是否仍然可以以某种方式访问我不知道或者是否使该函数中的私有变量更加安全?
... then I cannot access the 'game' object through the console. This seems to help, but is there something I don't know - can this object still be accessed in some way I don't know about or is making it a private var in that function a little more secure?
谢谢!
推荐答案
不要过多关心控制台。是的,如果有全局对象的方法很容易被触发以赢游戏,那么欺骗是一个很好的可能性,但是当你演示时它很容易被阻止。
Don't care too much about the console. Yes, if there are global objects whose method can easily be fired to "win" the game, it's a nice possibility to cheat, but it can easily prevented as you demonstrated.
因此,黑客只会监听(查看网络窗格)向您的服务器发出的请求并手动触发它们。如果他们只是一些简单的网址,如 / action = start 和 / action = end ,他可以轻松解雇他们手动没有任何时间。因此,您需要预防(尽管您永远无法真正确保安全),例如通过添加其他凭据令牌。或者你可以在游戏代码中嵌入一些秘密,这些秘密在游戏过程中被揭示,并且需要被发送到服务器以证明合法性。当然,他们可以从你的代码中读出来,但你必须让黑客太复杂。这有点像默默无闻的安全性 ......
So, the hacker would just listen (look at the network pane) which requests are made to your server and fire them manually. If they were just some simple urls like /action=start and /action=end, he could very easily fire them manually without any timing. So you will need to prevent that (although you never can really make it safe), e.g. by adding additional credential tokens. Or you could embed some "secret"(s) into the game code, which are revealed during the gameplay, and need to be sent to the server to prove the rightfulness. Of course they could be read out of your code, but you have to make it too complicated for the hacker. It's a bit like security by obscurity…
这篇关于Javascript安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
