Just wanted to bring the issue up to you guys after finding it. To go further on it, I would have it produce the obfuscated names randomly on each load of the game script so they're not easily referred to. Second I would try obfuscating all variable names that you can, especially the class definitions like EntityPlayer.
MANYLAND CHANGE SUB AREA URL CODE
Even if you left all your code in plain text, any modification someone tried to make from the client would be seen, verified, and handled accordingly by the server. I would suggest first and foremost to do the server side checks. The second thing I see is just obfuscating the code more.
Now the player can super jump and the server is fine with it (verified by numerous 'holy sh !' and 'wtf!?' comments from other players). To change player jump height for example, all it would take is this piece of JavaScript: It was also easy, for the most part, to identify what certain variables did as they were in plain text. Once the player object was found, it's easy to modify the variables and the world (server side) accepts it. This name for this player object is also static for every game instance, so it's easily referred to every time. I only tested this out on the player object as a PoC, but it only takes changing a variable within the player object to modify things like player speed, mountable craft speed, etc.įor instance, while you obfuscated the name of the player object within the ig.game object, it was easily found by checking for modifications to the health variable, where another function listed it as ig.game.O1376. Probably the biggest issue I see is the lack of server side checks against changes coming from the client. I wanted to notify you guys though of some security flaws within the game. Saw this posted over on PH and checked it out, extremely impressive game and I'm sure there's a ton of dev time on this.
0 kommentar(er)
