FancyNancy February 2016

Preventing post data forgery

Supose i have a js game, with a score and "publish score" button. This button will send POST request to php script and that script then will add score to the database. The thing is, user can see in the browser to what page app is sending post data, hence he can forge it by sending any number he can come up with. This is like CRSF, but the token won't help, because user can see it too. I've been thinking about this problem for a while and haven't came up with any 100% working solution.

Answers


Soundz February 2016

Everything you do on the client can't be trusted.

I'd try to add my own little encryption which can be reversed by me. I guess even something basic like displaying numbers as chars, 1 = F, 2=p, etc... and by adding some random junk to make a string like asdzf7erwhbrdfm0[encryptedscore]0jkfsdgfadsegajband then removing everything between the zeroes.

Post Status

Asked in February 2016
Viewed 2,070 times
Voted 6
Answered 1 times

Search




Leave an answer