I'm sure most of you are familiar with the JavaScript-based game Candy Box.
As you probably know, one can cheat this game's candy system by sending commands to the console.
For instance, if you click the link, you will see that your candy count increases slowly. Somebody using Google Chrome (I refer to Chrome specifically because I know the keyboard shortcuts; perhaps this can be done in Firefox or IE) who wants to cheat can press Ctrl + Shift + I, navigate to Console and send candies.setNbrOwned(2147483647) to the console for a quick and easy sugar-high.
Can this pose a problem in other contexts? For instance, let's say that I have a website that sells widgets. Can somebody's balance (or even the price of my widgets) be altered through sending something like userBalance = 2147483647 or widget.setPrice(0.01) by using JavaScript (maybe even without using the browser's JavaScript Console)?
If it isn't possible, why is that the case? My first guess for why it might not be possible is because changed variables would be stored as local variables and wouldn't affect anything major -- kind of like changing elements through 'Inspect Element' features.
If it is in fact possible, through what means can it be done, and how does one prevent it?
There are two main types of issues that can occur with client-side execution:
When an unprivileged, untrusted client interacts with a server, the server must, whenever possible, validate all the input received by the client and the legality of client actions. Failing to do so opens the server up for a wide range of attacks known as 'Insecure Interaction Between Components'. Just like all your Web forms' input must be validated, you must validate any data you receive from client-side via AJAX queries or other mechanisms.
Once you've validated all the data, there are still a number of cases where users can abuse client-side scripting, such as online games. The defences you can set against players giving themselves more resources than allowed, making more moves than allowed, displacing themselves further than allowed in a multiplayer game, etc., are relatively limited. Some defence strategies could include:
Online social networks like Facebook are particularly wary of people downloading "hacks" that claim to give users more likes or access to their friends' profiles. Many malicious scripts can be found that, if copied into a browser, will let a third party take over your user session. This is a dream scenario as attackers can execute arbitrary code in your valid user session! Facebook now injects a warning message in browsers' developer consoles to help fight this phenomenon:
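Returning to the widget-shop question and the answer's point about validating everything received from the client, here is an added example that is not part of the original posts. It sketches a server-side purchase handler in which the catalog, the account table, handlePurchase and all values are constructed for illustration; prices and balances live only on the server, so a price or balance changed in the browser console has no effect.

```javascript
// Server-side state (constructed sample data). Amounts are integer cents
// and exist only on the server; the browser never supplies them.
const CATALOG = new Map([['widget-1', { priceCents: 1999 }]]);
const ACCOUNTS = new Map([['alice', { balanceCents: 5000 }]]);
const MAX_QUANTITY = 100;

// sessionUserId comes from the authenticated session, never from the body.
// body is the parsed JSON the browser sent, so anything in it may be forged.
function handlePurchase(sessionUserId, body) {
  const account = ACCOUNTS.get(sessionUserId);
  if (!account) return { ok: false, error: 'not authenticated' };
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'malformed request' };
  }

  const item = CATALOG.get(String(body.widgetId));
  if (!item) return { ok: false, error: 'unknown widget' };

  // Reject strings, fractions, zero, negatives and oversized orders.
  const qty = body.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QUANTITY) {
    return { ok: false, error: 'invalid quantity' };
  }

  // body.price and body.userBalance are deliberately never read.
  const totalCents = item.priceCents * qty;
  if (totalCents > account.balanceCents) {
    return { ok: false, error: 'insufficient funds' };
  }
  account.balanceCents -= totalCents;
  return { ok: true, chargedCents: totalCents, balanceCents: account.balanceCents };
}

// Constructed request from a client whose console changed price and balance.
const tampered = { widgetId: 'widget-1', quantity: 2, price: 0.01, userBalance: 2147483647 };
console.log(handlePurchase('alice', tampered));
// A negative quantity (an attempt to credit the account) is rejected.
console.log(handlePurchase('alice', { widgetId: 'widget-1', quantity: -5 }));
```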