My mother loves to play Boggle. I see her play the same Boggle game online every day for hours at a time. The site of choice is http://www.fun-with-words.com
While playing some games I came across a little something when you submit your score. It looked too good to be true:
See it? The score is stored locally in a variable inside a hidden form field. By the way, I’m using the Web Dev Firefox extension to show all form field information.
What if we change this value to the high score?
Let's see what happens...
That's right. No validation. It takes our high score without any questions. How can this be prevented? For one thing, by not storing the score in a hidden form field. I see a lot of Flash games that just send the high score as plain text in POST data. This can be mimicked with any programming language capable of producing an HTTP request. The only way to defeat this would be some sort of hash value sent alongside the answers that verifies the variables haven't been modified.
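Here is what that "hash alongside the values" looks like when done properly, as an added example that is not code from the post or from the site discussed. The check only works if the hash is keyed with a secret the browser never sees (an HMAC), otherwise the player can recompute it after editing the score; it also assumes the server itself produced the score (say, by validating each word during play) and only wants to carry it through the form without trusting the client. Field names and the secret are made up for the example.

```python
import hashlib
import hmac

# Constructed secret for the example. In production load it from server-side
# config; a plain, keyless hash would give no protection because the client
# could simply recompute it over the edited score.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Fields the server wants to protect. The session id ties the score to one
# player's game so a signed value cannot be replayed from another session.
PROTECTED_FIELDS = ("session_id", "board", "score")


def canonical(form: dict) -> bytes:
    """Serialise the protected fields in a fixed order with an unambiguous separator."""
    return "\x1f".join(str(form[name]) for name in PROTECTED_FIELDS).encode()


def sign(form: dict, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the protected fields, hex encoded for a hidden input."""
    return hmac.new(secret, canonical(form), hashlib.sha256).hexdigest()


def issue_hidden_fields(session_id: str, board: str, score: int,
                        secret: bytes = SERVER_SECRET) -> dict:
    """What the server renders into the form: the values plus their signature."""
    form = {"session_id": session_id, "board": board, "score": score}
    form["sig"] = sign(form, secret)
    return form


def verify_submission(form: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check on POST: recompute the MAC and compare in constant time."""
    try:
        expected = sign(form, secret)
    except KeyError:
        # A protected field is missing; treat as tampering.
        return False
    return hmac.compare_digest(expected, str(form.get("sig", "")))


if __name__ == "__main__":
    issued = issue_hidden_fields("game-1234", "TAESRLNOIPDMCHUB", 42)
    print("untouched form accepted:", verify_submission(issued))
    edited = dict(issued, score=9999)          # the hidden-field edit from the post
    print("edited score accepted:  ", verify_submission(edited))
```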
It's a slow night when it comes down to cheating at word games 😛