阻止用户从控制台执行JavaScript
[英]Stop user's executing JavaScript from console
问题描述
I've been mucking around creating a little multiplayer game using HTML5 technologies. 
我一直在努力创建一个使用HTML5技术的小型多人游戏。 I used Node.js and Socket.IO to manage server-side business. 我使用Node.js和Socket.IO来管理服务器端业务。
My problem lies in users being able to enter in their own JavaScript through the Chrome console (and various other consoles im sure). 我的问题在于用户能够通过Chrome控制台(以及各种其他控制台确定)输入自己的JavaScript。 For example, a user might enter this into the console: 例如,用户可以将其输入控制台:
socket.emit("new player", {user: username, x: localPlayer.getX(), y: localPlayer.getY()});
This would add a new player to the game. 这将为游戏增加一个新玩家。 What is the best way I should go about stopping this? 我应该采取什么样的方法来阻止这种情况? Is there a way I can catch these entries and simple deny them (followed by slapping the user around the face)? 有没有办法可以捕获这些条目并简单地拒绝它们(然后将用户扒在脸上)? It would be also good if I could stop them editing things like the GUI by changing variables, eg: 如果我可以通过更改变量来阻止他们编辑GUI之类的内容也会很好,例如:
gameStatus = "trolled lol troll client-side editing lol";
Thanks, Joel 谢谢,乔尔
3 个解决方案
解决方案1
12 已采纳 2013-05-19 18:45:40
You cannot do that. 你不能这样做。
You can never trust anything that comes from a client. 你永远不会相信来自客户的任何东西。
Even if you could somehow affect the console from your page, an attacker could write his own web browser (read: fork Chromium) and bypass your restrictions. 即使您可能以某种方式影响您的页面控制台,攻击者也可以编写自己的Web浏览器(阅读:fork Chromium)并绕过您的限制。
Or the attacker could simply handcraft HTTP requests without any browser at all. 或者攻击者可以简单地手动编写HTTP请求,而无需任何浏览器。
Instead, you need to validate everything on the server. 相反,您需要验证服务器上的所有内容。
Whenever any client does something, the server needs to check whether that client is actually allowed to do that. 每当任何客户端执行某些操作时,服务器都需要检查是否实际允许该客户端执行此操作。
解决方案2
0 2013-05-19 19:07:51
As noted by SLaks, there's no way to prevent someone from hacking and it's even more true for a javascript/html client as it is easier. 正如SLaks所指出的那样,没有办法阻止某人进行黑客攻击,而对于javascript / html客户端来说更是如此,因为它更容易。 There are ways to discourage or make it harder though as i said in my comment. 正如我在评论中所说,有些方法可以阻止或使其变得更难。 I am posting more suggestions 我发布了更多建议
- Obfuscate your javascript code 混淆你的javascript代码
- Use an encryption method and encrypt all your requests to your server before sending them using a key (make it hard to find the key) 使用加密方法并在使用密钥发送之前加密对服务器的所有请求(使其难以找到密钥)
- decrypt your request on server side using same encryption method and key as in the javascript client. 使用与javascript客户端中相同的加密方法和密钥在服务器端解密您的请求。
解决方案3
0 2013-05-20 10:43:08
What we mean about not trusting what comes from client side is doing exactly what you do when you create a form. 我们不信任来自客户端的内容的意思是完全按照您在创建表单时所做的操作。 You usually check post method, session, a unique token unrelated to the meaningful data you are sending - usually a hidden text input created on the server side and checked when form is submited. 您通常会检查post方法,会话,与您要发送的有意义数据无关的唯一令牌 - 通常是在服务器端创建的隐藏文本输入,并在提交表单时进行检查。 search validating and sanitizing form. 搜索验证和消毒表格。 On top of this you should encript the data for sending so it won't be possible to rebuild the structure using the network tab on chrome or firebug or even a proper traffic analyser. 除此之外,您应该记录发送的数据,因此无法使用chrome或firebug上的网络选项卡或甚至适当的流量分析器重建结构。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.