PHP and Tamper Data plug in


imperialized

Ok, well I have been using a PHP arcade script to allow my users to play games on my website. However, I was recently informed of a program called "Tamper Data", a plug-in for Firefox, which allowed users to change the scores that were being passed to the server.

 

Is there any way to prevent such info from being changed? Or rather, how do you check to ensure that the information was not altered?


Usually Firefox extensions are accessible through JavaScript.

 

If you look up the documentation on Tamper Data you might find a way to locate it.

 

But that only works if JavaScript is enabled.

 

Probably you could implement a sort of ticketing system where every time a score is sent, generate a new random number, have your server send that random number back to the game, then have PHP expect that random number on the next sent scores.

 

This way Tamper Data will most likely not be able to retrieve and send this unique number, thus rendering it useless.


I don't know that sending and saving a random number would do the trick. The problem would lie here:

 

Say a user (1) is playing a game (already loaded the page) while another user has just submitted a score. User (1) then tries to send his score; his number wouldn't match the number the server expected because he parsed the page prior to the new number being set.

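The ticketing idea from the earlier reply and the race the post above objects to can both be seen in one place. The following is an added example written for this thread, not code from IPB Arcade or from any poster, and it assumes PHP 7.1 or later (random_bytes, hash_equals, nullable return types); the function names, the $max_score and $min_play_seconds bounds and the field name "ticket" are this example's own choices. The ticket is stored per session and per game rather than as one global number, so one player's submission never invalidates another player's ticket, and it is consumed on first use so the same request cannot be replayed with a different score.

```php
<?php
// Added example for the thread above (not IPB Arcade code). Assumes PHP >= 7.1.
// A one-time score ticket kept in the player's own session, plus the two
// server-side plausibility checks that remain available when the game itself
// cannot be changed: a maximum score and a minimum elapsed play time.

// Issue a ticket when the game page is rendered. The submission must carry it
// back (in the POST body, or, if the game cannot be modified, via the session
// cookie alone, in which case only the issue time and consumption are checked).
function issue_score_ticket(array &$session, string $gname, int $now): string
{
    $ticket = bin2hex(random_bytes(16));          // 128-bit unguessable value
    $session['score_tickets'][$gname] = ['ticket' => $ticket, 'issued' => $now];
    return $ticket;
}

// Verify and consume the ticket on submission. Returns null when the score may
// be recorded, otherwise a short reason string for the server log.
function verify_score_submission(array &$session, array $post, int $now,
                                 int $max_score, int $min_play_seconds): ?string
{
    $gname  = $post['gname']  ?? '';
    $ticket = $post['ticket'] ?? '';
    $gscore = $post['gscore'] ?? '';

    $issued = $session['score_tickets'][$gname] ?? null;
    if ($issued === null) {
        return 'no ticket issued for this game in this session';
    }
    // Consume first: a replay or a second submission fails even if it is valid.
    unset($session['score_tickets'][$gname]);

    if (!hash_equals($issued['ticket'], (string) $ticket)) {
        return 'ticket mismatch';
    }
    if (!ctype_digit((string) $gscore)) {
        return 'score is not a non-negative integer';
    }
    $gscore = (int) $gscore;
    if ($gscore > $max_score) {
        return 'score exceeds the maximum the game can produce';
    }
    if ($now - $issued['issued'] < $min_play_seconds) {
        return 'submitted faster than the game can be played';
    }
    return null;
}

// Constructed walk-through using the gname/gscore field names from the thread.
$session = [];
$t = issue_score_ticket($session, 'throwme', 1232263241);

// Legitimate submission 90 seconds after the page was issued: accepted.
$ok = verify_score_submission($session,
        ['gname' => 'throwme', 'gscore' => '32', 'ticket' => $t],
        1232263241 + 90, 100000, 30);
echo "legit: " . ($ok ?? 'accepted') . "\n";

// The same ticket sent again with an edited score: rejected, it was consumed.
$again = verify_score_submission($session,
        ['gname' => 'throwme', 'gscore' => '9999999', 'ticket' => $t],
        1232263241 + 95, 100000, 30);
echo "replay: " . ($again ?? 'accepted') . "\n";

// A second player's session holds its own ticket and is unaffected by the first.
$session2 = [];
$t2 = issue_score_ticket($session2, 'throwme', 1232263300);
$other = verify_score_submission($session2,
        ['gname' => 'throwme', 'gscore' => '40', 'ticket' => $t2],
        1232263300 + 60, 100000, 30);
echo "other player: " . ($other ?? 'accepted') . "\n";
```

What this does and does not buy you: the ticket defeats replay and cross-player confusion, and the session scoping removes the race described above. It does not stop a score that is edited in flight while the ticket is left intact, since the ticket says nothing about the value next to it; for that case the only server-side brake is the plausibility bounds, which is why the upper limit and minimum play time are checked as well.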

Your other option, and I am not sure how this works with Flash as I never use Flash, is to encrypt the scores with a key via the Flash, then on the PHP side decrypt them. That way they have to know what your key is to fake the scores.

 

Like I said, I have no clue how this would work with Flash; maybe you can find a Flash/PHP encrypt/decrypt function?


No, I don't write any of the games. The games are from IPB Arcade (games written to be used with that forum). I have access to all other elements, aside from what happens within the Flash game itself.

 

I think you are out of luck then. I do not know how you would stop that without being able to code for it. If you can detect the use of tamper, that would be one thing. But I do not think you can.


Do you think there would be a way to capture the score before the user had a chance to change it?

 

If that's the case, I could use a hash on the score to check it.

 

For example:

a = real score

b = fake score

 

md5(a) = x

if md5(a) = x    -- score is real

 

if they passed b through

md5(b) = x  -- it would not pass because the hash would be different....

 

 

...pondering


The problem is, I don't think I can catch the score before the tamper program would.

 

What I'm saying is: capture the score, create the hash,

 

pass the score and the hash to the verification.

 

The score, if changed, would not pass the verification of comparing it to the hash. I wouldn't need to recover the hash, just compare it to the score that was passed... I don't think this would be possible though.

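The md5(a) = x idea from the two posts above is worth working through in code, because it shows exactly where a digest helps and where it cannot. This is an added example, not code from the thread or from IPB Arcade; it assumes PHP 5.6 or later for hash_equals, and the function names, the constructed secret and the ticket value are its own. An unkeyed digest the client computes over the score proves nothing, since whoever edits the score can recompute it; a keyed HMAC under a secret only the server holds can be produced only by the server, which makes it useful for values the server originated (a ticket, a session id) and useless for a score that is computed on the player's machine, where the signing key would have to ship inside the game.

```php
<?php
// Added example for the thread above (not IPB Arcade code). Assumes PHP >= 5.6.
// Compares the unkeyed "md5(score) = x" check with a keyed HMAC and shows
// which requests each one accepts.

// The thread's verification idea: accept the score if md5(score) equals the
// digest that arrived with it.
function verify_plain_md5($score, $digest)
{
    return hash_equals(md5($score), $digest);
}

// Keyed version: HMAC-SHA256 over the sorted fields under a server-only secret.
function sign_fields(array $fields, $secret)
{
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields), $secret);
}

function verify_signed_fields(array $fields, $digest, $secret)
{
    return hash_equals(sign_fields($fields, $secret), $digest);
}

// --- Constructed walk-through with the values seen in the thread ------------
$real = '32';
$fake = '9999999';

// 1. Unkeyed digest. Editing only the score is caught, but a request that
//    also carries a recomputed digest verifies exactly like the real one,
//    so the check adds nothing against a client that controls both fields.
$sentByGame     = verify_plain_md5($real, md5($real));
$scoreOnlyEdit  = verify_plain_md5($fake, md5($real));   // digest left alone
$bothEdited     = verify_plain_md5($fake, md5($fake));   // digest recomputed
printf("md5: game=%d, score-only edit=%d, both edited=%d\n",
       $sentByGame, $scoreOnlyEdit, $bothEdited);
// md5: game=1, score-only edit=0, both edited=1

// 2. Keyed digest over server-originated fields. The server signs the game
//    name and a ticket it issued; changing the ticket without the secret
//    cannot produce a matching signature.
$secret = 'server-only-secret-from-config';   // constructed placeholder
$issued = array('gname' => 'throwme', 'ticket' => 'ab12cd34');   // constructed
$sig    = sign_fields($issued, $secret);
$legit  = verify_signed_fields($issued, $sig, $secret);
$forged = verify_signed_fields(array('gname' => 'throwme', 'ticket' => 'zz99'),
                               $sig, $secret);
printf("hmac on server-issued fields: legit=%d, altered=%d\n", $legit, $forged);
// hmac on server-issued fields: legit=1, altered=0
```

The keyed check is only as strong as the secrecy of $secret. If the score itself had to be signed, the game running in the browser would need the key, which is the situation the earlier reply about encrypting in Flash describes; at that point the key is part of what the player downloads, and the digest again authenticates nothing. The server can vouch for what it issued, not for what the client computed.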

Do you have the Tamper Data plugin installed on your Firefox?

 

If so you could do a simple differentiation between when data tampering occurs and a legitimate request.

 

E.g.

 

comparing

 

$_SERVER

$_GET

$_POST

 

print_r() these and then post them here:

 

1 set for tampered data, and 1 for a legit request

 

Or add me on MSN and I could help you in a more realtime manner:

 

RussellonMSN [AT] hotmail.com


//Original untouched. 

 

In the following order:

$_POST

$_SESSION

$_SERVER

 

 

~ gname: throwme

~ gscore: 32

 

 

 

~ CONTENT_LENGTH: 23

~ CONTENT_TYPE: application/x-www-form-urlencoded

~ DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html

~ HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

~ HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7

~ HTTP_ACCEPT_ENCODING: gzip,deflate

~ HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5

~ HTTP_CACHE_CONTROL: max-age=0

~ HTTP_CONNECTION: keep-alive

~ HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3

~ HTTP_HOST: www.imperialized.com

~ HTTP_KEEP_ALIVE: 300

~ HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme

~ HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

~ PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin

~ REMOTE_ADDR: 76.125.203.130

~ REMOTE_PORT: 2876

~ SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ SERVER_ADDR: 204.13.53.2

~ SERVER_ADMIN: webmaster@imperialized.com

~ SERVER_NAME: www.imperialized.com

~ SERVER_PORT: 80

~ SERVER_SIGNATURE:

Apache/1.3.37 Server at www.imperialized.com Port 80

 

~ SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510

~ GATEWAY_INTERFACE: CGI/1.1

~ SERVER_PROTOCOL: HTTP/1.1

~ REQUEST_METHOD: POST

~ QUERY_STRING: act=Arcade&do=newscore

~ REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore

~ SCRIPT_NAME: /arcade/index.php

~ PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ PHP_SELF: /arcade/index.php

~ REQUEST_TIME: 1232263241

[argv]

  |~ 0: act=Arcade&do=newscore

~ argc: 1

 

 

 

// This is the tampered info

 

~ gname: throwme

~ gscore: 9999999

 

 

 

 

 

 

~ CONTENT_LENGTH: 28

~ CONTENT_TYPE: application/x-www-form-urlencoded

~ DOCUMENT_ROOT: /home/jaymartin/domains/imperialized.com/public_html

~ HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

~ HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.7

~ HTTP_ACCEPT_ENCODING: gzip,deflate

~ HTTP_ACCEPT_LANGUAGE: en-us,en;q=0.5

~ HTTP_CONNECTION: keep-alive

~ HTTP_COOKIE: gname=throwme; valid_user=David; phpqa_user_c=David; phpqa_user_p=81e546567d978740ee728053adf65275; PHPSESSID=2bbc7afc848e083a1645927dd864f7c3

~ HTTP_HOST: www.imperialized.com

~ HTTP_KEEP_ALIVE: 300

~ HTTP_REFERER: http://www.imperialized.com/arcade/Arcade.php?play=throwme

~ HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

~ PATH: /etc:/bin:/sbin:/usr/bin:/usr/sbin

~ REMOTE_ADDR: 76.125.203.130

~ REMOTE_PORT: 2905

~ SCRIPT_FILENAME: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ SERVER_ADDR: 204.13.53.2

~ SERVER_ADMIN: webmaster@imperialized.com

~ SERVER_NAME: www.imperialized.com

~ SERVER_PORT: 80

~ SERVER_SIGNATURE:

Apache/1.3.37 Server at www.imperialized.com Port 80

 

~ SERVER_SOFTWARE: Apache/1.3.37 (Unix) PHP/5.2.3 mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 FrontPage/5.0.2.2510

~ GATEWAY_INTERFACE: CGI/1.1

~ SERVER_PROTOCOL: HTTP/1.1

~ REQUEST_METHOD: POST

~ QUERY_STRING: act=Arcade&do=newscore

~ REQUEST_URI: /arcade/index.php?act=Arcade&do=newscore

~ SCRIPT_NAME: /arcade/index.php

~ PATH_TRANSLATED: /home/jaymartin/domains/imperialized.com/public_html/arcade/index.php

~ PHP_SELF: /arcade/index.php

~ REQUEST_TIME: 1232263314

[argv]

  |~ 0: act=Arcade&do=newscore

~ argc: 1

 
