{"id":148,"date":"2012-04-17T04:10:29","date_gmt":"2012-04-17T04:10:29","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=148"},"modified":"2012-04-21T08:28:49","modified_gmt":"2012-04-21T08:28:49","slug":"how-to-cheat-fun-with-words-com","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2012\/04\/how-to-cheat-fun-with-words-com\/","title":{"rendered":"How to cheat fun-with-words.com"},"content":{"rendered":"

My mother loves to play boggle. I see her play the same boggle game online every day for hours at a time. The site of choice is http:\/\/www.fun-with-words.com<\/p>\n

While playing some games I came across a little something when you submit your score. It looked too good to be true:<\/p>\n

\"\"<\/a><\/p>\n

See it? The score is stored locally in a variable inside a hidden form field. By the way, I’m using the Web Dev Firefox extension to show all form field information.<\/p>\n

What if we change this value to the high score?<\/p>\n

\"\"<\/a><\/p>\n

Lets see what happens….<\/p>\n

\"\"<\/a><\/p>\n

That’s right. No validation. It takes our high score without any questions. How can this<\/p>\n

be prevented? For one thing, not storing the score in a hidden form field. I see a lot of<\/p>\n

flash games that just send post data of high scores as plain text. This can be mimicked<\/p>\n

with any programming language capable of producing an http request. The only way to<\/p>\n

defeat this would be some sort of hash value sent long side the answers that verifies the<\/p>\n

variables haven’t been modified.<\/p>\n

 <\/p>\n

Its a slow night when it comes down to cheating at word games \ud83d\ude1b<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

My mother loves to play boggle. I see her play the same boggle game online every day for hours at a time. The site of choice is http:\/\/www.fun-with-words.com While playing some games I came across a little something when you submit your score. It looked too good to be true: See it? The score is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[8,10,9],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/148"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=148"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":155,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/148\/revisions\/155"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}