如何在 JavaScript 中保存未经授权的操作
我用 javascript/HTML5 编写了一个服务器客户端应用程序,它应该允许客户端在服务器端使用 Node.js 实时通信/玩游戏。
我知道私有变量的使用等。但是如何防止整个游戏引擎通过console api被未经授权的访问呢?
就像如何以这样的方式编写它,使所有变量都落入私有范围内,并且一旦启动,它们就几乎独立运行,而无需在全局范围内注册单个变量,这样就没有人可以搞乱游戏了!
根据我的研究,我可以做类似的事情
function Game(){
// All declarations here
// Start a logic in here
}
,然后调用它就
new Game();
可以了?但有没有更好的方法来做同样的事情?
I wrote a server-client app in javascript/HTML5 its supposed to allow clients to communicate/play a game in realtime using Node.js on the server side .
I know the use of private variables and etc . But how to prevent the whole game engine from unauthorised access via console api ?
As in how to write it in such a way that all variables fall in a private scope and once initiated they run pretty much independently without registering a single variable in the global scope so that nobody can mess the Game up!
From what i have researched i can do something like
function Game(){
// All declarations here
// Start a logic in here
}
and then calling it
new Game();
will do it ? but is there any better way to do the same ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您可以通过匿名函数运行 JavaScript 应用程序,而无需注册任何单个变量:
但是,没有没有可靠的方法来防止作弊:人们可以轻松分析您的代码,并且创建虚假的 AJAX 请求。使用最新的浏览器,捕获您的代码非常容易。
通过 getter 和 setter,任何人都可以有效地拦截您的函数。使用已弃用的
arguments.callee.caller属性,攻击者可以读取函数调用的源代码,从而有效地访问本答案顶部定义的闭包。例子:
You can run a JavaScript application without registering any single variable, via an anonymous function:
However, there is no reliable way to prevent cheating: One can easily analyse your code, and create fake AJAX requests. With the latest browsers, it's incredibly easy to capture your code.
With getters and setters, anyone can effectively intercept your functions. Using the deprecated
arguments.callee.callerproperty, an attacker can read the source of the function call, effectively getting access to the closure as defined at the top of this answer.Example:
您不能信任客户端硬件上运行的任何内容,也不能信任它。即使使用您给出的示例,任何人都可以轻松修改并重新加载您的脚本以进行作弊。那么,最好的选择就是不要为此付出任何额外的努力,而是正常编写应用程序并通过像 UglifyJS。 Rob 在他的回答中指出的匿名函数模式也很常见。
另外,关于 MD5 哈希值 - 不,即使它在“私有范围”中,您仍然可以在 JavaScript 调试器中查看和修改它。这里的要点是,由于 JavaScript 执行环境的整体性质,有人总是会作弊 - 只是您需要通过混淆代码来使作弊尽可能困难(显然使用预处理器)和其他类似的技术。
You can't trust anything that runs on the client's hardware, and that it. Even with the example you've given, anyone could easily modify and reload your script to cheat. Your best bet here, then is not to put any extra effort into this, but rather by writing your application normally and running it through a preprocessor like UglifyJS. The anonymous function pattern indicated by Rob in his answer is also common.
Also, about the MD5 hash thing - no, even if it's in "private scope" you can still view and modify it in a JavaScript debugger. The point here is that someone will always cheat because of the entire nature of the JavaScript execution environment - it's just that you'll need to make it as difficult as possible to cheat by obfuscating your code (obviously using a preprocessor) and other similar techniques.
JS 代码总是可用的,你可能想混淆你的代码以使作弊更加困难
JS code is always available, you may want to obfuscate your code to make cheating harder
只要有足够的时间,所有的安全措施都可以被规避。每项安全措施的目标都是增加破解所需的时间 Rob W 所说的会有帮助,但我建议您还投资于 JavaScript 的混淆/最小化,这将对分析所需的时间和精力产生更大的影响它并创建假的 ajax 请求而不是避免全局变量。
不过我同意基于 javascript 的应用程序永远不会非常安全。你能期待的最好结果就是“烦人的黑客行为”
如何混淆(保护)JavaScript?< /a>
All security can be circumvented with enough time. The goal of every security measure is to increase the time it takes to crack What Rob W says will help, but I suggest you also invest in obfuscation/minimization of your javascript which will have a much greater impact on the time and effort required to analyze it and create fake ajax requests than avoiding global variables.
However I concur that a javascript based application can never be very secure. The best you can hope for is "annoying to hack"
How can I obfuscate (protect) JavaScript?