Student of Hogwarts

Reputation: 1138

How to detect cracked JS validation?

I have a website with a quiz on it. The users cannot gain anything directly from doing well on that quiz, but they can share their result on Facebook and Twitter.

The problem is that I can't figure out how to check if the answer is correct or not. After each question, the user should be able to restart or continue if they got it wrong, or it will automatically continue if the user got it right.

If the check is done server side, the user has to wait for a second after submitting the answer before either the next question pops up or the two alternatives pop up. However, if I do it on the client side, there will be no delay and the users will be happier.

So there isn't very much to gain from cheating, but people will certainly do this to show it off on Facebook and Twitter.

So, is there any way to do spot checks or any other method of DETECTING users cheating on the client side? Or do I simply have to decide where I want to do the validation?

Upvotes: 0

Views: 202

Answers (1)

Freedom_Ben

Reputation: 11953

No, you cannot prevent cheating if you do validation on the client side. You can make it a little harder, but at the end of the day you do not control the user's browser, and your code must be executable. Unless you take extra steps, it would be easy to cheat simply by viewing the page source and looking at the code for the correct answer. If you care about cheating, do all the validation on the server side. Use AJAX to create a seamless user experience during the validation. A couple of seconds of waiting for an AJAX request is not bad, and will not create a poor user experience.

If you are dead set on client side validation, one trick that will make it a pain in the behind for an attacker is to obfuscate the JavaScript routine. If you wrap an obfuscated code generator into a JS eval function call, the attacker will have to de-obfuscate it before they could determine the "correct" answer to the question. This is easily done using SpiderMonkey, but it would thwart the script kiddies and the lazies. Your idea of using a wrong answer here and there may be good as well, when paired with the obfuscation.

At the end of the day though, I wouldn't do any validation client side at all. Use the AJAX/server side combo to create a good experience for your users that is also fair.

Upvotes: 2
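
The server-side check recommended in the answer above, sketched as an added example that is not part of the original question or answer. The quiz data, the in-memory session store and the function names are assumptions made for illustration; `sessionId` is assumed to come from whatever cookie-based session layer the site already uses.

```javascript
// The answer key exists only on the server (constructed sample data).
const QUIZ = [
  { id: 'q1', text: 'What is 2 + 2?', choices: ['3', '4', '5'], answer: '4' },
  { id: 'q2', text: 'Capital of France?', choices: ['Paris', 'Rome'], answer: 'Paris' },
];

// Per-session progress; an in-memory Map stands in for a real session store.
const sessions = new Map();

// Strip the answer before anything is serialised for the browser.
function publicQuestion(index) {
  const q = QUIZ[index];
  return q ? { id: q.id, text: q.text, choices: q.choices } : null;
}

// Called when the user starts or restarts: progress and score are reset.
function startQuiz(sessionId) {
  sessions.set(sessionId, { index: 0, score: 0 });
  return { question: publicQuestion(0) };
}

// Body of the AJAX endpoint; `body` is the parsed JSON the browser posted.
function handleAnswer(sessionId, body) {
  const state = sessions.get(sessionId);
  if (!state) return { status: 403, error: 'no active quiz' };
  const current = QUIZ[state.index];
  if (!current) return { status: 409, error: 'quiz already finished' };
  // Only the question the server is waiting on is accepted, so a client
  // cannot skip ahead, resubmit an earlier question, or report its own score.
  if (!body || body.questionId !== current.id || typeof body.answer !== 'string') {
    return { status: 400, error: 'unexpected question' };
  }
  const correct = body.answer === current.answer;
  if (correct) state.score += 1;
  state.index += 1;
  const next = publicQuestion(state.index);
  // The page uses `correct` to auto-continue or to offer restart/continue.
  return { status: 200, correct, next, done: next === null };
}

// The result offered for sharing is read from server state, never from the client.
function shareableScore(sessionId) {
  const state = sessions.get(sessionId);
  if (!state || state.index < QUIZ.length) return null;
  return `${state.score}/${QUIZ.length}`;
}
```

The page only ever receives question text, choices and a true/false verdict, so viewing the source or editing the script reveals nothing about the next answer.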
