Humanity Project

Review - Trusting the client?

Bug #685940 reported by XavierAntoviaque
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Humanity Project
Won't Fix
High
Vlad Dragu
Humanity Project alpha2.2

Bug Description

Why do you access a GET variable to get the hack results in
FirstMission, instead of using an object property? This relates to a
part of the codebase that I don't know very well, so I'm unsure. You
never trust anything that directly comes from the client, right?

Revision history for this message
XavierAntoviaque (xavier-antoviaque) wrote :

From the discussion:

> [vlad] that GET var is not coming from client input. When the player
> does an action in the game, i use an ajax call to alert the mission
> engine that an action has been taken. The ajax call is a post call
> actually and that's where the var comes from. I get the hack results
> from the game session

Could you show me where this is handled in the code? Do you check what
you get from the client ajax call? Even if it is not coming from player
input in the browser, would a player be able to craft an HTTP request
that would make the mission engine believe the hack was a success when
it was actually a failure?

Changed in hackit:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Vlad Dragu (vlad-dragu)
milestone: none → alpha2.2
Revision history for this message
Vlad Dragu (vlad-dragu) wrote :

It all starts in the hackit.js file.
On lines 692 and 724 a call the function notify_mission with the param hack_fail and hack_success respectively.
in the function (declaration starts on line 299) i split that param into the action "hack" and the result "success" or "fail" which i sent through the POST ajax call.
Those vars i use in the mission.

I assume that someone could forge the request and send a different hack result. But he will have to know the exact composition of parameters to sent and know exactly how the code looks like in order to be able to exploit it

Changed in hackit:
status: Confirmed → Incomplete
Revision history for this message
XavierAntoviaque (xavier-antoviaque) wrote :

You would be surprised how smart players can be about those things :) Even on the proprietary games on which I've worked, where people don't have access to the code or even the server executables, they still manage to forge this type of requests, just by sniffing the communication between the client and the server.

Here, because it's ajax code, they can simply read the source file and figure it out. The golden rule of "never trusting the client" applies even more in our case.

Changed in hackit:
status: Incomplete → Confirmed
Revision history for this message
Vlad Dragu (vlad-dragu) wrote :

I changed the approach. Right now i rely on the last action registered in the actions table in order to compare it with the active actions queue.
I did the implementation and pushed to the repository but i cannot really test it because the frontend of the missions is not working anymore. I know you did some modifications to it, are you still working on that part of code?

Changed in hackit:
status: Confirmed → Incomplete
XavierAntoviaque (xavier-antoviaque)
Changed in hackit:
status: Incomplete → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.