Chro

Reputation: 1013

How easy is it for a user/browser to manipulate Javascript?

I am wondering how easy it is for a user/browser to manipulate or execute Javascript code manually.

The reason I ask is that I am planning on making a browser-based game. I am using Javascript instead of Java because I want to make it accessible to as many platforms as possible.

Here is a general example of what I mean: the user might go to a game page. Several variables would be stored in JS such as, say, the player's health and strength values. The player might choose to attack a monster and the outcome is determined from several stored variables and a couple which were generated during the battle.

So would a player be able to manipulate the stored variables or call one of my JS functions (such as one which leads to an AJAX call being made)?

If so then how could I guard against it? I could verify each action with the server but that is bandwidth-intensive.

Upvotes: 1

Views: 2876

Answers (4)

sashozs

Reputation: 23

You might not protect against manipulating the real values, but you may make it a bit more complicated, by verification.

Here's what I mean. Let's say you're protecting the health value, and let's say it's named "helath". You declare another health value, let's say we name it "hcheck", but you do not make it equal to the health value. You give it an offset value of -52 or +786 or whatever... You might also store an xor-ed value or... be creative. Later, you simply check if the health value corresponds to the hcheck value, and if not, you decode the real value back into health.

Of course, you might salt it even more if you want it, with a third value that will be some kind of calculation between the health and hcheck values.

Let's be clear. This doesn't guarantee it will be 100% protected, but it will complicate the thing for novices, and more experienced ones will simply not want to waste their time when they see it's salted even with a third protection value (you may never know how many protection values/layers are there) :)

Oh, and if someone has the time and nerves to follow your lead and fix the values in every single variable, then they deserve to cheat ;)

Upvotes: 0

Niet the Dark Absol

Reputation: 324750

Hit F12, open the Console, hack away.

Anything in the global scope is vulnerable to modification.

However, by enclosing your game logic in a closure it becomes a LOT harder to access.

So:

(function() {
    // all your game code here
})();

This will prevent access to local variables. Just make sure you declare them all properly with var.

Also, make sure you obfuscate the code to make it harder to modify, and take special care when accepting communications such as highscore submissions. I like to encrypt mine with a made-up-on-the-spot method (such as converting from base 10 to base 42).

As much as possible, send the player's actions to the server and make sure they are valid. If you can, keep a state of the game on the server side - partly to check if the player is playing by the rules, but also as a side-effect you can resume the game if the user reloads the page.

All in all, you can't stop cheaters, but you can make it really hard for them.

Upvotes: 3
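
As an added example (not part of any answer on this page), server-side validation with authoritative state could look like this in Node.js. The function names, state shape and sample stats are hypothetical; the client sends only its intent and the server computes the outcome.

```javascript
// Added example: server-authoritative combat. All names here are hypothetical.
const { randomInt } = require('crypto');

// Authoritative state is held on the server (constructed sample data).
function newGame() {
  return {
    player: { health: 30, strength: 5 },
    monsters: { m1: { health: 12, strength: 3 } },
  };
}

// The client may only state intent; stats or outcomes it sends are rejected.
const ALLOWED_KEYS = new Set(['type', 'targetId']);

function applyAction(state, action, roll = () => randomInt(1, 7)) {
  if (action === null || typeof action !== 'object') {
    return { ok: false, error: 'malformed action' };
  }
  for (const key of Object.keys(action)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, error: `unexpected field: ${key}` };
  }
  if (action.type !== 'attack') return { ok: false, error: 'unknown action type' };
  if (state.player.health <= 0) return { ok: false, error: 'player is dead' };

  // Own-property lookup so "__proto__" or "constructor" never resolve to a target.
  const id = action.targetId;
  const known = typeof id === 'string' &&
    Object.prototype.hasOwnProperty.call(state.monsters, id);
  const monster = known ? state.monsters[id] : undefined;
  if (!monster || monster.health <= 0) return { ok: false, error: 'invalid target' };

  // The outcome uses server-held stats and a server-side roll only.
  const dealt = state.player.strength + roll();
  monster.health = Math.max(0, monster.health - dealt);
  let taken = 0;
  if (monster.health > 0) {
    taken = monster.strength + roll();
    state.player.health = Math.max(0, state.player.health - taken);
  }
  // The client renders this reply; its own variables are display-only.
  return { ok: true, dealt, taken,
           playerHealth: state.player.health, monsterHealth: monster.health };
}
```

Editing `health` in the browser console then changes only what that player sees, because the next reply from the server overwrites it.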

ninjagecko

Reputation: 91122

The only way to prevent cheating in this manner is to verify all actions with the server. Even if the players couldn't access all the javascript with the proper tools (which they can), they could just attack the system at the network level.

The only alternative is if javascript somehow acquired a trusted platform module API.

Upvotes: 0

tkone

Reputation: 22738

Have you ever opened your developer console? You have access to all the scripts running in the page. Anything loaded can be manipulated.

You can make it harder by running your code in a specific closure. This S.O. answer about closures might help clarify things: How do JavaScript closures work?

But since it's all client-side nothing is impossible if someone REALLY wants to get in there and change things to benefit themselves since JavaScript allows for runtime introspection.

Upvotes: 0
