Global window integrity in Javascript

1

I am working with online games in browsers and need to make the client a safer environment...

Initially I think of the root that is the Global window, how to maintain its integrity before its values already defined by the browser but with possibility to change, example:

by: https://stackoverflow.com/questions/11403107/capturing-javascript-console-log

    let oldLog = console.log;

    console.log = function (message) {
        // DO MESSAGE HERE.

        // CAPTURE CODE
        oldLog('CAPITURA');

        oldLog.apply(console, arguments);
    };

    console.log('teste');

I know I can’t freeze all properties but I intend to freeze native functions and values if possible, immutable values, so I use existing functions and gain performance decreasing memory cost...

communicate with the server sent to the data stack to return the unique value integrity keys or other way that I do not know yet... there are other security factors like Global window and very delicate and great, I have a long way to go...

I would like to add some information: I found something very interesting by one of Google's engineers, practices that really leave the code private and safe, besides being efficient in the cleaning of memory, applied with IIFEs:

https://philipwalton.com/articles/implementing-private-and-protected-members-in-javascript/

  • 5

    You can do a few tricks, but I’m not going to keep suggesting such a thing that I see as absurd and an unnecessary thought, because if it was to be done and was efficient or even if you want useful, everyone would do it, you don’t have much to worry about it, simply do not work with global scope, isolate variables in a scope, such as the use of IIFE (https://developer.mozilla.org/en-US/docs/Glossary/IIFE), and control everything from there and ready, if you have to release something in the global will be last case.

  • Great, I already practice this technique but had no details of them, thanks @Guilhermenascimento!

  • I’m not voting to close because there are people looking for it. But I don’t understand the purpose of memorizing native calls this is interesting closed in proprietary API but doing this in native code can lead to unexpected behavior and undetectable bugs.

  • So explain more because maybe we don’t have the same vision as you, also I can tell you, the reason is that I’m creating an mmorpg and my main goal to bring it to the browser besides being multi-platform, but accurate makes the environment more secure and makes it difficult to change a function and spy the data by changing the native functions I use. Integrity check data will be loaded via cors and then dumped in the trash.

  • I’d just like to leave an opinion that I see in many that there are more points here in Stack! Just for the reason that you can deny a question or doubt, do without trying to really understand the real reason, as you said, "I will not close...", maybe you can be very good at what you do but maybe you can also be failing to see things either just want to negativate what you don’t understand, be humble!

  • 2

    I did not understand your accusation. I did not deny your question I found you in analysis queue for closing already with three votes to close. I left the observation for anyone who found it not to close it because even though I find a device innocuous and that causes problems of difficult detection during development, there is a search and probably a reason. You claimed yours, even if it doesn’t make sense because it has zero impact on security if the person is willing to modify the behavior of the script he simply makes manipulated the script before starting or uses Vimion.

  • I didn’t accuse you, but I did say what I see here. Coming back to the subject, I think you still don’t understand! You can modify quietly but the integrity check will know!

  • One more remark because there is a contradiction, you say that it may generate bugs or errors... but in fact who will be trying to modify the script in the case here at Global window and someone who should not do, for what reason would make a change to a script that is working? The answer we already know!

  • 1

    I assume every client will mess with the system at some point. I do not think it prudent to mount client-side security devices, even more game where players use custom browser for advantage. Unless it is a Honey pot and every check of the received information occurs on the server side and the client modifies on your machine is only on your machine.

  • Precisely @Augustovasques, so I want to make difficult the work of this type of user, if he edit something the system will indicate that he should not do and if it continues will be blocked, I also send the data that he tried to edit for study and improvement of integrity security.

  • 1

    When I want to cheat in some online game I create two instances of the source one for integrity check, and other checks, and another instance only to send modified HTTP. If the game does not hold a dice conference when receiving I do what you want.

1 answer

2


Some ideas that are used to make the code more secure (the first refers to your example, and properties of window):

  • records the window properties as immutable

At work we did so:

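    // Define window[key] as a read-only property that cannot be redefined.
    const defineConstantProperty = function(key, value){
        Object.defineProperty(window, key, {
            value: value,
            writable: false,      // plain assignment no longer changes it
            enumerable: true,
            configurable: false   // cannot be deleted or redefined
        });
    };

    // {% valor %} is a template placeholder for the value to pin.
    defineConstantProperty('propriedade', {% valor %});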

and you can even test that in your example:

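    const defineConstantProperty = function(key, value, obj) {
      // Non-writable and non-configurable: the property can no longer be
      // reassigned, deleted or redefined.
      Object.defineProperty(obj || window, key, {
        value: value,
        writable: false,
        enumerable: true,
        configurable: false
      });
    };

    // Pin window.console, then console.log itself.
    defineConstantProperty('console', console);
    defineConstantProperty('log', console.log, console);

    let oldLog = console.log;

    // This assignment no longer takes effect: it is silently ignored in
    // sloppy mode and throws a TypeError in strict mode.
    console.log = function(message) {
      oldLog('CAPITURA');
      oldLog.apply(console, arguments);
    };

    console.log('teste'); // logs only 'teste'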

  • use IIFEs to avoid variables in the global scope (you can read more here)

  • use const to prevent variables from being written

  • use let and const for the advantages of their block scope

  • never trust what comes from the client, always check on the server

  • avoid having sensitive information in URLs or variables, always use indicators (ids you can use on the server) instead of sensitive information

  • Great @Sergio, if possible, send me more tips here to get more security details you know, what you think, should I remove from the window to avoid entries and make it difficult, as I think, should remove EVAL that I don’t use, work with modules and workers serviceWorker not to lock because it works in the background.

  • 1

    @Robertcezar it is difficult to put it all together in one answer. eval is a basic rule, yes; the serviceWorker has to do with the user experience, not so much with second; avoid window, yes, I mentioned it so.

  • Just a doubt that arose, let’s take the example, you said there "avoid window yes" that means that I should not create var in the global scope but I can use with confidence the functions of global as Worker or Console once I apply the above method that passed me defineConstantProperty, ok? If not, then I have to create my existing methods in the global put in the private and protected IIFE, polymorphism type?

  • 1

    @Robertcezar you can trust if you use defineConstantProperty. Another trick that was used before was to create an iframe and copy the methods of window iframe since the browser always creates an iframe with native methods.

  • Right, but I don’t think it’s necessary to create iframe, because I confirm that the value is actually equal to the native value, correct me if I’m wrong, for example: the native value of window.requestAnimationFrame is function requestAnimationFrame() { [native code] } if I try to access it, then I think about doing a simple type check, String(window.requestAnimationFrame) === 'function requestAnimationFrame() { [native code] }' ... this after using defineConstantProperty

  • @Robertcezar sounds good
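
Added example, not part of the original answer or its comments: the answer's first two ideas (pinning properties with Object.defineProperty and keeping references in a private scope) run against the question's console.log wrapper. The helper names and the stand-in object used in place of window are assumptions made so the code runs in Node as well as in a browser; it also shows that pinning after another script has already replaced the function only pins the replacement.

```javascript
// Added example; every name below is illustrative, not taken from the page.
// Pin obj[key]: it can no longer be reassigned or redefined.
function pin(obj, key) {
  Object.defineProperty(obj, key, {
    value: obj[key], writable: false, enumerable: true, configurable: false,
  });
}

// True only for a data property that is non-writable and non-configurable.
function isPinned(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  return Boolean(d) && 'value' in d && !d.writable && !d.configurable;
}

// Constructed stand-in for `window`; log() records lines instead of printing.
function makeGlobal() {
  const sink = [];
  return { sink, console: { log: (...args) => { sink.push(args.join(' ')); } } };
}

// Module scope (what an IIFE gives you): a private reference taken at load time.
function loadModule(g) {
  const log = g.console.log;
  return { report: (msg) => log(msg) };
}

// The wrapper from the question, installed by plain assignment.
function tryHook(g) {
  'use strict'; // strict mode: writing a pinned property throws TypeError
  const oldLog = g.console.log;
  const wrapper = function (...args) { oldLog('CAPITURA'); oldLog(...args); };
  try { g.console.log = wrapper; } catch (e) { if (!(e instanceof TypeError)) throw e; }
  return g.console.log === wrapper ? 'hooked' : 'blocked';
}

// order: 'none' = never pin, 'first' = pin before the hook, 'late' = pin after it.
function demo(order) {
  const g = makeGlobal();
  const mod = loadModule(g);                 // loaded before anything else runs
  if (order === 'first') { pin(g, 'console'); pin(g.console, 'log'); }
  const result = tryHook(g);
  if (order === 'late') { pin(g, 'console'); pin(g.console, 'log'); }
  g.console.log('teste');                    // goes through the global
  mod.report('hp=10');                       // goes through the private reference
  return { result, pinned: isPinned(g.console, 'log'), output: g.sink };
}
```

demo('first') returns result 'blocked', while demo('late') returns 'hooked' with pinned true, so a descriptor check alone cannot tell whether the pinned function is the native one. In every case the line sent through the module's private reference reaches the original function unchanged.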
