
imperialized

PHP and Tamper Data plug in


Ok, well I have been using a php arcade script to allow my users to play games on my website. However, I was recently informed of a program called "Tamper Data", a plug-in for Firefox, which allowed users to change the scores that were being passed to the server..

 

is there any way to prevent such info from being changed? Or rather, how do you check to ensure that the information was not altered?


usually firefox extensions are accessible through javascript

 

if you look up the documentation on tamper data you might find a way to locate it..

 

but that only works if javascript is enabled..

 

probably you could implement a sort of ticketing system where every time a score is sent, generate a new random number, and have your server send that random number back to the game, then have php expect that random number on the next sent scores..

 

this way tamper data will most likely not be able to retrieve and send this unique number, thus rendering it useless


I don't know that sending and saving a random number would do the trick. The problem would lie here:

 

Say a user (1) is playing a game (already loaded the page) while another user has just submitted a score. The user (1) then tries to send his score; his number wouldn't match the number the server expected because he parsed the page prior to the new number being set.


did you make these games, or do you have at least the FLAs of these games?

 

this way you could just trash the scores in the flash app.. so when the tamper data tries to re-send the last person's score..

 

the last person's score is non-existent


Your other option, and I am not sure how this works with flash as I never use flash, is to encrypt the scores with a key via the flash then on the php side decrypt them. That way they have to know what your key is to fake the scores.

 

Like I said, I have no clue how this would work with flash, maybe you can find a flash/php encrypt/decrypt function?


No, I don't write any of the games. The games are from IPB arcade (games written to be used with that forum). I have access to all other elements, aside from what happens within the flash game itself.


No, I don't write any of the games. The games are from IPB arcade (games written to be used with that forum). I have access to all other elements, aside from what happens within the flash game itself.

 

I think you are out of luck then. I do not know how you would stop that without being able to code for it. If you can detect the use of tamper, that would be one thing. But I do not think you can.


Do you think there would be a way to capture the score before the user had a chance to change it?

 

If that's the case, I could use a hash on the score to check it.

 

For example:

a = real score

b = fake score

 

md5(a) = x

if md5(a) = x    -- score is real

 

if they passed b through

md5(b) = x  -- it would not pass b/c the hash would be different....

 

 

...pondering


if it works then it works.. but md5 is a 1-way hash so you can't recover the hash lol


the problem is, I don't think I can catch the score before the tamper program would..

 

What I'm saying is, capture the score, create the hash

 

Pass the score and the hash to the verification..

 

the score, if changed, would not pass the verification of comparing it to the hash. I wouldn't need to recover the hash, just compare it to the score that was passed... I don't think this would be possible though


do you have the tamper data plugin installed on your firefox?

 

if so you could do a simple differentiation between when data tampering occurs, and a legitimate request..

 

E.G.

 

comparing

 

$_SERVER

$_GET

$_POST

 

print_r() these and then post them here

 

1 set for tampered data, and 1 for legit request

 

or add me to MSN and I could help you in a more realtime manner

 

RussellonMSN [AT] hotmail.com


//Original untouched. 

 

In the following order:

$_POST

$_SESSION

$_SERVER

~ gname: throwme

~ gscore: 32

~ CONTENT_LENGTH: 23

~ CONTENT_TYPE: application/x-www-form-urlencoded

~ DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html

~ HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

~ HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7

~ HTTP_ACCEPT_ENCODING: gzip,deflate

~ HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5

~ HTTP_CACHE_CONTROL: max-age=0

~ HTTP_CONNECTION: keep-alive

~ HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3

~ HTTP_HOST: www.imperialized.com

~ HTTP_KEEP_ALIVE: 300

~ HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme

~ HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

~ PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin

~ REMOTE_ADDR: 76.125.203.130

~ REMOTE_PORT: 2876

~ SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ SERVER_ADDR: 204.13.53.2

~ SERVER_ADMIN: webmaster@imperialized.com

~ SERVER_NAME: www.imperialized.com

~ SERVER_PORT: 80

~ SERVER_SIGNATURE: Apache/1.3.37 Server at www.imperialized.com Port 80

~ SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510

~ GATEWAY_INTERFACE: CGI/1.1

~ SERVER_PROTOCOL: HTTP/1.1

~ REQUEST_METHOD: POST

~ QUERY_STRING: act=Arcade&do=newscore

~ REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore

~ SCRIPT_NAME: /arcade/index.php

~ PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ PHP_SELF: /arcade/index.php

~ REQUEST_TIME: 1232263241

[argv]

  |~ 0: act=Arcade&do=newscore

~ argc: 1

// This is the tampered info

~ gname: throwme

~ gscore: 9999999

~ CONTENT_LENGTH: 28

~ CONTENT_TYPE: application/x-www-form-urlencoded

~ DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html

~ HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

~ HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7

~ HTTP_ACCEPT_ENCODING: gzip,deflate

~ HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5

~ HTTP_CONNECTION: keep-alive

~ HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3

~ HTTP_HOST: www.imperialized.com

~ HTTP_KEEP_ALIVE: 300

~ HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme

~ HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

~ PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin

~ REMOTE_ADDR: 76.125.203.130

~ REMOTE_PORT: 2905

~ SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ SERVER_ADDR: 204.13.53.2

~ SERVER_ADMIN: webmaster@imperialized.com

~ SERVER_NAME: www.imperialized.com

~ SERVER_PORT: 80

~ SERVER_SIGNATURE: Apache/1.3.37 Server at www.imperialized.com Port 80

~ SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510

~ GATEWAY_INTERFACE: CGI/1.1

~ SERVER_PROTOCOL: HTTP/1.1

~ REQUEST_METHOD: POST

~ QUERY_STRING: act=Arcade&do=newscore

~ REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore

~ SCRIPT_NAME: /arcade/index.php

~ PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ PHP_SELF: /arcade/index.php

~ REQUEST_TIME: 1232263314

[argv]

  |~ 0: act=Arcade&do=newscore

~ argc: 1

 

