从 Java 安全地将数据发布到 URL 的最佳方法

发布于 2024-10-12 10:34:44 字数 394 浏览 6 评论 0原文

我正在为课程开发一个小游戏(用 Java 语言),我决定做的扩展是一个在线记分板。正如我认为可能发生的那样,我课程中的一些人已经弄清楚如何破解记分板并提交自己的分数。

我知道当前提交分数的方式存在一些问题,但就是这样。游戏生成分数,然后对 URL 执行 HTTP GET,其中包含玩家 ID、分数和密码选项。

我可能会将其更改为 POST,因为获取密码数据可能会更困难。另外,我正在考虑让它通过 HTTPS 运行(尽管我不知道这在 Java 中是否更困难)。不幸的是,这并不能阻止人们通过反编译 Java 代码找到密码的主要方式。

我不知道防止黑客攻击的最佳方法。我真的不太介意,它没那么重要,但最好能保护它,这样当代码被标记时,它就不会包含大量垃圾邮件。

对于混淆代码和/或保护整个过程的方法,您有什么建议?

I am developing a small game (in Java) for a coursework and the extension I have decided to do is an online score board. As I thought might happen, a few people on my course have figured out how to hack the score board and submit their own scores.

I know there are a few problems in the current way of submitting scores, but here it is. The game generates a score, then does an HTTP GET on a URL with the options of the players ID, the score and a password.

I might changing this to be a POST as it might be more difficult to get the data for the password. Also, I am considering making it run over HTTPS (although I don't know if this is more difficult in Java). Unfortunately, this doesn't stop the main way that people found the password which was by decompiling the Java code.

I don't know the best way to prevent the hacking. I don't mind too much really, its not that important, but it would be nice to secure it so when the code is marked it doesn't have a load of spam on it.

What would be your suggestions on ways to obfuscate the code and/or secure the whole process?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

假情假意假温柔 2024-10-19 10:34:44

你的方法根本行不通。当您需要保护某些内容时,您无法在客户端上运行它。

相反,整个游戏必须在服务器上运行,用户只能提交动作。这样,您就可以验证动作(这样玩家就无法创建非法状态)并计算正确的分数。

其他一切都可能被黑客入侵。如果不加密数据,则可以使用网络嗅探器对其进行黑客攻击。如果您使用 HTTPS,黑客可以使用代理来解码数据(中间人攻击)。

Your approach simply doesn't work. When you need to secure something, you can't run it on the client.

Instead, the whole game must run on the server and users can only submit moves. That way, you can validate the moves (so players can't create illegal states) and calculate the correct score.

Everything else can always be hacked. If you don't encrypt the data, it can be hacked by using a network sniffer. If you use HTTPS, hackers can use a proxy to decode the data (man in the middle attack).

软糖 2024-10-19 10:34:44

人们能做的就是从匿名跟踪转变为基于用户的跟踪。这并不能防止伪造,但使其更容易追踪。

基本协议可以是使用会话密钥对记分板更改进行签名或加密。会话密钥是在播放器本身登录时创建的。在这里您可以使用适当的身份验证系统进行工作。

现在至少您知道从哪个帐户进行了更改并且可以责怪您的学生......

What one can do is changing from anonymous to user based tracking. This does not prevent faking, but makes it more trackable.

The basic protocol could be that a score board change is signed or encrypted using a session key. The session key is created upon logon of the player itself. Here you can work using an appropriate authentication system.

Now at least you know from which account a change has been made and can blame your student...

悟红尘 2024-10-19 10:34:44

混淆不会帮助你。
这只会让黑客变得更难,但肯定仍然有可能。

为了确保整个过程的安全(至少在某种程度上),您不应该在客户端上有任何游戏逻辑代码。客户端应该只向服务器发送游戏命令。收到命令后,服务器应检查用户是否可以执行给定的命令。

这样,即使你的同事发送命令“设置 jeff 分数 9999”,服务器也会检查 jeff 是否确实玩过给他 9999 分的游戏,如果没有,你可以在客户端上显示一条错误消息。

一般规则是:如果客户端上有某些内容,则客户端可以对其进行修改。大多数人承认试图让客户难以修改它是徒劳的,因为他们这样做只是时间问题。

Obfuscation will not help you.
It will just make it harder for the hackers, but certainly still possible.

In order to secure the whole process (at least to some degree), you should not have any game logic code on the client. The client should only send game commands to the server. After receiving the commands the server should check if the user can preform the given commands.

This way for example even if your colleagues send a command 'set jeff score 9999', the server would check if jeff has actually played a game that has given him 9999 points, if no, you could just show an error message on the client.

The general rule is: if something is on the client, the client can modify it. Most people conceder attempts to make it hard for the client to modify it futile, since it is only a matter of time before they do.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文