This is more “thinker” than problem.
I have a problem with thinking about how to secure javascript.
Let’s say I have this setup:
Main page with iframe in it
Iframe with content.
Now, let’s say the user has to play a game in the iframe. After he finishes the game, the iframe calls:
window.parent.givePrice();
The parent will show modal window:
function givePrice(){
jQuery('.mask').show();
jQuery('#won').show();
}
In this modal window they will have something like
Congratulations! You just won a brand new BMW! Click here to get your prize
And after he clicks on the link, his name gets signed (by AJAX – not relevant) into the database table “winners”.
(Please remember, this is just an example).
Now this all sounds great, but I can see so many security holes in this. For example, if I use Firebug and write “givePrice();”, it shows me directly the modal that I won, even though I didn’t touch the game at all.
Can someone discuss what would be the best way to secure an example like this?
Thank you
The only way to prevent someone cheating is to have the action of making a guess (or whatever it is that lets them “win”) be a round-trip to the server:
If you want to make winning and accepting the win separate steps, you’d do that with another round-trip. On the first trip, the server generates a unique acceptance code and records on the server that the user won and what their acceptance code is. On the second trip, which involves the page sending back the code, the server checks the code (and performs several other fraud checks) and records that the user accepted.
There’s no secure way to do this client-side-only. Remember you can’t trust anything sent from the client.