I hacked my own JavaScript game | Bypass Client side Game

June 9, 2018 Script hunter No comments exist

Bypassing a client side game is easy if you can gather some information and find the vulnerabilities location.Client side game is written with javascript+html+css,canvas,and with animation.

Game Details:

I developed a game named Crossover,Follow the above link for playing.Game is very simple with some obsticles and one brick and goal is escape obsticles to make a high score.When you got a position(rank),you will asked for your name then your name will public with your score that you made by playing this Javascript game.

Vulnerabilities Spot:

Have you noticed how does game update your score when you reaches to a high score? Game will send a ajax request to server and tell server to update score with given name.You can find ajax request in javascript code snippet(line no.170).Fun is that you can hold the request ,modify it and send to server again.PHP will compare your score with top high scorer,if your score is greater than top high scorer then you got a position on game.So this is a Client side request vulnerability which will help us to hack this game.

How did i Hack Crossover:

Method-1 | Simplest method:

What did i mention above in Vulnerabilities Spot,there is an ajax request for update score at line no-170 of javascript code snippet.

var name = prompt('You made a High Score,Please tell your name');
            var xhttp = new XMLHttpRequest();
            xhttp.onreadystatechange = function()
            {
                if(this.readyState == 4 && this.status == 200)
                {
                    printscore(this);
                    
                    
                }
            };
            xhttp.open('GET','/work/crossover/score.php?q='+name+'&r='+score,'true');
            xhttp.send();
						

Just fill url box like this http://cherryblog.in/work/crossover/score.php?q=your_name&r=your_score Example: http://cherryblog.in/work/crossover/score.php?q=shikari&r=20000 and hit enter,Boom.. You will get a XML file contains NAME and SCORE.Here you can find you name with first position without playing game.

Method-2 | Make request with python:

Code:
import requests
url = requests.get("http://cherryblog.in/work/crossover/score.php?q=shikari&r=20000");
if url.status_code == "200":
	print 'You Successfully Hacked!!';

Just excute this python script,You will get your high score with your name without playing the game.

See also:Break the jail & steal everything
Best Cyber security degree program 2018
Bypass Google's XSS game
She wanted to check security of her website i replied by hack that shit
How did i automate 2048 game of a Github's User

Leave a Reply

Your email address will not be published. Required fields are marked *