JeremyRH

Bypassing a Browser Game's Client-Side Security

Not long ago, I used to play a real-time multiplayer browser game called TagPro. The architecture is fairly standard for real-time multiplayer games. The browser opens a websocket connection to a server and user input is sent over the open connection. The server runs all the game logic and sends the game state to each browser several times a second.

Client-Side Security

There are two separate versions of the JavaScript bundle that powers the TagPro client: a competitive version with client-side security and a casual version without. A toggle in private games enables the competitive version. The JavaScript for TagPro's competitive scene has a few security measures in place to prevent third-party script execution. The first security measure is not exposing the game object globally by wrapping the game.js bundle in a self-executing function:

(function init() {
  // game.js
  var tagpro = {
 ...

mchow01

• 2010: "Universities push to turn out cyber guards as demand explodes" https://triblive.com/x/pittsburghtrib/news/education/s_698162.html
• 2011: "Will There Be A Shortage of Cyber Security Professionals in 2011?" https://www.csoonline.com/article/2228141/cisco-subnet/will-there-be-a-shortage-of-cyber-security-professionals-in-2011-.html
• 2012: "CEO Warns of Security Pro Shortage" https://www.securitymagazine.com/articles/83198-ceo-warns-of-security-pro-shortage
• 2013: "RSA 2013: Cyber security skills shortage needs urgent attention, says DoHS" https://www.computerweekly.com*/news/2240178584/RSA-2013-Cyber-security-skills-shortage-needs-urgent-attention-says-DoHS
• 2014: "Shortage of cybersecurity workers is a problem that will solve itself, study says" https://www.washingtonpost.com/business/capitalbusiness/an-argument-that-the-shortage-of-cyber-workers-is-a-problem-that-will-solve-itself/2014/06/27/dbab364a-fe00-11e3-8176-f2c941cf35f1_story.html?noredirect=on&utm_term=.649a29ac61aa < WTF?!?!?
• 2014: "Sh