Verifying Client authenticity

Question

I have built a game in HTML5 and a web form posts data to a server.

The scores in the game are calculated using Javascript, and the form posts the data to the server.

Won't this architecture be vulnerable to an attack, where the client can be modified, such that it posts rogue values instead of the calculated scores?

How can I prevent this from happening?

Answer 1

To keep things short - you need to do all of your verification server-side. There no problem using client-side scripts to keep things looking good, but you cannot trust anything from the client.

Take Stackoverflow as an example. When you vote it is instantly calculated client-side (to keep things nice and quick) but it is properly validated by the server once submitted.

For example if I attempt to upvote my own answer the server rejects it with the following JSON:

{"Success":false,"Warning":false,"NewScore":0,"Message":"You can't vote for your own post.","Refresh":false}

even though the javascript happily submitted it.

Therefore you also need to calculate your game scores server-side.

Answer 2

Don't trust user inputs, especially trough a form they might perform SQL injection as you send data to your server. (see also How can I prevent SQL injection in PHP?)

Try to verify as much data as possible server side.

Seeing that you also use javascript watch out for javascript injection (http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/Javascript-Injection) as they can inject changes into ur script (e.g. score value)