Thread: Flash ---> POST ---> PHP form - Which IP Address is Passed?

  1. #1
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23

    Flash ---> POST ---> PHP form - Which IP Address is Passed?

    Okay. I have a project that I am building. It is a game. I know that flash games are extremely insecure in score posting via POST/GET, but I'm not worried about the data getting changed, what I'm worried about is how many requests there are and from where they are originating.

    When flash sends an HTTP request via POST/GET, and a php script were to run an ip address check, would it show the ip address of the server the game was hosted on OR the visitor's IP address?

    Thanks.

  2. #2

  3. #3
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by MyFriendIsATaco View Post
    Visitor's IP.
    Even if you were to use loadVars and sendAndLoad, which do not open a new browser window/tab for the visitor?

    ----


    EDIT: Can a swf detect the ip address of the server that it is being hosted on? If that is so, then the ip address can be sent in a POST request and compared to the server's ip address from the php code?

    Also, can flash do MD5 encoding?

  4. #4
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Yes, no, and yes.

    To answer the MD5 question, you just need a class to take care of it for you. Luckily, Adobe released an as3corelib package that includes the MD5 class, as well as SHA1 and a bunch of other little helpful utilities: http://code.google.com/p/as3corelib/

    MD5 will be in com.adobe.crypto.MD5.

  5. #5
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by MyFriendIsATaco View Post
    Yes, no, and yes.

    To answer the MD5 question, you just need a class to take care of it for you. Luckily, Adobe released an as3corelib package that includes the MD5 class, as well as SHA1 and a bunch of other little helpful utilities: http://code.google.com/p/as3corelib/

    MD5 will be in com.adobe.crypto.MD5.
    Is there any way at ALL of detecting the IP Address of where the swf was downloaded from? This would be the ONLY way of making the foolproof system I'm looking for?

  6. #6
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    Nope, you'll need another way to enhance security.

  7. #7
    Bearded (M|G)od MyFriendIsATaco's Avatar
    Join Date
    Dec 2002
    Location
    Awesomeville.
    Posts
    3,045
    If you're just trying to limit the number of requests being made, why not just log the requests in your database along with the user's IP address, and make sure they don't go over a certain limit, like, 1000/hr or something per user? That wouldn't be very hard at all.

  8. #8
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by MyFriendIsATaco View Post
    If you're just trying to limit the number of requests being made, why not just log the requests in your database along with the user's IP address, and make sure they don't go over a certain limit, like, 1000/hr or something per user? That wouldn't be very hard at all.
    Normally I would agree, but the people who would try to hack it would use proxy servers to mask their ip address. I will do this also to stop multiple score sends from the same ip address happening within seconds from each other (even with a great player, it takes at least 5 secs to go from start to send score).


    Thank you for all of your help. Normally I am not like this but I was wondering if you could help me further. I posted another thread (not a repost of this one - it's a different problem, but same topic) http://board.flashkit.com/board/showthread.php?t=807589 and I was wondering if you could be of help.

    I'm not usually like this: hasty and impatient, but this project I am working on, which doesn't have a deadline, is one of those mindboggling projects that really gives you a headache 93% of the time that you not only want to finish but need to finish especially when your future depends on it. The project I'm working on is a charity game/site, that in essence will donate to charity (long story on the inner mechanics) and will look really good for my future. My deadline isn't today, tomorrow or the next day, but the sooner the better.

    Thanks so much MyFriendIsATaco! If you are able to help with my other thread, thank you in advance - you don't know how grateful I truly am, but if you can't, then thank you for trying and for all the help you've given me so far.

  9. #9
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    with regards to your other post: at least where I live, fixed IP addresses are not that common, so any logic that is based on IP address may not work reliably.

    Now, in your scenario, you have a movie that might want to send its _url property to a server, along with other variables. Now, as long as regular loadvars POST is used, a silly html form could send the exact same data. If you want to protect the data by the presence of MD5 (or any other hash), an attacker would just have to calculate the same hash - perhaps via some javascript function.
    A simple step to make things harder would be to replace the loadvars by something else, say AMF (remoting): an attacker would have to create a flash movie instead of a html form in order to submit bogus results (and unlike html forms, submission engines for AMF are not readily available).
    However, all the logic in your movie (including whatever you design to send values to the server) is still open to an attacker - they can run buraks on the movie.

    At a time where decompiling movies was a big trend, I have tried a different route: every single copy of the movie is different because it includes a hard-coded scrambling algorithm (like a unique key and a common crypt algorithm merged). As the server generates that movie, it saves data needed to unscramble - with a short expiry time. This means that the game must be completed within a short time after loading it. This also means that someone who just downloads and decompiles the movie would not be happy at all ... and someone who detects the trick would have to be very quick. Have a look at http://www.fontimages.org.uk/flash/hiscore/

    Musicman

  10. #10
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Musicman - can you give me some more info on this?
    thanks

  11. #11
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Hey Musicman -

    I've done some reading and found out that SSL prevents applications like Tamper Data or other packet sniffers from finding and changing POST data - it's all secure.

    Is there a way that I can output a swf from a php file such that it can't be downloaded in the cache because of SSL?



    EDIT: BTW I was able to decompile your SWF and found out that to send the score it sends it to result.php?str=. Now, I didn't search deep enough to figure out how to figure out the variable to find the str=, but see my problem is different than yours.

    I don't care if people want to change their score because my game only gets submitted when they win (it's a win/lose game - hangman). It's a charity type site and for every valid score submit x cents are donated to charity. And since my game isn't score based, the way to cheat it and the site is to make many many "win" requests.

    So therefore, the only way to make it foolproof is for it to be at least one of the following: 1) PHP checks to see where the ip address of the score submit is originating from (this would work if on a loadVars/sendAndLoad POST request the originating ip were the server the swf was hosted on rather than the clients ip), 2) the swf file is completely undecompilable (which is impossible because it is clientside and therefore not decompileproof - if this were possible then, paired with SSL, they would not be able to know where the php request was going to or that I have a javascript function double checking what the php POST is sending [more info about this idea @ http://board.flashkit.com/board/showthread.php?t=807589 ]) or 3) flash has the ability to write to a serverside .txt file that would double check what the post method sent - IMPOSSIBLE flash is clientside....

    So yea.....

    Your idea might work but I don't know if it is applicable to me. Thanks!
    Last edited by rnc505; 12-31-2009 at 10:32 AM. Reason: added more background

  12. #12
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    did you decompile two different copies of the movie? They are different....
    So the technique might still be useful. I imagine this approach: when the movie is loaded, a random value is created and entered into a database. This random value translates into
    a) a hardcoded function to calculate a string of gibberish which includes some data points to find it inside the database
    b) a recipe to verify that such string of gibberish indeed corresponds to a database entry
    I would, however, look into a simpler approach for your case - server sessions:
    as the html page containing the movie is sent, a session cookie is set too. Now, when the game is submitted, the cookie value is sent back, and the server can verify whether it issued that particular session value. Also, on a win request, it seems safe to delete the server side item so that one cannot win the same game twice.
    Regular php sessions have a life time of 15 minutes

    Musicman

  13. #13
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by Musicman View Post
    Hi,

    did you decompile two different copies of the movie? They are different....
    So the technique might still be useful. I imagine this approach: when the movie is loaded, a random value is created and entered into a database. This random value translates into
    a) a hardcoded function to calculate a string of gibberish which includes some data points to find it inside the database
    b) a recipe to verify that such string of gibberish indeed corresponds to a database entry
    I would, however, look into a simpler approach for your case - server sessions:
    as the html page containing the movie is sent, a session cookie is set too. Now, when the game is submitted, the cookie value is sent back, and the server can verify whether it issued that particular session value. Also, on a win request, it seems safe to delete the server side item so that one cannot win the same game twice.
    Regular php sessions have a life time of 15 minutes

    Musicman
    On a different post of yours on a different thread you talked about something like swf.swf?var1=v1&var2=v2.

    Is there a way you can do this without the client knowing the value of var1 or var2?

  14. #14
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    well - before I came up with this code, I made something to add variables into a movie: if one decompiles the movie, one would see
    var var1 = 'v1';
    var var2 = 'v2';
    The idea there was not really hiding in the first place, but rather making a movie that can be sent around, placed on someone's desktop, etc., with the variables protected from alteration. Now, if the data is temporary and unique, decompiling would not help a cheater.

    Musicman

  15. #15
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by Musicman View Post
    Hi,

    well - before I came up with this code, I made something to add variables into a movie: if one decompiles the movie, one would see
    var var1 = 'v1';
    var var2 = 'v2';
    The idea there was not really hiding in the first place, but rather making a movie that can be sent around, placed on someone's desktop, etc., with the variables protected from alteration. Now, if the data is temporary and unique, decompiling would not help a cheater.

    Musicman

    How could you make the data temporary/unique without the cheater seeing an html code or intercepting a php request that would contain such data?

    I'm not worrying more about the guy seeing it, but I want him to be unable to make a malicious php script or something of that like and be able to send numerous requests per second because he decompiled the swf, knew what variables were needed, then scraped the data, put it in one php POST request and then just keeps sending the data.

    SessionID may work because he cannot create a php script that would be able to scrape his sessionid and each time they reach a page they would receive a new one.

    How could I do that?

  16. #16
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    first of all I am able to get the session id - my browser does it for me all the day...
    I do not know any data that the server might correlate with that session id.

    So, the approach would be to create a session on the server, populate it with random data, and pack some other data into the movie.
    Now, the movie finally sends data back, along with the session id, and the server can verify that the data received match the session (and destroy the session - one would not win the same game twice)
    Still trying to cheat? Well, the added data just sits there in the movie. While downloading, monitoring the session id, decompiling certainly is not a feasible way, one could study the downloaded movie and devise some sort of "regex matching" to extract the relevant data. Of course this means that a dedicated technical-minded attacker with enough knowledge about the inner workings of a swf file was at work.
    Once the method was worked out, the attacker would write a program to connect to the server, request the index page and the movie, analyze the movie, ...

    So, let's add one more step: there is not just data in the swf (that is assigning fixed values to some vars) but some actual calculations. Now the attacker would need to analyze the entire script (this is possible - you can get open source decompiler to start with) and then execute it - looks like either writing a minimal VM (the scripts would probably not use the full power of AS) or trying to integrate what Adobe makes available. Seems like too much effort for cracking a game ... maybe if the winner got the keys to Fort Knox

    Musicman
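
The session-bound, single-use win token described in the post above, sketched in PHP as an added example that is not part of the original thread or anyone's posted code. The function names, constants and demo values are assumptions; as the post itself notes, this stops blind replay of a captured request, not a client that requests the page first.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.
const MIN_PLAY_SECONDS = 5;   // assumption: the "at least 5 secs" per game from post #8
const TOKEN_TTL = 900;        // assumption: the 15-minute lifetime quoted in post #12

// Called while serving the HTML page that embeds the movie.
// $session is $_SESSION in production; passed by reference so it can be exercised offline.
function issue_game_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $session['game'] = ['token' => $token, 'issued' => $now];
    return $token;                               // hand to the movie, e.g. via FlashVars
}

// Called by the win endpoint. Returns a reason string; only 'ok' counts as a win.
function redeem_game_token(array &$session, $submitted, int $now): string
{
    $game = $session['game'] ?? null;
    unset($session['game']);                     // burn on every attempt: no replay, no guessing
    if ($game === null) {
        return 'no-game';                        // nothing issued, or already redeemed
    }
    // $_POST values can be arrays, so check the type before the constant-time compare.
    if (!is_string($submitted) || !hash_equals($game['token'], $submitted)) {
        return 'bad-token';
    }
    $age = $now - $game['issued'];
    if ($age < MIN_PLAY_SECONDS) {
        return 'too-fast';                       // faster than a human can finish a game
    }
    if ($age > TOKEN_TTL) {
        return 'expired';                        // page was loaded too long ago
    }
    return 'ok';
}

// Constructed demo: a plain array stands in for $_SESSION, integers for time().
$cases = [
    'normal win'       => [8, true],
    'scripted instant' => [1, true],
    'stale page'       => [TOKEN_TTL + 1, true],
    'forged token'     => [8, false],
];
foreach ($cases as $label => [$delay, $useRealToken]) {
    $session = [];
    $token = issue_game_token($session, 1000);
    $sent = $useRealToken ? $token : str_repeat('0', 32);
    $first = redeem_game_token($session, $sent, 1000 + $delay);
    // The same request sent a second time must never succeed.
    $replay = redeem_game_token($session, $sent, 1000 + $delay + 1);
    printf("%-17s first=%s replay=%s\n", $label, $first, $replay);
}
```

In a real endpoint both functions would be called after `session_start()` with `$_SESSION`, `$_POST['token'] ?? null` and `time()`.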

  17. #17
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by Musicman View Post
    Hi,

    first of all I am able to get the session id - my browser does it for me all the day...
    I do not know any data that the server might correlate with that session id.

    So, the approach would be to create a session on the server, populate it with random data, and pack some other data into the movie.
    Now, the movie finally sends data back, along with the session id, and the server can verify that the data received match the session (and destroy the session - one would not win the same game twice)
    Still trying to cheat? Well, the added data just sits there in the movie. While downloading, monitoring the session id, decompiling certainly is not a feasible way, one could study the downloaded movie and devise some sort of "regex matching" to extract the relevant data. Of course this means that a dedicated technical-minded attacker with enough knowledge about the inner workings of a swf file was at work.
    Once the method was worked out, the attacker would write a program to connect to the server, request the index page and the movie, analyze the movie, ...

    So, let's add one more step: there is not just data in the swf (that is assigning fixed values to some vars) but some actual calculations. Now the attacker would need to analyze the entire script (this is possible - you can get open source decompiler to start with) and then execute it - looks like either writing a minimal VM (the scripts would probably not use the full power of AS) or trying to integrate what Adobe makes available. Seems like too much effort for cracking a game ... maybe if the winner got the keys to Fort Knox

    Musicman
    Yea over the past few days I'm starting to realize that hackers have much better things to do with their time. Sure I'm gonna make it help for amateurs but if a dedicated hacker really wants to get into it - all power to him. And it's not like a win for me = a prize for them so there isn't much motivation ya know? Also if I encrypt the swf using irrFuscator or something similar - will that help?

    Thanks again!

  18. #18
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    I am not too convinced of obfu, and not of decompilers either.
    However, you will typically find people that know how to operate these beasts and have never seen a "mangle data" tool or heard about server sessions - and you will also find people who know how to deal with the server and communication side but do not know much about flash.
    So by mixing elements of both, you will probably get rid of the amateurs. That is the level of adding random vars to the movie (so it decompiles differently every time) and expecting them back.
    Now, there is another - perhaps simple - approach at cheating: load the original movie (including any protections it might have built in) and then - somehow - ask it to call its win function. The common "same origin" policy helps a lot against attacks - so think twice about crossdomain.xml files

    Musicman

  19. #19
    FLASH MASTA
    Join Date
    Mar 2006
    Posts
    23
    Quote Originally Posted by Musicman View Post
    Hi,

    I am not too convinced of obfu, and not of decompilers either.
    However, you will typically find people that know how to operate these beasts and have never seen a "mangle data" tool or heard about server sessions - and you will also find people who know how to deal with the server and communication side but do not know much about flash.
    So by mixing elements of both, you will probably get rid of the amateurs. That is the level of adding random vars to the movie (so it decompiles differently every time) and expecting them back.
    Now, there is another - perhaps simple - approach at cheating: load the original movie (including any protections it might have built in) and then - somehow - ask it to call its win function. The common "same origin" policy helps a lot against attacks - so think twice about crossdomain.xml files

    Musicman
    BOOM - that's what I was looking for CROSSDOMAIN policies! How can I make it such that it restricts requests to only be accepted from something (in this case a flash file) that is downloaded from the same server?

    This would help so much and be the only thing I'd need pretty much...

    thanks Musicman
    rnc505

  20. #20
    Registered User
    Join Date
    Feb 2001
    Posts
    13,039
    Hi,

    the normal behaviour (without such a file): a flash movie can only send to the server it was loaded from; if you put http://somesite.com/win.php into a movie that is loaded from three different web sites, you need a crossdomain file on the php host to allow these accesses.
    This is behaviour built into flash plugin; the system does not stop a person who uses a non-flash submission program, but NOT allowing access to anything other than the origin server might make it harder to use javascript or another movie to control a movie.
    Nowadays there is some sandbox concept too. I am not sure but I believe the default behaviour disallows access (so a movie loaded from the attacker's server could load a movie from your server but not control it) - be sure not to allow anything here either.

    Musicman
