Supose i have a js game, with a score and "publish score" button. This button will send POST request to php script and that script then will add score to the database. The thing is, user can see in the browser to what page app is sending post data, hence he can forge it by sending any number he can come up with. This is like CRSF, but the token won't help, because user can see it too. I've been thinking about this problem for a while and haven't came up with any 100% working solution.
I'd try to add my own little encryption which can be reversed by me.
I guess even something basic like displaying numbers as chars, 1 = F, 2=p, etc... and by adding some random junk to make a string like asdzf7erwhbrdfm0[encryptedscore]0jkfsdgfadsegajband then removing everything between the zeroes.
Asked in February 2016Viewed 2,070 timesVoted 6Answered 1 times