PHP web game security overview

As a game developer myself, one of the biggest fears I have is that someone is going to end up hacking my game and ruining it for everyone else. So, seeing that I am a member of a PBBG game dev board (here), I posed the question to the community:

How do people cheat in web based games other than using bots? Do they manipulate URLs or text boxes? Or is it mainly exploiting bugs?

Not long after the question was asked, I received a reply from one known as Nerdmaster (site). Now, the following is not the be-all and end-all guide to securing your game, but it does a damn good job of outlining areas where common problems occur.

But before that I will tell you the best way to prevent hacking, which will be reinforced as you read the reply: don't trust user input. You must always make sure the player has supplied you with legitimate data.

As a long-time security hobbyist, I have learned a few minor tricks for exploiting web games, and I was very successful with Mobster World (as I already mentioned). The most important rule is NEVER trust anything user-submitted without validation. URL arguments, form arguments, cookies, etc are all *very* easy to manipulate.

In Mobster World, for instance, there was a place to go and buy guns. The page would load up a form, and you'd choose the gun you wanted. It did something with hidden fields to where your URL would just hit something like /buyweapon.php, and I guess the admin thought that made it secure. But if you looked at the form, it was sending across a few values. One was itemcost=xxx and one was weaponid=xxx. You could set itemcost to 1, and get any weapon for a dollar. These hidden fields were the worst kind of exploit because they would be so easy to fix – don't rely on the user to supply the price; look it up based on weaponid!

Another problem with that game stemmed from the messaging system. When you read a private message, it would generate a URL like this: "/messages.php?action=read&id=xxx". You could read *anybody's* messages this way, just by changing the id in the URL. This was a case where user-supplied input should have been validated (and eventually it was, but by then the game was being exploited so much, it was too little too late). A simple if block fixes this – if message id xxx doesn't belong to the currently-logged-in player (via session data or whatever auth method you use), DON'T SHOW IT!

Then there are the issues with things like pulling off jobs – when you went to the "big jobs" option, you usually had two options. One was going to be successful and one wasn't. By viewing the form, however, you could always tell which job would be successful. NEVER put that kind of data in the forms – you want to make random decisions happen only *after* the user decides what to do, never before.

Another issue is with SQL injection. In PHP this can be a problem because a lot of the examples you'll find on the internet don't properly handle SQL code. PHP has some stuff for automatically escaping quotes and such, but you can't always rely on the server settings for your app, so it's something you need to at least be aware of. I don't know enough about SQL injection, but in a lot of languages, you have access to special DB commands where you use a '?' in place of arguments and they get scrubbed by the DB layer so you never have to worry. If you have cookies that don't get auto-scrubbed by PHP, this kind of knowledge can be very important.

Another important tip is do *not* store simple information in cookies. For instance, say you want to know who is logged in but you obviously do not want the user to have to log in on every page. If you take the quick way out, you might have a cookie that holds the user’s id. Well, once a user realizes this, they just change the id and become anybody they want! Similar issues can arise with cookies that store session ids (since those map to the server-side data for logins), but generally it’s much much safer to use sessions for storing login credentials than using cookies.

A final tip is to be careful of XSS attacks. In Rails there is a function (I think it's from a Ruby library, not specific to Rails, but I don't recall which library) that auto-scrubs data to keep HTML out of user input. The issue here is that if your users can put in angle brackets ("<" and ">"), they can very effectively destroy the game for everybody else. In Mobster World, I used this technique to create a private message that would add a button to the form that seemed to be the normal "Delete Message" button. But when clicked, it would take that user to the "shoot another player" action, with a specific player id of somebody I wanted to torment. I never actually used this cheat, as I started feeling bad, but I tested it with a friend, and by cleverly constructing emails I could force players to take actions of any kind within the game. More malicious hackers can do a lot worse, such as hijacking passwords for other sites. I'm not sure how that happens, but the point is that you need to find a library in your language of choice that you use to scrub HTML out of user data. If there is data ANYWHERE in the game that one user enters and other users see, it *must* be kept clean of HTML. You could theoretically allow only certain HTML, but with all the very clever uses of HTML that can exist, I think it's safest to just not allow users to enter HTML. In my Rails game I use RedCloth (a Ruby library for the Textile markup system) to allow users to do formatting without having to worry about XSS attacks.

For an example of how easy it is to have dangerous XSS even when you think you're safe, watch this. This site's forums allow "safe" HTML. You cannot, for instance, do a <script> tag:

<script src="http://www.nerdbucket.com/js/common.js" type="text/javascript"></script>

But you can use some tags, such as bolding, as I just did. Well consider this – inside a bolded element you can specify onMouseOver behavior. Hover your mouse below and watch as I change the element text (only works in DOM-capable browsers):

or am I?';" id="foo" style="font-size: 150%">I'm a safe HTML tag.

If somebody more malicious wanted to, they could probably hijack cookies and passwords from this forum. (Obviously I’ll have to alert the admin).
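The first three points above (look the price up by weaponid, check that a message belongs to the logged-in player, and use '?' placeholders so the database layer handles escaping) can be done in a few lines of PHP. This is an added example written for this post, not code from the original reply or from Mobster World; the table and column names are assumed, and $db is assumed to be an open PDO connection with exceptions enabled.

```php
<?php
// Added example, not code from the original post or from Mobster World.
// Assumed schema: weapons(id, price), players(id, money),
// inventory(player_id, weapon_id), messages(id, recipient_id, subject, body).
// $db is an open PDO connection with ERRMODE_EXCEPTION; $playerId comes from
// the server-side session ($_SESSION), never from a cookie or form field.

function buyWeapon(PDO $db, int $playerId, array $post): string
{
    // The only input accepted is an integer weapon id; any itemcost field is never read.
    $weaponId = filter_var($post['weaponid'] ?? '', FILTER_VALIDATE_INT);
    if ($weaponId === false) {
        return 'Invalid weapon.';
    }
    $db->beginTransaction();
    // Price is looked up by id; the '?' placeholder keeps the id out of the SQL text.
    $stmt = $db->prepare('SELECT price FROM weapons WHERE id = ?');
    $stmt->execute([$weaponId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        $db->rollBack();
        return 'No such weapon.';
    }
    // Deduct only if the player can afford it; the WHERE clause makes the check atomic.
    $stmt = $db->prepare('UPDATE players SET money = money - ? WHERE id = ? AND money >= ?');
    $stmt->execute([$price, $playerId, $price]);
    if ($stmt->rowCount() === 0) {
        $db->rollBack();
        return 'Not enough money.';
    }
    $db->prepare('INSERT INTO inventory (player_id, weapon_id) VALUES (?, ?)')
       ->execute([$playerId, $weaponId]);
    $db->commit();
    return 'Purchased.';
}

function readMessage(PDO $db, int $playerId, array $get): ?array
{
    $messageId = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($messageId === false) {
        return null;
    }
    // Ownership is part of the query: a message not addressed to the logged-in
    // player does not exist as far as this handler is concerned.
    $stmt = $db->prepare('SELECT subject, body FROM messages WHERE id = ? AND recipient_id = ?');
    $stmt->execute([$messageId, $playerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Because the recipient check is in the WHERE clause, a guessed or altered id returns nothing rather than somebody else's message, and there is no separate "is this mine?" step to forget.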

Now that you have the basics of how some attacks are made, you may be wanting more specific examples with more detail. Well, you're in luck (as was I).
Not long after I asked this question, Nerdmaster wrote a much more detailed description using an example in his blog (here). If you want more details and examples of how people hack web (PBBG) games, you had best check that link.
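The XSS part of the reply boils down to one rule: anything one player types and another player sees gets escaped on output. The forum trick above also shows why a "safe HTML" allowlist has to reject attributes, not just tag names. The following is an added example for this post (not code from Nerdmaster or from the original forum) showing both: full escaping, and an allowlist that re-enables only bare, attribute-free tags.

```php
<?php
// Added example, not from the original post. Two output filters for text one
// player typed and another player will see (private messages, profiles, posts).

// Filter 1: no HTML at all. Every special character becomes an entity, so a
// message body can never start a tag or an attribute.
function escapeForHtml(string $userText): string
{
    return htmlspecialchars($userText, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Filter 2: "safe HTML" done the safe way. Escape everything first, then turn
// back only exact, attribute-free tags from an allowlist. A <b onMouseOver=...>
// never matches the literal "&lt;b&gt;", so it stays on screen as harmless text.
function allowBareTags(string $userText, array $allowed = ['b', 'i', 'u']): string
{
    $out = escapeForHtml($userText);
    foreach ($allowed as $tag) {
        $out = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $out
        );
    }
    return $out;
}

// Constructed sample inputs modelled on the tricks described in the reply.
$samples = [
    '<script src="http://example.invalid/x.js"></script>',
    "<b onMouseOver=\"this.innerHTML='or am I?';\">I'm a safe HTML tag.</b>",
    '<b>legitimately bold</b> text',
];
foreach ($samples as $s) {
    echo allowBareTags($s), "\n";
}
```

The first two samples come out fully escaped (the browser shows the tag text instead of running it), while the third keeps its bold tags.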

Getting started on web game dev

Have you ever wanted to create your own web game but were unsure how to go about it or what languages you would need to learn to do it? Or do you know what languages to use but not how to get them to work on your home machine? Well, this post should give you a starting hand.

Currently on the web, most browser-based (PBBG) games are written in PHP/MySQL. Yes, there are other languages used, but I will cover these first. Both PHP and MySQL are open source, meaning they are free and have a ton of online communities and support. Personally I am using them for the few games I am working on or plan on working on.

So, what is PHP? PHP, put simply, is a server-side scripting language which returns HTML to the client's browser. What this means is that PHP isn't run on the player's machine, but on your server. This gives a little security because players can't see your code, meaning they don't know passwords, variable names, or equations.

MySQL? MySQL is your database. It is the thing that stores your players' information, such as names, experience, and levels. You can even use it to record in-game money transfers, mail, friends, and any other form of information you would like to view later.

Now you hopefully have an idea what both of these can do for you. But how do you get server-side languages to work on your home PC so you can build and test? Well, the easiest way is to download and install WAMP if you are using a Windows PC. (Mac version: MAMP. Linux: a guide on setting up a LAMP stack.)

WAMP is Windows, Apache, MySQL, PHP. Basically it installs a server (Apache), which is needed since it turns your PC into a mini server, along with the PHP and MySQL files that interpret your scripts. After you have WAMP installed, you are good to go. Browse into your wamp directory and you'll see a folder called www. You will want to place your scripts there for testing. So let's say you write your first PHP script:

<?php
echo "Hello world";
?>

You save it out and drop it in your WAMP www folder. You go to your browser (no need to be online) and type in http://localhost/*name of file*

Creating databases is also pretty simple. Click on the WAMP symbol in your system tray and click phpMyAdmin. There you can set permissions, create databases, and insert info. I will write a starter's guide for phpMyAdmin at a later date and demonstrate the basic way to connect, insert, delete, and so on using PHP.

So after that you may think that PHP/MySQL isn't for you, but you still want to create web games. Well, for web games you need a back end (database), be it SQL, MySQL, Access (*shudder*), Oracle or whatever database language/server you have access to. You also need a scripting language of some sort, the two most popular being PHP and ASP.NET, though others do exist.

You can also use other languages such as JavaScript, Java and XML to handle some of your information instead of relying on just your scripting language.

I hope this has given you the knowledge you need, not to script, but to know where to start looking. I know personally when I first started I didn't know what languages to use, or what options I had.

Also, for anyone that develops, please feel free to post the languages and set up you use.

PBBG

Persistent Browser-Based Games

That's what PBBG stands for, and it's what many of us developers/players work on or play.

Bud (the guy that owns the PBBG I linked to) was trying to define the genre, because it's not quite an MMOG since it's played in a browser. And this is what he came up with.

If you are unsure of what style of game this describes, it's a game played through the browser where, after you log off, the game world still exists and so does your character. It is often defined by thousands of players playing a game where they interact very much like in an MMOG.

If you are a player or developer, support this project! This is our chance to make it known that we exist. To make our little corner of the net larger, better… and overall, provide a better playing experience to everyone.

Hello all!

Hello everyone, I am bardicknowledge, founder of this little blog. Let me start by getting right to the point and saying what we are about here.

The idea that drives this blog is that as a community, we can help each other improve upon our browser-based games or our tabletop games. I'm sure all of you developers out there, at one point in time, have been stuck, trying your damnedest to think of the perfect way to have an action performed, or how a rule should be applied, or what numbers should be used. This is part of the reason this blog exists: to help developers in need.

The second part is to raise the standard of games. Everyone wants their game to be the best, the most enjoyable to play, the most addictive. But how do we do that? How can we achieve this level of greatness? Well, as a group, I hope to study others' mistakes, figure out where they went wrong and how to improve upon that area.

So, interested yet?

Here’s the thing. I can’t do this all myself. I can’t tell everyone the details to every genre. I can’t give you the secrets to the perfect game. Sorry. But here is what I, actually, WE can do. WE can all work together to bring articles, links, code, anything, together here for others to review and comment on.

You may be saying, "how can I help this community?" Well, this is how. Go to the contact page, and my email is there. Send me an email with articles, links, whatever. Just be sure to include your name so I can give you credit for your articles/code/finds.

I hope this has caught your interest and you will all come back to see what we can pull together.

Oh! I almost forgot! Have a game YOU made? Send me an email (contact page). I will be listing contributors' games on a 'Games' page. So make some comments, submit some content… be a regular and I will gladly link from here to your game ^_^