Thread: https://forums.phpfreaks.com/topic/141136-php-and-tamper-data-plug-in/

imperialized Posted January 16, 2009: OK, well, I have been using a PHP arcade script to allow my users to play games on my website. However, I was recently informed of a program called "Tamper Data", a plug-in for Firefox, which allowed users to change the scores that were being passed to the server. Is there any way to prevent such info from being changed? Or rather, how do you check to ensure that the information was not altered?
RussellReal Posted January 16, 2009: Usually Firefox extensions are accessible through JavaScript; if you look up the documentation on Tamper Data you might find a way to locate it, but that only works if JavaScript is enabled. Probably you could implement a sort of ticketing system where every time a score is sent, generate a new random number, and have your server send that random number back to the game, then have PHP expect that random number on the next sent scores. This way Tamper Data will most likely not be able to retrieve and send this unique number, thus rendering it useless.
imperialized (Author) Posted January 16, 2009: I don't know that sending and saving a random number would do the trick. The problem would lie here: say a user (1) is playing a game (already loaded the page) while another user has just submitted a score. The user (1) then tries to send his score; his number wouldn't match the number the server expected because he parsed the page prior to the new number being set.
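The collision imperialized describes only happens when there is one global "expected number". If each player's token is stored in that player's own session and is valid once, concurrent players cannot invalidate each other. The following is an added example, not code from the thread or from PHP Quick Arcade; the function names, the session array layout and the gname/gscore field names are assumptions. It is worth being clear about what such a token does and does not achieve: it rejects stale or replayed submissions, but it does not detect a gscore that was edited in a request that still carries a valid token, because the proxy edits the request after the game has already filled the token in.

```php
<?php
// Added example (not from the thread or PHP Quick Arcade). Assumes the arcade
// keeps per-player state in $_SESSION and that the game posts "gname" and "gscore".

// Called when the game page is rendered: mint a fresh, unguessable token for
// THIS player's session and remember which game it was issued for.
function issueScoreToken(array &$session, string $game): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $session['score_tokens'][$token] = [
        'game'   => $game,
        'issued' => time(),
    ];
    return $token;                                // embedded in the page / Flash parameters
}

// Called by the newscore handler: the token must exist in THIS session, match the
// game being scored and be recent; it is deleted on first use (even when the other
// checks fail) so a captured request cannot be submitted twice.
function consumeScoreToken(array &$session, string $token, string $game, int $maxAgeSeconds = 3600): bool
{
    if (!isset($session['score_tokens'][$token])) {
        return false;                             // unknown, foreign or already-used token
    }
    $entry = $session['score_tokens'][$token];
    unset($session['score_tokens'][$token]);      // single use
    if ($entry['game'] !== $game) {
        return false;                             // token issued for a different game
    }
    if (time() - $entry['issued'] > $maxAgeSeconds) {
        return false;                             // too old
    }
    return true;
}

// --- Stand-alone demonstration with two concurrent players -------------------
$alice = [];                 // stands in for Alice's $_SESSION
$bob   = [];                 // stands in for Bob's $_SESSION

$tokenA = issueScoreToken($alice, 'throwme');
$tokenB = issueScoreToken($bob, 'throwme');

// Bob submits first. Alice's token is unaffected because it lives in her own
// session; with a single global number this is where her submission would break.
var_dump(consumeScoreToken($bob, $tokenB, 'throwme'));
var_dump(consumeScoreToken($alice, $tokenA, 'throwme'));

// The same request sent again is refused: the token was consumed.
var_dump(consumeScoreToken($alice, $tokenA, 'throwme'));

// A token minted for one session is meaningless in another.
$tokenA2 = issueScoreToken($alice, 'throwme');
var_dump(consumeScoreToken($bob, $tokenA2, 'throwme'));
```

In a real handler the two arrays are replaced by `$_SESSION` after `session_start()`, and the token is added to the parameters the arcade passes into the game when the page is built; the Flash file then has to echo it back with the score, which is the part that needs the game's cooperation.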
RussellReal Posted January 16, 2009: Is this a Flash game by any chance?
imperialized (Author) Posted January 16, 2009: Yea, it is PHP Quick Arcade (using Flash games and MySQL).
RussellReal Posted January 16, 2009: Did you make these games, or do you at least have the FLAs of these games? This way you could just trash the scores in the Flash app, so when Tamper Data tries to re-send the last person's score, the last person's score is non-existent.
premiso Posted January 16, 2009: Your other option, and I am not sure how this works with Flash as I never use Flash, is to encrypt the scores with a key via the Flash, then on the PHP side decrypt them. That way they have to know what your key is to fake the scores. Like I said, I have no clue how this would work with Flash; maybe you can find a Flash/PHP encrypt/decrypt function?
imperialized (Author) Posted January 16, 2009: No, I don't write any of the games. The games are from IPB Arcade (games written to be used with that forum). I have access to all other elements, aside from what happens within the Flash game itself.
premiso Posted January 16, 2009:
> No, I don't write any of the games. The games are from IPB Arcade (games written to be used with that forum). I have access to all other elements, aside from what happens within the Flash game itself.
I think you are out of luck then. I do not know how you would stop that without being able to code for it. If you can detect the use of Tamper, that would be one thing. But I do not think you can.
imperialized (Author) Posted January 16, 2009: Do you think there would be a way to capture the score before the user had a chance to change it? If that's the case, I could use a hash on the score to check it. For example:
a = real score
b = fake score
md5(a) = x
if md5(a) = x -- score is real
if they passed b through: md5(b) = x -- it would not pass b/c the hash would be different....
...pondering
RussellReal Posted January 16, 2009: If it works then it works, but MD5 is a one-way hash so you can't recover the hash lol.
imperialized (Author) Posted January 16, 2009: The problem is, I don't think I can catch the score before the tamper program would. What I'm saying is: capture the score, create the hash, pass the score and the hash to the verification. The score, if changed, would not pass the verification of comparing it to the hash. I wouldn't need to recover the hash, just compare it to the score that was passed... I don't think this would be possible though.
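Whether a hash helps depends entirely on whether the client can compute it for a different score. An unkeyed md5(score) gives no protection: whoever can edit gscore in the request can also edit the hash field to the md5 of the new value, and the server has no way to tell. What premiso's "key" suggestion amounts to in practice is a keyed MAC: an HMAC over the game name and score using a secret that the game and the server share, which cannot be recomputed for a new score without that secret. The block below is an added example, not code from the thread; the field names, function names and the secret are assumptions. The caveat from premiso's later reply still holds: the secret has to be present inside the Flash file for the game to use it, so this raises the bar rather than closing the hole, and it needs the game's cooperation.

```php
<?php
// Added example (not from the thread). Assumes the score handler receives
// "gname", "gscore" and a "sig" field that the game computed over both.

const SCORE_KEY = 'replace-with-a-long-random-secret';   // placeholder value

// What a game that cooperates with the server would compute before posting.
function signScore(string $game, int $score, string $key): string
{
    return hash_hmac('sha256', $game . ':' . $score, $key);
}

// Server side: recompute the MAC and compare it in constant time.
function verifyScore(string $game, string $score, string $sig, string $key): bool
{
    if (!ctype_digit($score)) {            // reject "", "-5", "1e9" before casting
        return false;
    }
    $expected = signScore($game, (int) $score, $key);
    return hash_equals($expected, $sig);   // hash_equals avoids a timing side channel
}

// The unkeyed variant sketched above: md5 of the score alone, no secret involved.
function verifyScoreUnkeyed(string $score, string $hash): bool
{
    return hash_equals(md5($score), $hash);
}

// --- Stand-alone demonstration ------------------------------------------------
$game = 'throwme';
$real = 32;

// A legitimate submission: score and signature agree.
$sig = signScore($game, $real, SCORE_KEY);
var_dump(verifyScore($game, (string) $real, $sig, SCORE_KEY));

// The score field changed to 9999999 (the value in the dump posted later in this
// thread) while the signature is left as it was: the MAC covered the old score,
// so verification fails.
var_dump(verifyScore($game, '9999999', $sig, SCORE_KEY));

// With no secret in the computation, any (score, md5(score)) pair verifies, so
// the unkeyed check accepts whatever value is sent.
var_dump(verifyScoreUnkeyed('9999999', md5('9999999')));
```

The design point is that the integrity check must involve something the client cannot reproduce at will; a digest of the data alone is just a checksum. Keep the secret out of the web root and rotate it if the game file is ever redistributed.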
RussellReal Posted January 17, 2009: Do you have the Tamper Data plugin installed on your Firefox? If so, you could do a simple differentiation between when data tampering occurs and a legitimate request, e.g. comparing $_SERVER, $_GET and $_POST. print_r() these and then post them here, one set for tampered data and one for a legit request. Or add me on MSN and I could help you in a more realtime manner: RussellonMSN [AT] hotmail.com
imperialized (Author) Posted January 18, 2009:

// Original untouched. In the following order: $_POST $_SESSION $_SERVER
gname: throwme
gscore: 32
CONTENT_LENGTH: 23
CONTENT_TYPE: application/x-www-form-urlencoded
DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
HTTP_CACHE_CONTROL: max-age=0
HTTP_CONNECTION: keep-alive
HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3
HTTP_HOST: www.imperialized.com
HTTP_KEEP_ALIVE: 300
HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin
REMOTE_ADDR: 76.125.203.130
REMOTE_PORT: 2876
SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php
SERVER_ADDR: 204.13.53.2
SERVER_ADMIN: webmaster@imperialized.com
SERVER_NAME: www.imperialized.com
SERVER_PORT: 80
SERVER_SIGNATURE: Apache/1.3.37 Server at www.imperialized.com Port 80
SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: POST
QUERY_STRING: act=Arcade&do=newscore
REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore
SCRIPT_NAME: /arcade/index.php
PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php
PHP_SELF: /arcade/index.php
REQUEST_TIME: 1232263241
[argv]
    0: act=Arcade&do=newscore
argc: 1

// This is the tampered info
gname: throwme
gscore: 9999999
CONTENT_LENGTH: 28
CONTENT_TYPE: application/x-www-form-urlencoded
DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING: gzip,deflate
HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5
HTTP_CONNECTION: keep-alive
HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3
HTTP_HOST: www.imperialized.com
HTTP_KEEP_ALIVE: 300
HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin
REMOTE_ADDR: 76.125.203.130
REMOTE_PORT: 2905
SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php
SERVER_ADDR: 204.13.53.2
SERVER_ADMIN: webmaster@imperialized.com
SERVER_NAME: www.imperialized.com
SERVER_PORT: 80
SERVER_SIGNATURE: Apache/1.3.37 Server at www.imperialized.com Port 80
SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510
GATEWAY_INTERFACE: CGI/1.1
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: POST
QUERY_STRING: act=Arcade&do=newscore
REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore
SCRIPT_NAME: /arcade/index.php
PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php
PHP_SELF: /arcade/index.php
REQUEST_TIME: 1232263314
[argv]
    0: act=Arcade&do=newscore
argc: 1
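Comparing the two dumps shows why there is nothing in $_SERVER to key a detection on: apart from gscore itself, the only differences are CONTENT_LENGTH (23 versus 28 bytes, which is just the longer number), REMOTE_PORT, REQUEST_TIME and a missing HTTP_CACHE_CONTROL header, none of which identifies a modified request. The practical server-side check is therefore on the score: is it a well-formed integer, is it attainable in that game at all, and is the player submitting at a believable rate? The block below is an added example, not code from the thread or from the arcade script; it parses the "key: value" dump format posted above into an array and applies those rules. The per-game ceiling for "throwme" and the minimum time between two submissions are assumptions an admin would have to measure, and the two dumps embedded in it are abridged copies of the ones in the post.

```php
<?php
// Added example (not from the thread). Parses the "key: value" dumps posted above
// (abridged to the fields the checks use) and flags implausible score submissions.

// Per-game ceilings are an ASSUMPTION: measure what a top player can actually reach.
function gameCeilings(): array
{
    return ['throwme' => 500];
}
const MIN_SECONDS_BETWEEN_SUBMITS = 30;   // assumed shortest possible play of a game

// Turn one print_r-style dump into an associative array.
function parseDump(string $dump): array
{
    $vars = [];
    foreach (preg_split('/\R/', trim($dump)) as $line) {
        if (preg_match('/^\s*([A-Za-z_]+):\s*(.*)$/', $line, $m)) {
            $vars[$m[1]] = $m[2];
        }
    }
    return $vars;
}

// Returns the reasons a submission looks wrong; an empty array means plausible.
// $lastSubmit maps "cookie|game" to the REQUEST_TIME of the previous accepted score.
function checkScore(array $req, array &$lastSubmit): array
{
    $reasons  = [];
    $ceilings = gameCeilings();
    $game     = $req['gname']  ?? '';
    $score    = $req['gscore'] ?? '';
    $now      = (int) ($req['REQUEST_TIME'] ?? 0);

    if (($req['REQUEST_METHOD'] ?? '') !== 'POST') {
        $reasons[] = 'score not submitted via POST';
    }
    if (!ctype_digit($score)) {
        $reasons[] = 'gscore is not a non-negative integer';
    } elseif (!isset($ceilings[$game])) {
        $reasons[] = "unknown game '$game'";
    } elseif ((int) $score > $ceilings[$game]) {
        $reasons[] = "gscore $score exceeds the ceiling {$ceilings[$game]} for $game";
    }

    // Rate check keyed on the player's cookie plus the game.
    $key = ($req['HTTP_COOKIE'] ?? '') . '|' . $game;
    if (isset($lastSubmit[$key]) && $now - $lastSubmit[$key] < MIN_SECONDS_BETWEEN_SUBMITS) {
        $reasons[] = 'submitted too soon after the previous score';
    }
    if ($reasons === []) {
        $lastSubmit[$key] = $now;       // only accepted scores advance the clock
    }
    return $reasons;
}

// Abridged copies of the two dumps from the post above.
$original = <<<'DUMP'
gname: throwme
gscore: 32
CONTENT_LENGTH: 23
HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3
REQUEST_METHOD: POST
REQUEST_TIME: 1232263241
DUMP;

$tampered = <<<'DUMP'
gname: throwme
gscore: 9999999
CONTENT_LENGTH: 28
HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3
REQUEST_METHOD: POST
REQUEST_TIME: 1232263314
DUMP;

$seen = [];
print_r(checkScore(parseDump($original), $seen));   // the 32-point submission
print_r(checkScore(parseDump($tampered), $seen));   // the 9999999-point submission
```

Run stand-alone, the first call returns no reasons and the second reports the ceiling violation; the 73-second gap between the two REQUEST_TIME values is above the assumed minimum, so the rate rule does not fire. Checks like these cannot prove a score is genuine, only reject the obviously impossible ones, so log the rejected submissions with the cookie and REMOTE_ADDR rather than silently discarding them.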
RussellReal Posted January 18, 2009: Would be nice if you came back on MSN lol.