A brief explanation on how to exploit the glory of scope in JavaScript
Baconman321 (807)

@persassy2109 This is for you (and the rest of you all who don't know the wonders of scope).


There exists a way to get around this in devtools. Of course, the average person playing your game (unless you post it in a coding group like this website...) will not know how to access it at all. Of course, it offers some protection to noobs (like me) who don't know how to use devtools correctly.

Even so, it is a good idea to wrap code in an IIFE to prevent polluting global scope (which I don't think the scripts themselves can travel into scopes) especially if you are importing external scripts (which still should either be a module or be inside an IIFE themselves). Since JavaScript is executed on client-side, the user can see both the source code of your application and be able to manipulate the code either with devtools or something else.


Anyways, moving on...

You just made a game...

"OOH, I just made a new game, it's so nice! I made high scores and everything! But, oh... wait! Someone got a score of infinity! How is that possible??? I'VE BEEN HACKED, HOW IS THIS POSSIBLE?!"
Easy, you just call the function that sets the high score and pass in infinity. I'm disappointed that people today don't know how to exploit scope in JavaScript. What's next, y'all won't know how to use private methods (actually I've never even touched a class outside of JavaScript, but I still know what that is!)?
Today guys (and girls, gotta include everyone), I will show you how to prevent (for the most part) exploits by devtools (or other console tools). Note that this is not 100% efficient and you still should follow all other rule of thumbs for making a safe and secure game (like anti-XSS methods. Actually if you unwillingly allow XSS the point of this tutorial could be made useless). Well, let's get into it then! Onward.

Did you know JavaScript has classes? Pretty cool right?!
A teeny tiny problem though, it doesn't support private methods or values! Now anyone can access those methods and change the values (like Player.playerSpeed for example)... right?
"Oh, no! How do I fix this?!", you might say.
While JavaScript may not support private methods (method is a fancy word for a function inside a class or object) or values, you can always make them private because of this one thing (a wonderful thing) called scope!
Note that I include very simple examples here because I, too am fairly new to this. Anyways, Onward Ho!

Now, imagine you have a game. In your game you have a Player object that stores and controls information on the player. You have a Player.setSpeed() method that you use for when the player gets a speed power-up. You post it on repl share, and it gets trending! But then, oh! Kobeff (sorry kobe, just teasin u ;D) has shown a pic of him modifying the player speed by calling Player.setSpeed() and passing in 1,000. Now he can zip around like flash and pass all the monsters in a breeze!
How do you fix this to prevent the mighty Kobeff (sorry Kobe... again) from Oofing your game? One very simple thing is to wrap all your code in an IIFE (immediately invoked function expression). Here's an example of code wrapped inside an IIFE:

   console.log("Look ma, I'm trapped inside a function!");

An immediately invoked function expression is just what it sounds like: a function that is immediately invoked.
"Why might this be of any help to me?" you may ask.
Well, it all has to do with scope.
What is scope?
According to wikipedia:

In computer programming, the scope of a name binding—an association of a name to an entity, such as a variable—is the part of a program where the name binding is valid, that is where the name can be used to refer to the entity.

Wow, even I don't fully understand this? What does it mean?
Imagine you have a safe. It is super locked. Inside the safe, imagine each of the objects came to life. Each object can interact with each other, but another object that came to life outside the safe, say... a tin soldier, can't interact with those people inside the safe. Now, replace the safe with a function and the objects with variables or other storage methods and you got yourselves the meaning of scope.
Devtools interacts with the global scope. Global means the very highest scope. If you define a function in the global scope and you console.log the window object, you will see that that function is bound to the window AKA global scope. But, if you make a function inside a function, that innermost function has the scope of the outer function.

Functions inside a function inherit all the outer function's variables. That is why this is perfectly valid:

let globalVar = "Hello from the global scope!";
function outerFunc(){
//Will log "Hello from the global scope!"

However, you cannot access a function's scope from outside of it.

function outerFunc(){
   let secret = "Hehe, I will never be exposed!";
//Will give "undefined"

Of course, there are exceptions. Remember how I said that a function can inherits all of the outer scope's variables and objects and such?
Well, you can also change the outer scope's variables from inside a function.

let globalVar = "I am global!";
function changeVar(){
   globalVar = "Hehe, I am secret... right?";
//Will log "Hehe, I am secret... right?"

Another thing to note:
since JavaScript allows you to declare variables without a var const or let keywords, you have to watch out for the scoping of declaring a variable without a declaration keyword, because if you declare a variable without a variable declaration keyword (like let or `var), you will automatically bind it to the global scope! For instance

function globalVar(){
   myGlobal = "This is global";
//Will log "This is global";

Of course, there are probably a few more rules... but that is your daily dose of basic scope understanding.
If you want to read more about scope, try this mozilla article!
Now, go make your game untamperable (ok, somewhat untamperable... don't forget to follow the other security methods)!

Now the mighty kobeff cannot mess with your game

You are viewing a single comment. View All
xxpertHacker (785)

@Baconman321 Totally random, and kinda late, but I figured out that you can just block the hardware backed certificates that your firewall's site + extension uses in chrome://settings/certificates