A brief explanation on how to exploit the glory of scope in JavaScript
Baconman321 (555)

@persassy2109 This is for you (and the rest of you all who don't know the wonders of scope).

DISCLAIMER:

There exists a way to get around this in devtools. Of course, the average person playing your game (unless you post it in a coding group like this website...) will not know how to access it at all. Of course, it offers some protection to noobs (like me) who don't know how to use devtools correctly.

Even so, it is a good idea to wrap code in an IIFE to prevent polluting global scope (which I don't think the scripts themselves can travel into scopes) especially if you are importing external scripts (which still should either be a module or be inside an IIFE themselves). Since JavaScript is executed on client-side, the user can see both the source code of your application and be able to manipulate the code either with devtools or something else.

DO NOT USE JAVASCRIPT TO HANDLE SENSITIVE INFORMATION...EVER!!!

Anyways, moving on...

You just made a game...

"OOH, I just made a new game, it's so nice! I made high scores and everything! But, oh... wait! Someone got a score of infinity! How is that possible??? I'VE BEEN HACKED, HOW IS THIS POSSIBLE?!"
Easy, you just call the function that sets the high score and pass in infinity. I'm disappointed that people today don't know how to exploit scope in JavaScript. What's next, y'all won't know how to use private methods (actually I've never even touched a class outside of JavaScript, but I still know what that is!)?
Today guys (and girls, gotta include everyone), I will show you how to prevent (for the most part) exploits by devtools (or other console tools). Note that this is not 100% efficient and you still should follow all other rules of thumb for making a safe and secure game (like anti-XSS methods. Actually if you unwillingly allow XSS the point of this tutorial could be made useless). Well, let's get into it then! Onward.

Did you know JavaScript has classes? Pretty cool right?!
A teeny tiny problem though, it doesn't support private methods or values! Now anyone can access those methods and change the values (like Player.playerSpeed for example)... right?
Yep.
"Oh, no! How do I fix this?!", you might say.
While JavaScript may not support private methods (method is a fancy word for a function inside a class or object) or values, you can always make them private because of this one thing (a wonderful thing) called scope!
Note that I include very simple examples here because I, too, am fairly new to this. Anyways, Onward Ho!

Now, imagine you have a game. In your game you have a Player object that stores and controls information on the player. You have a Player.setSpeed() method that you use for when the player gets a speed power-up. You post it on repl share, and it gets trending! But then, oh! Kobeff (sorry kobe, just teasin u ;D) has shown a pic of him modifying the player speed by calling Player.setSpeed() and passing in 1,000. Now he can zip around like flash and pass all the monsters in a breeze!
How do you fix this to prevent the mighty Kobeff (sorry Kobe... again) from Oofing your game? One very simple thing is to wrap all your code in an IIFE (immediately invoked function expression). Here's an example of code wrapped inside an IIFE:

(function(){
   console.log("Look ma, I'm trapped inside a function!");
})();

An immediately invoked function expression is just what it sounds like: a function that is immediately invoked.
"Why might this be of any help to me?" you may ask.
Well, it all has to do with scope.
What is scope?
According to wikipedia:

In computer programming, the scope of a name binding—an association of a name to an entity, such as a variable—is the part of a program where the name binding is valid, that is where the name can be used to refer to the entity.

Wow, even I don't fully understand this? What does it mean?
Imagine you have a safe. It is super locked. Inside the safe, imagine each of the objects came to life. Each object can interact with each other, but another object that came to life outside the safe, say... a tin soldier, can't interact with those people inside the safe. Now, replace the safe with a function and the objects with variables or other storage methods and you got yourselves the meaning of scope.
Devtools interacts with the global scope. Global means the very highest scope. If you define a function in the global scope and you console.log the window object, you will see that that function is bound to the window AKA global scope. But, if you make a function inside a function, that innermost function has the scope of the outer function.

Functions inside a function inherit all the outer function's variables. That is why this is perfectly valid:

let globalVar = "Hello from the global scope!";
function outerFunc(){
   console.log(globalVar);
}
outerFunc();
//Will log "Hello from the global scope!"

However, you cannot access a function's scope from outside of it.

function outerFunc(){
   let secret = "Hehe, I will never be exposed!";
}
console.log(secret);
//Throws "ReferenceError: secret is not defined"

Of course, there are exceptions. Remember how I said that a function can inherit all of the outer scope's variables and objects and such?
Well, you can also change the outer scope's variables from inside a function.

let globalVar = "I am global!";
function changeVar(){
   globalVar = "Hehe, I am secret... right?";
}
changeVar(); //Run the function so the assignment actually happens
console.log(globalVar);
//Will log "Hehe, I am secret... right?"

Another thing to note:
since JavaScript allows you to declare variables without a var, const or let keyword, you have to watch out for the scoping of declaring a variable without a declaration keyword, because if you declare a variable without a variable declaration keyword (like let or var), you will automatically bind it to the global scope! For instance:

function globalVar(){
   myGlobal = "This is global";
}
globalVar();
console.log(myGlobal);
//Will log "This is global";

Of course, there are probably a few more rules... but that is your daily dose of basic scope understanding.
If you want to read more about scope, try this mozilla article!
Now, go make your game untamperable (ok, somewhat untamperable... don't forget to follow the other security methods)!

Now the mighty kobeff cannot mess with your game
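
The IIFE pattern from the post applied to its Player.setSpeed() scenario, as an added example that is not part of the original post; MAX_SPEED, POWER_UPS and applyPowerUp are assumed names. As the disclaimer says, this only narrows what the console's global scope can reach: a debugger breakpoint inside the function still exposes speed.

```javascript
// Added example, not from the original post. MAX_SPEED and POWER_UPS are assumed values.
const Player = (function () {
  "use strict"; // undeclared assignments throw instead of creating globals

  const MAX_SPEED = 10;
  const POWER_UPS = Object.freeze({ boots: 2, rocket: 5 });
  let speed = 1; // lives only in this closure; it is not a property of window/globalThis

  // Private: never returned, so code in the global scope has no name to call it by.
  function setSpeed(value) {
    if (!Number.isFinite(value) || value < 0 || value > MAX_SPEED) {
      throw new RangeError("speed out of range: " + value);
    }
    speed = value;
  }

  // Public surface: callers name a power-up, they never supply a number.
  return Object.freeze({
    getSpeed() {
      return speed;
    },
    applyPowerUp(name) {
      if (!Object.prototype.hasOwnProperty.call(POWER_UPS, name)) {
        return false; // unknown name, including inherited keys such as "toString"
      }
      setSpeed(Math.min(speed + POWER_UPS[name], MAX_SPEED));
      return true;
    },
  });
})();

// Returns true if an undeclared assignment inside a strict function is rejected.
function strictBlocksImplicitGlobal() {
  "use strict";
  try {
    leakedSpeed = 1000; // no let/const/var: a ReferenceError in strict mode
    return false;
  } catch (err) {
    return err instanceof ReferenceError;
  }
}
```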

xxpertHacker (606)

Did you know JavaScript has classes? Pretty cool right?!
A teeny tiny problem though, it doesn't support private methods or values! Now anyone can access those methods and change the values (like Player.playerSpeed for example)... right?

Hmmm... hmmm... because JavaScript doesn't have private methods?

class T {
    static #log = console.log;

    #meth() {
        T.#log("Meth... wait no, that's a drug!");
    }
}

T.#log("Haha, these aren't even private, phff, I'm using it right now!");

new T().#meth();

I'm waiting for private symbols, those are gonna be nice.

Today guys (and girls, gotta include everyone),

There are more than two genders :/

I will show you how to prevent (for the most part) exploits by devtools (or other console tools).

Nope, in devtools you actually have 100% power over everything, I can change values in scope, in a module, in a function, in a class, etc, at will.

Yes, you can do this:

// mod.mjs
{
    function foo() {
        class T {
            constructor() {
                let x = true;

                console.log(x);

                debugger;

                console.log(x);
            } // T::constructor
        } // T
    } // foo
}

and I can guarantee that if I wanted to, I could make it say

true
false

Because dev tools let us play god :)

Tampermonkey exists.

Scope is just encapsulation.

since JavaScript allows you to declare variables without a var, const or let keyword, you have to watch out for the scoping of declaring a variable without a declaration keyword, because if you declare a variable without a variable declaration keyword (like let or var), you will automatically bind it to the global scope!

Umm... since when? A decade ago?

"use strict";

f = 5.0; // throws ReferenceError

Just write modern code, it's not hard.

Baconman321 (555)

@xxpertHacker Huh, I thought you can't go into scopes in devtools...
I also didn't know that JavaScript had private methods...

How could you change something in a scope though?

xxpertHacker (606)

@Baconman321 There's always more to learn/know :)

Dev tools allow more control over JavaScript than JavaScript itself.

Baconman321 (555)

@xxpertHacker Oh yeah, I found out. Pause debugger and then you can step in-out of functions. Still, wrapping things in an IIFE is good practice, especially if you are loading external scripts (which should already be wrapped in an IIFE, but still). Also, there isn't really a way (or at least an easily made way) for external scripts to go into scopes (unless you bring them into the scope), right?

Baconman321 (555)

@xxpertHacker Static just prevents you from accessing the property on instances (but it can be accessed in subclasses).
Also, what's the need for symbols (except that are all unique even if you have the info passed in)?

Baconman321 (555)

@xxpertHacker LOL I hope no one ever declares variables that way...
Technically I guess when you write it that way you are basically saying

myVar = "Hello, world!";
//basically window.myVar = "Hello, World!";

xxpertHacker (606)

@Baconman321

LOL I hope no one ever declares variables that way...

Still, wrapping things in an IIFE is good practice, especially if you are loading external scripts (which should already be wrapped in an IIFE, but still).

This sounds like the thinking of someone who wrote kiddie scripts in JavaScript ~15 years ago :/

This is bad practice.

That is not a variable declaration, that is property assignment.

iifes are 100% useless.

(function () {
    let x = ...;
    ... exec code ...
})();

vs

{
    let x = ...;
    ... exec code ...
}

Why in the world would you write the former!?

xxpertHacker (606)

@Baconman321

Static just prevents you from accessing the property on instances (but it can be accessed in subclasses)

Umm... no, it can't be accessed in subclasses.

It can be accessed anywhere inside the class, but only in the class, including instances.

Symbols: privacy & branding.

xxpertHacker (606)

@Baconman321

for external scripts to go into scopes (unless you bring them into the scope), right?

:/

https://repl.it/talk/learn/The-Modern-JavaScript-Tutorial-Series-Part-2/81460

Baconman321 (555)

@xxpertHacker Oh you can wrap everything in {} now?
Huh, well I guess I learned JavaScript from an older tutorial. Still, I use IIFES for something like event.respondWith() because it takes a response instead of a function so I run a function to return a response. Still, I like em.

Baconman321 (555)

@xxpertHacker Huh I got the info straight from stackoverflow. Must be an older version or I read it wrong :/

Imagine using Classes in JavaScript

xxpertHacker (606)

@Baconman321 Umm... yup, you can wrap everything in { ... } for like... the last 6 or 7 years?

Even works on I.E., so yeah, it's old.

Just make the surrounding callback async and you won't need the iife :/

xxpertHacker (606)

@Baconman321 Stackoverflow is the most outdated place I've ever been to. Please don't use them for remotely modern code.

Baconman321 (555)

@xxpertHacker It doesn't like it if I put anything before the event.respondWith(). Plus, I think IIFE's are important. Oh well.
Most of the weird stuff in JavaScript is the side effect of having such weird syntax and rules.

Baconman321 (555)

@xxpertHacker LOL if you're searching for an answer by a search engine, yes.
I think they just point new answers to old ones that's the problem.

Plus, where would I get a modern tutorial?
Mozilla?
I tried learning web audio API from them but epically failed (I guess I don't know enough about music or anything related to music. Plus it's all linked to each other so I didn't know where to start).

xxpertHacker (606)

@Baconman321

Most of the weird stuff in JavaScript is the side effect of having such weird syntax and rules.

JavaScript can be as simple or as complex as you make it.

Imho, I keep it simple, and everyone else (you included) prefer to take the most roundabout ways of doing anything. But, maybe I'm wrong, who knows?

xxpertHacker (606)

@Baconman321

Plus, where would I get a modern tutorial?

https://javascript.info didn't seem that old? I never used it though, so idk, I'd have to really check it out.

Otherwise, such a place doesn't exist. Honestly, I think most of what I know is from V8 developers showing off that they can execute bleeding edge code, that and TC39, lol.

Baconman321 (555)

@xxpertHacker Since there are so many ways of learning JavaScript, there are some people who still think of making their own iteration instead of using .forEach() on arrays.
I learn much from stackoverflow because it's the one major resource that isn't blocked (I hate my school's firewall). Honestly I'm a pretty bad coder because I have so little resources.

Baconman321 (555)

@xxpertHacker I used javascript.info for learning about indexedDB. They are pretty good, yeah. As with the older code, it's perfectly fine to use it. It's also easier to make it more compatible (but I have mixed older stuff with newer stuff so not really anymore XD).

xxpertHacker (606)

@Baconman321

Since there are so many ways of learning JavaScript, there are some people who still think of making their own iteration instead of using .forEach() on arrays.

Well... okay yeah, then again I use asynchronous recursive yielding... ex: http://repl.it/@xxpertHacker/Thread, lol, code like that is way too "different" from the average JS.

I learn much from stackoverflow because it's the one major resource that isn't blocked (I hate my school's firewall).

I've been trying to get past my school's blocking extension for the last ~3 hours this morning, almost did it, then the site I made it to said something wasn't working correctly :)

Honestly I'm a pretty bad coder because I have so little resources.

I don't remember where I learned half of what I have, I just learn it and continue.

Iirc, I started at FCC and checked out stuff from https://web.dev... and listened to other coders that I know, ofc.

Baconman321 (555)

@xxpertHacker I could easily bypass my school's firewall, but then they would just get mad at me and take away the devtools (I think they don't know I have it).

xxpertHacker (606)

@Baconman321 I wish I had devtools right now...

Baconman321 (555)

@xxpertHacker Wait you don't?
How do you even bypass the school's firewall?
My firewall is just a chrome extension...

xxpertHacker (606)

@Baconman321 So is mine.
At this point, I really can't, they've caught on and stopped most of what I've done.

How do you bypass yours?

Baconman321 (555)

@xxpertHacker I can use devtools probably to stop the extension's execution.
Also, it only blocks web searches and iframes (and websites).
I just fetch the website through no-cors and post it as a srcdoc instead of src in an iframe.
Of course, some resources won't load, but useful for reading a website like, say - developer.mozilla.org.

Wait, do you have goguardian?

xxpertHacker (606)

@Baconman321

Wait, do you have goguardian?

Ugh, yes.

A better way would be to open the fetched result in its own tab as a Blob, ex: https://repl.it/talk/learn/Phff-js-for-const-url-p/79171/365888 (doesn't fetch external resources)

Still, doesn't work for sites that I care about.

Repl has a few proxies around here, most are bad.

Baconman321 (555)

@xxpertHacker XD I bet you don't go to our school (would be a huge coincidence).
We should make an "unblocker" called
goguardian-goaway
XD

Also, I don't think it works well for webpages (the unblocker) because a lot of things are relatively linked meaning it won't work right?

Also, our school is super protective so if I try anything they know immediately.

xxpertHacker (606)

@Baconman321 That's why I said

(doesn't fetch external resources)

My school is "protective" too, but they're... slow, like, they're delayed in all of their actions, and their tech team is 100% incompetent.

Baconman321 (555)

@xxpertHacker XD wish I had a school like urs.

Baconman321 (555)

@xxpertHacker

#include <iostream>
int main() {
  int* ptr = NULL;
  std::cout << *ptr;
}

Annoyance intensifies

...That's a null pointer, right?

xxpertHacker (606)

@Baconman321 Ugh, no, get that C out of here.

#include <iostream>

int main() {
    decltype(auto) pointer = static_cast<int signed const * const>(nullptr);

    decltype(auto) number = *pointer;

    std::wcout << number;
}

https://repl.it/talk/ask/Whippingdot-One-thing-I-know-is-that-C/112204/406279

Baconman321 (555)

@xxpertHacker That was C++.
Also, what is wcout?
And autp?

xxpertHacker (606)

@Baconman321 Fixed "autp" immediately after posting, reload it.

Also, no, NULL is C, not C++.
I can write a C program and compile it in a C++ compiler, it doesn't mean that it's C++, it's still C.

Baconman321 (555)

@xxpertHacker K.
Hmm, just replace NULL with 0 then (since they are the same)?

Baconman321 (555)

@xxpertHacker Y?
LOL why are null pointers so bad? You could easily crash your program in many other ways (ok, well most wouldn't get compiled that's the best part about compiled languages).

In fact, ironically they can actually be pretty useful.

Baconman321 (555)

@xxpertHacker Yo sometime wanna make a web server in C++?
We can define TCP sockets (and we can have fun reading the RFC 2616 hypertext transfer protocol documentation).
:D
I tried making a little C++ repl that used structs. Caught on pretty quickly so I'd like to actually try to learn C++ a bit more.

Baconman321 (555)

@xxpertHacker U used a library tho. Right?

I want to try making a C++ web server but IDK where to start.
:(

xxpertHacker (606)

@Baconman321 Of course, you can see my response to others attempting to make an entire server library here:

https://repl.it/talk/ask/Seg-fault/87284

I practically bullied them for making the server...

xxpertHacker (606)

@Baconman321 By merely having null pointers in a language, you screw over the entire language and every single person who uses the language.

Just don't introduce them at all and everything would be much better.

Baconman321 (555)

@xxpertHacker I didn't get it :(
Hmm do I have to use an http server library or can I define it myself
Or is it too much work to even think about.

How da heck do u know so much about C++???

xxpertHacker (606)

@Baconman321

I didn't get it :(

I told them not to make the server, and that they're wasting their time by making the server instead of already having a lib. Don't recreate the wheel, especially if you can't out do the current wheel.

Hmm do I have to use an http server library or can I define it myself

Libraries exist to be used.

Or is it too much work to even think about.

It's a lot of work, have fun setting up those HTTP sockets on your own, and then there's the WebSockets, and make sure every file is sent in parallel, and it better be using HTTP 2 protocol or it's just outdated, and lastly, make sure not to use an invalid reference or pointer, or you'll crash.

And to top it off, make sure your threads don't deadlock or cause a race, and cache as appropriate. Good luck!

Oh wait, one more thing, make sure to use a thread pool, and distribute the workloads correctly across the threads.

Baconman321 (555)

@xxpertHacker Hmm, yeah I guess I'll use a library for now.
Is there any good tutorial for starters (I can catch on to the commands I bet)? Also I can't find a good web server library.

Also I heard there's problems with keeping the connection open (an attacker can open a connection an infinite amount of times causing it to crash), but I bet that's if I was to make my own http server from scratch.

Yeah, C++ is too low level for anything useful except where major performance is needed, and Golang is pretty good for that.

Baconman321 (555)

@xxpertHacker (Forgot to tell u) If you have control over your internet all you have to do is make the connection for goguardian's redirect time out. If goguardian's blocked page can't load then it can't redirect. I found out this because my dad blocks new connections to "shut off the internet". The school blocks ip addresses but I had one set up on my chromebook. When I had the internet on (but not "connected") and went to the ip address it didn't redirect because goguardian couldn't load the blocked page.

xxpertHacker (606)

@Baconman321 o_O Cool, block GG's IP and I'm free, nice to know.

But... we use this too, it's what does the actual unblocking over here, GG is used just for spyware :/

Baconman321 (555)

@xxpertHacker XD goguardian actually took away the keystroke logger and all cuz school got sued for remotely taking pic of student and holding it for punishment. I actually made my own keystroke logger that works and all (hashes data before being stored in a LOG file tho).

Also securly rated 1 star XD (oh from students... makes sense).

xxpertHacker (606)

@Baconman321 Check the reviews :) Even I left one for them.

I made a keylogger too and didn't use it for anything ethical.

Baconman321 (555)

@xxpertHacker Yeah, any extension used for school blocking will get one star cuz kids.

Please say you didn't deploy the keylogger...
My case manager got mad at me for making the keylogger (had to tell her it was ethical). She emailed my parents XD (my parents already knew since I announced it proudly around the house).

xxpertHacker (606)

@Baconman321

Please say you didn't deploy the keylogger...

... good question, but let's leave it at that, just a question :)

Baconman321 (555)

@xxpertHacker XD probs ez to hack (u made it in JS right? I did cuz I can't run exe files cuz chromebook) and bypass.

xxpertHacker (606)

@Baconman321 Yeah, JS, but once the listener is attached, the code is bullet-proof, like most of my code.

Baconman321 (555)

@xxpertHacker How? You literally said yourself devtools lets yourself play god. Devtools gives u more control than JavaScript itself.

Ofc you could check if the listener is there and if it's not add a new one. I made it so once the page unloads (about to unload) it sends the data. Better way would set up web socket and send data every keypress or so often. OFC you could also block the connection client-side too (with firewall). Remember, there's always a way around if ur sending it over internet.

Wait is it an extension or userscript?

xxpertHacker (606)

@Baconman321 You're asking for too much information, that's classified.
Also, devtools do allow you to detach event listeners... but who says that I can't... reattach it? >:)

Now, I've got a Wasm generator to get back to, some Chromium bugs to check up on, a page to write, and a whole lot of other stuff to do.

xxpertHacker (606)

@Baconman321 Hey, there was that time that you thought that I used Wasm just for obfuscation, but I just exposed SIMD operations to JavaScript via Wasm, and it only uses numbers.

Mozilla has a simple explanation of what it is here:
https://wiki.mozilla.org/SIMD/Overview

I threw together a quick script to generate the Wasm here https://repl.it/@xxpertHacker/vect-lib

But... it generated 397 different operations, so... this will be a whole lot of typing for one person, if you know any TypeScript, do you wanna help me out?

Baconman321 (555)

@xxpertHacker That's exactly what I was thinking of. Check if the event listener is there if not attach it. Of course, still ways around it but still (I should add that to my keystroke logger).

Baconman321 (555)

@xxpertHacker Sorry I don't know typescript :(
I like plain ol vanillajs

xxpertHacker (606)

@Baconman321 Eventually it will literally become a war of how good are they at using dev tools, vs how bullet-proof can JS get?

xxpertHacker (606)

@Baconman321

I like plain ol vanillajs

😦... still not versed in statically-typed languages yet?

Baconman321 (555)

@xxpertHacker Huh, wintersp said that devtools has more control over javascript than javascript...

Baconman321 (555)

@xxpertHacker No I like statically typed languages (I found JS so easy now that I moved to statically typed, but I'll probably switch to thinking JS so hard), they are amazing!
It's just that I like coding in plain old JavaScript for now. I think I'll learn typescript though.

xxpertHacker (606)

@Baconman321 Yup, I said the same, it does. Btw, devtools allows one to observe + debug more than just JS, ex: Wasm and native operations (e.g.: C++).

xxpertHacker (606)

@Baconman321 Here's my opinion on TS, it's weird. Guess it's a hit or miss language, but coming from low-level languages, I hate its structural type system.

If you write TS and assume that I'll fix everything, you're likely mistaken, TS has a good number of loopholes built into the language itself.

And if you learn TS, it has no type casts. Talk about a statically typed language, all it has are unsafe type assertions and control flow.

Avoid them, use the runtime flow deduction instead, always.

if (typeof x === "number") {
    // use as a number
} else {
    // throw new TypeError?
}

You'll find that others agree (abstract, but related):

xxpertHacker (606)

@Baconman321 Totally random, and kinda late, but I figured out that you can just block the hardware backed certificates that your firewall's site + extension uses in chrome://settings/certificates

Baconman321 (555)

@xxpertHacker Oh cool. Yeah, but wouldn't it just redirect it and give you an error instead. You gotta make the connection time out so that it doesn't redirect.

But my school probs knows that so it probably forced the certificate for that. It probably just uses location.href and if you make a certificate error it will still redirect. Plus blocked.com-default.ws uses http and not https so it doesn't work for me :(

Lel what grade are you even in (just curious)?

xxpertHacker (606)

@Baconman321 Worked in my situation just fine, the extension itself needs a certificate, and mine in particular used hardware-backed Amazon certifications; I disabled them so their extension and site are blocked by Google Chrome itself, e.g. Chrome pops up that their site isn't safe.

Lel what grade are you even in (just curious)?

That's asking for too much.

Baconman321 (555)

@xxpertHacker Oh kk.

I'm assuming you're in somewhere from 8th-10th.
:D

Also, I can't find the certificate for mine so...
Oh well.

19wintersp (372)

This isn't really security, nor is modifying global variables "hacking" (ugh). If you're concerned about users cheating in a single-player game, you need a trusted authority (such as a server) to monitor the user. If you're using client-side control (like Player.setSpeed) in a multiplayer game, you have bigger problems.

Anyway, this can be bypassed. True, you won't just be able to put things straight into the console, but you can modify the source very easily, be that through downloading and hosting the code yourself, or by modifying it on-the-fly with a custom extension or one such as Tampermonkey.

xxpertHacker (606)

@19wintersp Time to make the counter-tutorial to this:

How to use browser dev tools to hack anything

@Baconman321 This is for you (and the rest of you all who think that scope can save you).

You're on Repl.it/talk/share and you see that someone has made a game...
"OOH, they just made a new game, it's so nice! They made high scores and everything! But, oh... wait!
I want my score to be Infinity >:)
...

You have to do it.

Baconman321 (555)

@19wintersp I meant more "exploiting" than hacking. Technically people put tools out for you to exploit things, so if you are using them you aren't "hacking" right? Yeah, I guess it isn't considered "hacking"... but you get the idea.
I never ever said this should be used for security. I updated this with a disclaimer explicitly telling people to never ever ever handle sensitive information client-side. This can include high-scores. It is still very hard to validate information because of how people can just manipulate the validation services. With tampermonkey, I didn't know you could modify things that easily with it (I just installed it though, so I'm still a newb). Can you modify things inside of a different scope with tampermonkey?

Either way, I never intended this to be a 100% secure (not even meant for security, just meant to make it harder to "hack" things (again, whatever you call it. I call it "hacking")) way because JavaScript is on client-side, which means, like you said, they can either download and host the manipulated script themselves, or modifying it with something like devtools.

19wintersp (372)

@Baconman321 Less hacking, more modifying.

If you want to actually validate this, you will need to have the frontend act as nothing but an I/O board. A server will do the actual processing. Even then, the only thing which is trustable is the server, as the output can be modified even easier.

You don't even need Tampermonkey to fiddle with scope. If you open your browser's DevTools, there will be a tab (labelled "Sources" in Google Chrome) which allows you to set up breakpoints in the code by clicking on the line numbers. If you set one inside of scope, and then the breakpoint gets hit, the Console will be inside of that scope. I'm making a tutorial with other tricks as well.
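
The "frontend as an I/O board" design from the comment above, as an added example that is not part of the thread: the client sends only movement intent and the server recomputes position and score, so a forged speed or score field has no effect. The map, MAX_STEP, the message fields and the class name are constructed for illustration.

```javascript
// Added example, not from the thread. Map layout, MAX_STEP and message fields are constructed.
const MAX_STEP = 5; // furthest a player may move in one tick
const COINS = Object.freeze({
  c1: { x: 3, y: 0, value: 10 },
  c2: { x: 6, y: 4, value: 25 },
});

class GameServer {
  #sessions = new Map(); // all authoritative state stays on the server

  join(id) {
    this.#sessions.set(id, { x: 0, y: 0, tick: 0, score: 0, taken: new Set() });
  }

  // The client sends intent only: "move to (x, y) on tick n".
  // Any other field, such as a self-reported score, is never read.
  handleMove(id, msg) {
    const s = this.#sessions.get(id);
    if (!s) return { ok: false, reason: "unknown session" };

    const { x, y, tick } = msg || {};
    if (!Number.isFinite(x) || !Number.isFinite(y) || !Number.isInteger(tick)) {
      return { ok: false, reason: "malformed message" };
    }
    if (tick !== s.tick + 1) {
      return { ok: false, reason: "replayed or skipped tick" };
    }
    if (Math.hypot(x - s.x, y - s.y) > MAX_STEP) {
      return { ok: false, reason: "moved too fast" };
    }

    // Accepted: update position, then let the server decide what was collected.
    s.x = x;
    s.y = y;
    s.tick = tick;
    for (const [coinId, coin] of Object.entries(COINS)) {
      if (!s.taken.has(coinId) && coin.x === x && coin.y === y) {
        s.taken.add(coinId);
        s.score += coin.value;
      }
    }
    return { ok: true, score: s.score };
  }

  scoreOf(id) {
    const s = this.#sessions.get(id);
    return s ? s.score : null;
  }
}

// Constructed message sequence: two honest moves, then three tampered ones.
function demo() {
  const server = new GameServer();
  server.join("p1");
  const replies = [
    server.handleMove("p1", { x: 3, y: 0, tick: 1 }),
    server.handleMove("p1", { x: 6, y: 4, tick: 2 }),
    server.handleMove("p1", { x: 1000, y: 0, tick: 3 }), // inflated speed
    server.handleMove("p1", { x: 6, y: 4, tick: 2 }), // replayed message
    server.handleMove("p1", { x: 6, y: 4, tick: 3, score: Infinity }), // forged score field
  ];
  return { replies, finalScore: server.scoreOf("p1") };
}
```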

Baconman321 (555)

@19wintersp

If you open your browser's DevTools, there will be a tab (labelled "Sources" in Google Chrome) which allows you to set up breakpoints in the code by clicking on the line numbers. If you set one inside of scope, and then the breakpoint gets hit, the Console will be inside of that scope.

Yeah, I found that out instantly. Also, the I/O board idea is interesting. Still, you can send data yourself - that's the problem. Yeah, still there are ways around it. I guess if someone tries real hard they can make server-side validation work.

Less hacking, more modifying.

Yeah, that's the word. Still, without permission I guess it could whizz by as "Hacking"

19wintersp (372)

@Baconman321 You're almost getting into the philosophical realm here, of the "What is true?" variety.

Why would you want to validate something on the client side? What are you trying to prove? What even is someone's score? Is it what the program [would have] legitimately produces? Is it the number in a screenshot? Why is this even important?

If some 10-year-old who's just discovered Inspect Element decides to change today's top news headline to "Butts lol", is that national news? Or if you were to see that, or a screenshot of it, does that mean the same?

Validating and attempting to authenticate the validity of something which a third party has more control of than you is ridiculous, and attempting to solve it will lead only to problems at the basic design level, because it is impossible.

Let's say that we have this black-box impenetrable function which spits out a player's score, to be displayed on the screen. If the element the score is displayed in is modified, the score could be anything. If this is sent to the server to be stored in a list of high scores, that request can be spoofed. The only real way of solving this self-blocking problem is to calculate the user's score on the server, store it there and never give it to the user. What use is that?

Baconman321 (555)

@19wintersp Yes, I knew that from the start. That's why my general rule of thumb is "never trust what is sent to the server".

I guess server-side would be much better. Thx for the "I/O" idea tho. I was thinking of all the possible ways to make something secure and didn't think of that.

Yeah I want to make a multiplayer game someday with a few people doing the actual game and me doing backend.

19wintersp (372)

@Baconman321

Thx for the "I/O" idea tho ... to make something secure

Not sure if you read my comment. You cannot solve this problem. It's not even a problem. The only person you can trust is yourself, so what even is a "score" if it's reported by a third party?

Baconman321 (555)

@19wintersp How do the big online games make score real then?

Or do they...
:thonk:
I'm not so much concerned about score, just not wanting to make someone have godspeed in a game going around reking everyone.

Heck, even Roblox is easy to hack if you have a DLL injector...

19wintersp (372)

@Baconman321

...easy to hack...

*TRIGGERED*


The online games don't, actually. You can modify them just as easily as you can a Repler's game. The issue is that JS and HTML require you to surrender source code, which means they are easier to modify than an application binary. You can still modify, and even decompile, binaries though; as soon as you give someone something, they can modify it. In fact, you could probably make a transparent image of a high score, paste it on top of the application, and anyone who sees it will see that. Is that modification? Effectively, yes: you cannot trust anything except yourself. If you want to have validated scores, you need to ensure that a user-reported score is not a score.

Imagine you're having a race, to see who is the fastest runner. There are several people (players) participating, and you time how long it takes for them to run a distance (their score). You know exactly how long each of them took, but you ask them to tell all of the spectators how long they took. They can all lie if they want, even if you knew. If this is the case, is what they say credible?

That's your issue. It's comparably easy to verify and generate scores, it's just the output layer which is the issue. I don't need to go to the trouble of accessing scopes if I can just edit p#user-score and screenshot it. You could verify them on the server, but if I'm allowed to say whatever I like as my score (Human Rights organisations get grumpy if I'm not), that doesn't matter. It just depends on what you class as a user's score. If they modify it, it's the same as just lying about it.

Baconman321 (555)

@19wintersp When I mean easy to hack, I mean you can literally download a DLL injector and if you know Roblox Lua you can probably start modifying code. Of course, you have to know the source code to do this but there are literally online websites giving away codes to hack Roblox.
As for the score part, yeah I see what you mean. Makes so much sense now that I think about it.

Makes enough sense just measuring how much time I was pondering over how to make it secure

Again, I don't want a score validator. I just don't want someone to go god-mode on me.
I think the big games are so complex most of the "Hackers" give up. Of course, there is always code obfuscation.
Before you shoot me down for saying that, yes I know code obfuscation can be reverse-engineered (of course it can be, if the computer can read it most likely you can read it too with some effort).
I think that's why I don't see many hackers when I play a game like shellshock.io or something.

19wintersp (372)

@Baconman321

I'm not so much concerned about score, just not wanting to make someone have godspeed in a game going around reking everyone.

Okay, here's the thing. You need a server if you want to validate user input, because JavaScript is at the mercy of the browser, and the browser is subject to the user if they're clever enough. Unfortunately, that proves unwieldy in a single-player game because it induces unnecessary* latency and setup.

In a multiplayer game, where one user's actions will influence others, modifications will have consequences. I have seen some surprisingly well-written games which send raw user input to the server, rather than position and state data. Here, the server is acting as the processor of input. Unfortunately, that's not enough. You also need to add a system to stop a "human" from having a CPS of Math.Infinity. However, once you've enacted limits (which assume an average and maximum for a human, which either prevents good players from being good or lets bots be slightly better, but still better than average, however that's another can of worms), you can properly restrict cheating. In fact, that's how it always works.

For example, in "Minecraft", there is no need to restrict a user's modifications in Singleplayer mode. They can hack**, and cheat, and modify the client in whatever way they want, and we can mock them for having no life. If they are playing on a multiplayer server, on the other hand, all the client sends are input and basic position data, and the server will detect cheating behaviour such as excessive speed.

*Depends on the game

**I use that word here as I am told it is the technical term used by the community
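
Added example, not part of the thread or of any game mentioned in it: a sketch of the server acting as the processor of raw input, as the comment above describes. The message shapes, function names and numeric limits are assumptions made for illustration.

```javascript
// Server-authoritative input handling: the client sends raw inputs only,
// never positions or scores. All limits are assumed values.
const MAX_CLICKS_PER_SEC = 20; // assumed ceiling for a human player
const SPEED = 5;               // units per second the server allows
const MAX_STEP_MS = 100;       // longest movement step credited per message

function createPlayer() {
  return { x: 0, y: 0, score: 0, lastMoveAt: null, clickTimes: [], flags: [] };
}

// msg (hypothetical shape): { type: "move", dx, dy } or { type: "click" }.
// now is the server's own clock in ms; client timestamps are never used.
function handleInput(player, msg, now) {
  if (msg.type === "move") {
    // Only a direction is taken from the client, reduced to -1, 0 or 1,
    // so dx: Infinity or dx: "abc" cannot change how far the player moves.
    const dx = Math.sign(Number(msg.dx) || 0);
    const dy = Math.sign(Number(msg.dy) || 0);
    const elapsed = player.lastMoveAt === null
      ? 0
      : Math.min(now - player.lastMoveAt, MAX_STEP_MS);
    player.lastMoveAt = now;
    const len = Math.hypot(dx, dy) || 1; // diagonals are not faster
    player.x += (dx / len) * SPEED * (elapsed / 1000);
    player.y += (dy / len) * SPEED * (elapsed / 1000);
    return true;
  }
  if (msg.type === "click") {
    // Sliding one-second window of accepted clicks.
    player.clickTimes = player.clickTimes.filter((t) => now - t < 1000);
    if (player.clickTimes.length >= MAX_CLICKS_PER_SEC) {
      player.flags.push({ at: now, reason: "click rate" });
      return false; // dropped: no score is awarded
    }
    player.clickTimes.push(now);
    player.score += 1; // score exists only in server state
    return true;
  }
  // Anything else (for example a "setScore" message) is refused and recorded.
  player.flags.push({ at: now, reason: "unknown input" });
  return false;
}
```

The `flags` array gives the server a record of rejected input that it can review or act on, instead of silently discarding it.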

EpicGamer007 (1211)

Very useful. thanks :)

ch1ck3n (153)

but is there a way to make devtools interact with the function scope or something

xxpertHacker (606)

@ch1ck3n Yes, refer to what me and #19wintersp have said

Baconman321 (555)

@ch1ck3n Apparently, yes. Still, I never intended this to be a way to foil "all" plans. You should never think of JavaScript as "secure" because it is run on the client-side, meaning the user has tons of access (more than you think) to manipulation tools to manipulate the script.

tussiez (545)

Great tutorial! I think this will help a lot of Repl.it users using JavaScript make their games a bit more secure :)

Baconman321 (555)

@tussiez LOL I just hacked kobe's remake of the apoc game to make the bullet speed OOF itself