The best way to secure posting data to a URL from Java

I am developing a small game (in Java) for a coursework and the extension I have decided to do is an online score board. As I thought might happen, a few people on my course have figured out how to hack the score board and submit their own scores.

I know there are a few problems in the current way of submitting scores, but here it is. The game generates a score, then does an HTTP GET on a URL with the options of the players ID, the score and a password.

I might change this to be a POST as it might be more difficult to get the data for the password. Also, I am considering making it run over HTTPS (although I don't know if this is more difficult in Java). Unfortunately, this doesn't stop the main way that people found the password, which was by decompiling the Java code.

I don't know the best way to prevent the hacking. I don't mind too much really, it's not that important, but it would be nice to secure it so when the code is marked it doesn't have a load of spam on it.

What would be your suggestions on ways to obfuscate the code and/or secure the whole process?

danpalmer asked Dec 22 '22 19:12


2 Answers

Your approach simply doesn't work. When you need to secure something, you can't run it on the client.

Instead, the whole game must run on the server and users can only submit moves. That way, you can validate the moves (so players can't create illegal states) and calculate the correct score.

Everything else can always be hacked. If you don't encrypt the data, it can be hacked by using a network sniffer. If you use HTTPS, hackers can use a proxy to decode the data (man in the middle attack).

Aaron Digulla answered Jan 04 '23 15:01


What one can do is change from anonymous to user-based tracking. This does not prevent faking, but makes it more trackable.

The basic protocol could be that a score board change is signed or encrypted using a session key. The session key is created upon logon of the player itself. Here you can work using an appropriate authentication system.

Now at least you know from which account a change has been made and can blame your student...

mtraut answered Jan 04 '23 15:01
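The two answers above fit together: the server holds the game state and computes the score (Aaron Digulla's point), and each submission carries a tag under a per-session key issued at login so the server knows which account made it (mtraut's point). The following is an added example written for this page; it is not code from either answer or from the asker's game. The class, method and field names (`ScoreServer`, `login`, `tagMove`, `submitMove`, `Session`), the toy "collect a coin" game rule and the sample account are all constructed for illustration, and `Map.of` assumes Java 9 or later.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example, not from the original thread: an authoritative score server. The client
 *  never sends a score; it sends moves, each tagged with an HMAC under a per-session key
 *  handed out at login, so every change is attributable to an account and every score
 *  is computed from moves the server itself judged legal. Names are hypothetical. */
public class ScoreServer {
    // Constructed sample account; a real system stores salted password hashes, not plaintext.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "correct-horse");
    private static final int COINS_PER_GAME = 5;  // toy rule: only five collectable coins exist

    private final Map<String, byte[]> sessionKey = new HashMap<>();   // sessionId -> HMAC key
    private final Map<String, String> sessionOwner = new HashMap<>(); // sessionId -> player
    private final Map<String, Integer> coinsLeft = new HashMap<>();   // sessionId -> server-held game state
    private final Map<String, Long> lastCounter = new HashMap<>();    // sessionId -> last accepted counter
    private final Map<String, Integer> scores = new HashMap<>();      // player -> authoritative score
    private final SecureRandom rng = new SecureRandom();

    /** Result of a successful login: the id and key the client uses to tag its moves. */
    public static final class Session {
        public final String id; public final byte[] key;
        Session(String id, byte[] key) { this.id = id; this.key = key; }
    }

    /** Login creates the session key; the key is random per session, never a constant in the jar. */
    public Session login(String player, String password) {
        if (!password.equals(PASSWORDS.get(player))) return null;
        byte[] key = new byte[32]; rng.nextBytes(key);
        byte[] idBytes = new byte[16]; rng.nextBytes(idBytes);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(idBytes);
        sessionKey.put(id, key); sessionOwner.put(id, player);
        coinsLeft.put(id, COINS_PER_GAME); lastCounter.put(id, 0L);
        return new Session(id, key);
    }

    static byte[] hmac(byte[] key, String msg) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Client side: tag a move. The counter must strictly increase so a captured tag cannot be replayed. */
    public static String tagMove(Session s, long counter, String move) {
        return Base64.getEncoder().encodeToString(hmac(s.key, s.id + "|" + counter + "|" + move));
    }

    /** Server side: verify the tag, reject replays, then apply the move against server-held state. */
    public boolean submitMove(String sessionId, long counter, String move, String tag) {
        byte[] key = sessionKey.get(sessionId);
        if (key == null) return false;                                   // unknown session
        byte[] expected = hmac(key, sessionId + "|" + counter + "|" + move);
        byte[] given;
        try { given = Base64.getDecoder().decode(tag); } catch (IllegalArgumentException e) { return false; }
        if (!MessageDigest.isEqual(expected, given)) return false;        // wrong key or tampered move (constant-time compare)
        if (counter <= lastCounter.get(sessionId)) return false;          // replayed or out-of-order move
        lastCounter.put(sessionId, counter);
        String player = sessionOwner.get(sessionId);
        if (!move.equals("collect")) return false;                        // the toy game has a single move type
        int left = coinsLeft.get(sessionId);
        if (left == 0) return false;                                      // illegal state: no coins remain to collect
        coinsLeft.put(sessionId, left - 1);
        scores.merge(player, 10, Integer::sum);                           // score is computed here, never read from the client
        return true;
    }

    public int scoreOf(String player) { return scores.getOrDefault(player, 0); }

    public static void main(String[] args) {
        ScoreServer server = new ScoreServer();
        Session s = server.login("alice", "correct-horse");
        for (long c = 1; c <= 7; c++) {                      // seven attempts; only five can legally succeed
            boolean ok = server.submitMove(s.id, c, "collect", tagMove(s, c, "collect"));
            System.out.println("move " + c + " accepted=" + ok);
        }
        // A tag made with the wrong key and a replay of an already-used counter are both refused.
        Session wrongKey = new Session(s.id, new byte[32]);
        System.out.println("wrong key=" + server.submitMove(s.id, 8, "collect", tagMove(wrongKey, 8, "collect")));
        System.out.println("replay=" + server.submitMove(s.id, 3, "collect", tagMove(s, 3, "collect")));
        System.out.println("alice score=" + server.scoreOf("alice"));
    }
}
```

The design mirrors the caveat in both answers rather than contradicting it: the session key still lives in the client's memory, so someone who decompiles or debugs the game can still produce valid tags. What they cannot do is submit a score directly, exceed the five coins the server believes exist, or replay a captured move, and whatever they do submit is tied to the account they logged in with. Over a plain HTTP GET (as in the question) the tag and the move are visible on the wire, so this should still be combined with HTTPS, and `login` is a placeholder for a proper authentication system with hashed credentials.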