Analysis and Prevention of web game plug-ins

Source: Internet
Author: User
Tags: php error, php error log

Recently, the community web game ran into a number of problems during development. Very attentive users also discovered these problems and used plug-ins (cheat bots) to exploit the gaps. For example, in my earlier blog post "Web development security code never trust user input" I described a case where the code handling an item purchase failed to deal with negative numbers. Today, prompted by another plug-in problem, let us talk about plug-ins in web games.

Plug-ins for web games are completely different from those for client online games and need far simpler technology. The usual approach is to simulate HTTP submissions. This requires you to know the request interfaces that the front end (Flash) calls and what each interface does; the program then calls these interfaces in sequence automatically.

For example, to steal a friend's vegetables in a farm game you would access http://www.aaa.com/steal.php and pass the parameters a=b and c=d; the following PHP script achieves that. (Note that almost every game requires you to be logged in, so you must pass along the session id, which can be captured with the two tools mentioned below.)

<?php
$rr_url = 'http://www.aaa.com/steal.php';

// POST $post to $url, sending $cookie (the session cookie) if given, and return the response body
function curlcookie($url, $cookie, $post) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    $cookie && curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    curl_setopt($ch, CURLOPT_POST, true);
    $post && curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res;
}

$cookie = ''; // this is the session_id cookie, captured from the browser
$post = http_build_query(array('a' => 'b', 'c' => 'd'));
curlcookie($rr_url, $cookie, $post);

If you have analysed the whole game flow (which takes patience), you write a series of such request scripts and let the program run on its own. To observe the details of each request there are two tools: Firebug under Firefox and HttpWatch under IE.

The above is basic knowledge of web development. To go further you need to understand the HTTP protocol, but it is enough to get started: you no longer have to play the game by hand, the plug-in does it for you. To gain more than a normal player, you have to find vulnerabilities in the program, which requires patience. For example, our game is a football game: you can play matches against others every day, but there is a limit of 30 matches per day. To play a few more for free, you need to find a vulnerability:

1. The simplest approach: starting from the match interface, we first try to hit this interface constantly with a concurrent program. The problem this exposes is that when PHP FastCGI handles several requests from the same user at the same time, each request runs the same sequence:

A: check the number of remaining matches

B: execute the match logic

C: update the number of matches

With two concurrent requests it can happen that request I is still executing B when request II executes A, so the check passes and the user gets an extra match. Against this we can set a flag variable so that a second request is refused while a match is in progress. Since step B is very short, the window is small and the opportunity does not arise often.

PHP can also issue several requests concurrently (curl_multi). The following is the concurrent version of the previous program.

<?php
define('THREADS', 10); // number of concurrent requests (value assumed)

// send THREADS identical POST requests at once and write all responses to a file named "curl"
function multiCurlCookie($url, $cookie, $post) {
    $main = curl_multi_init();
    $ch = array();
    for ($i = 0; $i < THREADS; $i++) {
        $ch[$i] = curl_init($url);
        curl_setopt($ch[$i], CURLOPT_URL, $url);
        curl_setopt($ch[$i], CURLOPT_HEADER, false);
        $cookie && curl_setopt($ch[$i], CURLOPT_COOKIE, $cookie);
        curl_setopt($ch[$i], CURLOPT_POST, true);
        $post && curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
        curl_multi_add_handle($main, $ch[$i]);
    }
    // drive all handles until every transfer has finished
    $running = 0;
    do {
        curl_multi_exec($main, $running);
        if ($running > 0) {
            curl_multi_select($main);
        }
    } while ($running > 0);
    $s = '';
    for ($i = 0; $i < THREADS; $i++) {
        $s .= var_export(curl_multi_getcontent($ch[$i]), true) . "\n";
        curl_multi_remove_handle($main, $ch[$i]);
        curl_close($ch[$i]);
    }
    file_put_contents('curl', $s);
    curl_multi_close($main);
}

2. Find the place where the number of matches is updated. In this game the match count is updated at one particular point in the game-session logic. A clever plug-in found this and kept playing matches through that gap, because the count is only updated once a match has completed.
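Both problems above come from the same shape of code: check, play, then update as separate steps. The post's own remedy is a flag variable; the example below, added here and not the post's code, shows the vulnerable shape beside a fix that charges the match in a single conditional UPDATE before playing it. It assumes a MySQL table players(id, matches_left) reached through PDO and a hypothetical runMatch() holding the game's match logic.

```php
<?php
// Added example, not code from the original post. Assumes a MySQL table
// players(id INT PRIMARY KEY, matches_left INT) reached through PDO, and a
// hypothetical runMatch() holding the game's own match logic.

// Vulnerable shape of the flow described above: A (check), B (play), C (update)
// as three separate steps. Two concurrent requests for the same player can both
// pass A before either reaches C, and if B aborts, C never runs at all.
function playMatchVulnerable(PDO $db, int $playerId): bool
{
    $stmt = $db->prepare('SELECT matches_left FROM players WHERE id = ?');
    $stmt->execute([$playerId]);
    $left = (int) $stmt->fetchColumn();           // A: read remaining count
    if ($left <= 0) {
        return false;
    }
    runMatch($playerId);                           // B: play (the race window)
    $db->prepare('UPDATE players SET matches_left = ? WHERE id = ?')
       ->execute([$left - 1, $playerId]);          // C: write back a stale value
    return true;
}

// Hardened version: reserve the match before playing it, in one conditional
// UPDATE. MySQL applies the row update atomically, so of N concurrent requests
// only as many succeed as there are matches left, and an aborted match has
// already been charged, so it cannot be replayed for free.
function playMatchSafe(PDO $db, int $playerId): bool
{
    $stmt = $db->prepare(
        'UPDATE players SET matches_left = matches_left - 1
         WHERE id = ? AND matches_left > 0'
    );
    $stmt->execute([$playerId]);
    if ($stmt->rowCount() !== 1) {
        // Refused: limit reached (or unknown player). Log it, as item 3 of
        // the defence list below suggests, so bursts of refusals show up later.
        error_log("match refused for player $playerId: daily limit reached");
        return false;
    }
    runMatch($playerId);
    return true;
}

function runMatch(int $playerId): void
{
    // hypothetical placeholder for the game's match logic
}
```

The daily reset of matches_left is outside this snippet; the same conditional-UPDATE pattern applies to any counter a client can spend.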

The following describes how to defend against such plug-ins:

1. Test the program in detail.

2. Think carefully whenever modifying the program. The vast majority of damaging behaviour is possible because the program was not thought through completely. At the same time, one has to admire how attentive these plug-in authors are.

3. Log sensitive operations so that they can be examined later.

When we found that the system had a plug-in, we looked for traces of the intruder in these places:

1. The PHP error log: check whether illegal user input has caused PHP errors.

2. The nginx/Apache access log: check the sequence in which a user accessed the program and which interfaces, and whether a possible vulnerability is visible.

3. Our own logs. Normally the program records logs at key points so that we can check whether certain operations are normal; this has to be planned in during program design.

4. The data in the database: observe how the data related to a user is updated.

5. The database statement log, for example the binlog in MySQL.
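Item 2 in practice: the concurrent plug-in shown earlier leaves a burst of identical requests from one client in the same second. The script below is an added example, not from the original post, that scans nginx "combined" access-log lines for that pattern; the sample lines and the /match.php path are constructed, and the threshold is an assumption to tune per game.

```php
<?php
// Added example, not from the original post: scan nginx access-log lines
// ("combined" format) for one client hitting the same game interface many
// times within a single second, the footprint of the concurrent plug-in
// above. Sample lines and /match.php are constructed; tune the threshold.

const BURST_THRESHOLD = 5;   // requests per (ip, path, second) that we flag

function parseLine(string $line): ?array
{
    // ip - user [time] "METHOD path HTTP/x" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'second' => substr($m[2], 0, 20),   // "12/May/2013:10:00:01", zone dropped
        'path'   => strtok($m[4], '?'),     // query string dropped
    ];
}
// One entry per (ip, path, second) whose request count reaches the threshold.
function findBursts(array $lines, int $threshold = BURST_THRESHOLD): array
{
    $counts = [];
    foreach ($lines as $line) {
        if (($r = parseLine($line)) === null) {
            continue;
        }
        $key = "{$r['ip']} {$r['path']} {$r['second']}";
        $counts[$key] = ($counts[$key] ?? 0) + 1;
    }
    $bursts = [];
    foreach ($counts as $key => $n) {
        if ($n >= $threshold) {
            [$ip, $path, $second] = explode(' ', $key, 3);
            $bursts[] = compact('ip', 'path', 'second') + ['count' => $n];
        }
    }
    return $bursts;
}
// Constructed sample: six near-simultaneous POSTs from one IP plus two normal requests.
$burst  = '10.0.0.5 - - [12/May/2013:10:00:01 +0800] "POST /match.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"';
$sample = array_fill(0, 6, $burst);
$sample[] = '10.0.0.8 - - [12/May/2013:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"';
$sample[] = '10.0.0.8 - - [12/May/2013:10:00:03 +0800] "POST /match.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"';

foreach (findBursts($sample) as $b) {
    printf("%s hit %s %d times at %s\n", $b['ip'], $b['path'], $b['count'], $b['second']);
}
```

On the constructed sample only 10.0.0.5 on /match.php at 10:00:01 is reported (6 hits); bursts are a starting point for reading the full request sequence of that client, not proof by themselves.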

Today's problem was found in exactly this way: the database operation log contained a large number of operations updating the game session. That changed our thinking and led us to a problem that had been present since the game-session update was written, namely that the program logic had not been fully considered.

To put it simply, the core is to design the program with full consideration and to pay attention to abnormal user behaviour. The plug-in authors helped me find what we had not tested, so we found the problem early and fixed it. I have not covered other security issues here, such as leaks of management permissions through server and database access rights, or attacks on PHP scripts; those are basic security measures that must be taken from the start of the program.
