What did I Learn While Making a Game with vanilla HTML, CSS and Javascript

这篇具有很好参考价值的文章主要介绍了What did I Learn While Making a Game with vanilla HTML, CSS and Javascript。希望对大家有所帮助。如果存在错误或未考虑完全的地方,请大家不吝赐教,您也可以点击"举报违法"按钮提交疑问。

Those of you who don't know, I recently made a game with the vanilla stack, i.e pure HTML, CSS and JavaScript. After launching this game I came to know about some vulnerabilities of a web app made with pure HTML, CSS and JavaScript.

A. People can change the code: The bug which mostly annoyed me after releasing the game is that using the really powerful Chrome Dev Tools, people can access and change my code really easily. What people were using this for is:

a. Making the score variable to increment by a huge number for a correct answer, so that they can claim to get a ridiculously high score and flex on the others. In my game, this is more prominent as there is a global leaderboard.

What did I Learn While Making a Game with vanilla HTML, CSS and Javascript,html,css,javascript

This can also be done by the debugger tools provided by Google Chrome which can insert a breakpoint in the code at a certain line(specifically where the score is being incremented) and can change the variable from the console simply.

What did I Learn While Making a Game with vanilla HTML, CSS and Javascript,html,css,javascript

b. This one is not really related to changing the code, but, as people could see my JavaScript so it was easy for them to get the backend URL and send a request via any REST client like postman or insomnia and set their high score even without playing the game.

The solutions I came up with can't completely ensure that your code will be completely secure, but it can throw off such "hackers":

a. Minifying the code: Minifying the JavaScript code will make it to appear on one line. But Chrome has a tool to beautify the minified JavaScript:

What did I Learn While Making a Game with vanilla HTML, CSS and Javascript,html,css,javascript

So, Chrome Dev Tools apparently allow you to pretty-print the minified code, which defeats the purpose of the minifying for discouraging "hackers". But you should always minify your code for the production of big apps for faster loading time.

b. Obfuscating the code: One of the biggest mistakes I made after the first beta release of my code is to switch to a module-based approach for coding this game(a post on module based javascript on the web by me is under process) and I found it a bit difficult and not worth it to obfuscate my code without breaking it in some way or other. That thing aside, let's see how an obscurification looks like:

Normal code:

let a = 10
let b = 20
c = a+b
console.log(`${a},${b},${c}`)

obfuscated code:

var _0x27ea=function(s,h){return eval(String.fromCharCode(115,32,43,32,104));}(eval(String.fromCharCode(49,55,54,49,49,49,32,94,32,49,55,54,49,48,55)),eval(String.fromCharCode(51,56,50,51,49,56,32,94,32,51,56,50,51,49,56)));let a=function(s,h){return eval(String.fromCharCode(115,32,94,32,104));}(780093,780087);_0x27ea=function(){return"_0xb77c39314";}();let b=function(s,h){return eval(String.fromCharCode(115,32,94,32,104));}(937835,937855);c=eval(String.fromCharCode(97,32,43,32,98));console['\x6c\x6f\x67'](`${a},${b},${c}`);

This might look gibberish, but if you minutely check it, trained eyes can still find the original code and change it. But obfuscation can be done to protect your Javascript code from others. If you want to know more about obfuscating code you can use js obfuscator

c. Another solution to this client-side vulnerability will be to use some backend to process and store the score, which will:

  1. Make a ton of request to the backend which is not acceptable for any production level app.

  2. Will make the game unusable offline, which I don't want to happen.

d. To prevent the high score from being a ridiculous amount sent by the client using the exploits, I set up a barrier for the high score so that any score above that will be rejected by the system.

B. People can get your API and randomly request your backend to store new things: In this app, I relied on a small express based backend to store the scores from people. So, once they know the URL of the API they can use an API client to send the result to the server and store it. For larger apps having an API key in the client-side can cause data leak from your database.

The potential solution will be to keep a secret as HTTP only cookie and ask for it on each POST request so that it can validate if the connection is from an actual browser or not. Or otherwise, you can have a look at the user-agent header which often contain the details of the browsers being used.文章来源地址https://www.toymoban.com/news/detail-852028.html

到了这里,关于What did I Learn While Making a Game with vanilla HTML, CSS and Javascript的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处: 如若内容造成侵权/违法违规/事实不符,请点击违法举报进行投诉反馈,一经查实,立即删除!

领支付宝红包 赞助服务器费用

相关文章

  • Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0. 解决办法

    今天编译一个之前在家里打包的项目 然后发现公司的电脑编译不过 问题如下 Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0. You can use \\\'--warning-mode all\\\' to show the individual deprecation warnings and determine if they come from your own scripts or plugins. See https://docs.gradle.org/

    2024年02月13日
    浏览(46)
  • 基于Django Channels框架和JavaScript WebSockets实现 Making a Chat Application With Django Channels and Java

    作者:禅与计算机程序设计艺术 在本文中,我们将建立一个基于Django Channels框架和JavaScript WebSockets库实现的实时聊天系统,这个系统会让用户之间可以进行即时沟通,聊天室功能强大且实用。通过这个项目,你将学习到Django Channels框架的一些特性,并且能够熟练掌握WebSocke

    2024年02月07日
    浏览(39)
  • Learn HTML in 1 hour

    https://www.youtube.com/watch?v=HD13eq_Pmp8 All right, what’s going on? everybody. It’s your Bro, hope you’re doing well, and in this video I’m going to help you started with html; so sit back, relax and enjoy the show. If you wouldn’t mind, like,comment and subscribe, one like equals one prayer for the youtube algorithm. I’m gonna tell you why y

    2024年02月21日
    浏览(26)
  • pinia报错:getActivePinia was called with no active Pinia. Did you forget to install pinia?

    项目:vue3+pinia+vite+element-plus pinia.mjs:1692 Uncaught Error: [🍍]: getActivePinia was called with no active Pinia. Did you forget to install pinia? 错误:在没有激活Pinia的情况下调用getActivePinia。 报错代码:login.ts文件下 报错位置:login.ts文件执行位置: layout组件中。 报错:在没有激活Pinia的情况下调

    2024年02月05日
    浏览(38)
  • error: subprocess-exited-with-error × python setup.py egg_info did not run successfully.报错

    报错的具体信息: 网上找的改正方法是: pip install --upgrade setuptools 但是不行,最后仔细看了报错信息,谜底就在谜面上啊!Here is how to fix this error in the main use cases:这一行给出了修补方法,我直接简单粗暴整最后一个。 在环境中加入SKLEARN_ALLOW_DEPRECATED_SKLEARN_PACKAGE_INSTALL=True这

    2024年01月19日
    浏览(51)
  • [plugin:vite:css] Preprocessor dependency “sass“ not found. Did you install it?

    [plugin:vite:css] Preprocessor dependency “sass” not found. Did you install it? 安装node-sass 或 sass 就可以解决 不安装的话就去除style中的lang属性 方法一: 方法二: 方法三:去除style中的lang属性 我这里用的是方法二,安装“npm install sass --save-dev”,安装成功后再启动项目,就成功了。

    2024年02月16日
    浏览(48)
  • azure-cognitiveservices-speech api error while using with AWS Lambda

    1.在mac上安装 正常运行没有问题,服务部署到docker 容器中后调用Azure语音评估服务报错 Cancellation Reason 初始化平台失败 2.解决方案,变更 azure-cognitiveservices-speech 版本为 1.18 再次调用服务,完美解决

    2024年02月15日
    浏览(37)
  • 论文笔记--Increasing Diversity While Maintaining Accuracy: Text Data Generation with Large Language Mode

    标题:Increasing Diversity While Maintaining Accuracy: Text Data Generation with Large Language Models and Human Interventions 作者:John Joon Young Chung, Ece Kamar, Saleema Amershi 日期:2023   文章给出了一种基于LLM自动生成训练数据的方法,且通过不同的实验设置尝试增加生成数据的多样性而又不降低数据

    2024年02月03日
    浏览(45)
  • [USF-XSim-62] ‘elaborate‘ step failed with errors.[Vivado 12-4473] Detected error while running sim

    出现的问题如下: 翻译出来:[USF-XSim-62] \\\'elaborate’步骤失败,出现错误。请检查Tcl控制台输出或’D:/vivado/fortest/fortest.sim/sim_1/behav/xsim/ elaboration .log’文件以获取更多信息。 [Vivado 12-4473] 运行模拟时检测到错误请纠正此问题并重试此操作。 方法一 :在Vivado 中的Messages无法看到

    2024年02月15日
    浏览(31)
  • 关于Minio性能优化 A timeout exceeded while waiting to proceed with the request, please reduce your request

    具体报错:A timeout exceeded while waiting to proceed with the request, please reduce your request 经查阅资料,有4种解决方案 查阅文献: https://www.oomake.com/question/17229356 https://www.nuomiphp.com/t/6254af8578e87f77ee3d038c.html https://www.hxstrive.com/subject/minio/673.htm https://github.com/minio/minio/tree/master/docs/config#ap

    2024年02月16日
    浏览(51)

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

博客赞助

微信扫一扫打赏

请作者喝杯咖啡吧~博客赞助

支付宝扫一扫领取红包,优惠每天领

二维码1

领取红包

二维码2

领红包