R – Flash – FileReference, Upload multiple files at once

This is a classic problem with Internet games and contests. Your Flash code works with users to decide a score for a game. But users aren't trusted, and the Flash code runs on the user's computer. You're SOL. There is nothing you can do to prevent an attacker from forging high scores:

• Flash is even easier to reverse engineer than you might think it is, since the bytecodes are well documented and describe a high-level language (Actionscript) --- when you publish a Flash game, you're publishing your source code, whether you know it or not.

• Attackers control the runtime memory of the Flash interpreter, so that anyone who knows how to use a programmable debugger can alter any variable (including the current score) at any time, or alter the program itself.

The simplest possible attack against your system is to run the HTTP traffic for the game through a proxy, catch the high-score save, and replay it with a higher score.

You can try to block this attack by binding each high score save to a single instance of the game, for instance by sending an encrypted token to the client at game startup, which might look like:

hex-encoding( AES(secret-key-stored-only-on-server, timestamp, user-id, random-number))

(You could also use a session cookie to the same effect).

The game code echoes this token back to the server with the high-score save. But an attacker can still just launch the game again, get a token, and then immediately paste that token into a replayed high-score save.

So next you feed not only a token or session cookie, but also a high-score-encrypting session key. This will be a 128 bit AES key, itself encrypted with a key hardcoded into the Flash game:

hex-encoding( AES(key-hardcoded-in-flash-game, random-128-bit-key))

Now before the game posts the high score, it decrypts the high-score-encrypting-session key, which it can do because you hardcoded the high-score-encrypting-session-key-decrypting-key into the Flash binary. You encrypt the high score with this decrypted key, along with the SHA1 hash of the high score:

hex-encoding( AES(random-128-bit-key-from-above, high-score, SHA1(high-score)))

The PHP code on the server checks the token to make sure the request came from a valid game instance, then decrypts the encrypted high score, checking to make sure the high-score matches the SHA1 of the high-score (if you skip this step, decryption will simply produce random, likely very high, high scores).

So now the attacker decompiles your Flash code and quickly finds the AES code, which sticks out like a sore thumb, although even if it didn't it'd be tracked down in 15 minutes with a memory search and a tracer ("I know my score for this game is 666, so let's find 666 in memory, then catch any operation that touches that value --- oh look, the high score encryption code!"). With the session key, the attacker doesn't even have to run the Flash code; she grabs a game launch token and a session key and can send back an arbitrary high score.

You're now at the point where most developers just give up --- give or take a couple months of messing with attackers by:

• Scrambling the AES keys with XOR operations

• Replacing key byte arrays with functions that calculate the key

• Scattering fake key encryptions and high score postings throughout the binary.

This is all mostly a waste of time. It goes without saying, SSL isn't going to help you either; SSL can't protect you when one of the two SSL endpoints is evil.

Here are some things that can actually reduce high score fraud:

• Require a login to play the game, have the login produce a session cookie, and don't allow multiple outstanding game launches on the same session, or multiple concurrent sessions for the same user.

• Reject high scores from game sessions that last less than the shortest real games ever played (for a more sophisticated approach, try "quarantining" high scores for game sessions that last less than 2 standard deviations below the mean game duration). Make sure you're tracking game durations serverside.

• Reject or quarantine high scores from logins that have only played the game once or twice, so that attackers have to produce a "paper trail" of reasonable looking game play for each login they create.

• "Heartbeat" scores during game play, so that your server sees the score growth over the lifetime of one game play. Reject high scores that don't follow reasonable score curves (for instance, jumping from 0 to 999999).

• "Snapshot" game state during game play (for instance, amount of ammunition, position in the level, etc), which you can later reconcile against recorded interim scores. You don't even have to have a way to detect anomalies in this data to start with; you just have to collect it, and then you can go back and analyze it if things look fishy.

• Disable the account of any user who fails one of your security checks (for instance, by ever submitting an encrypted high score that fails validation).

Remember though that you're only deterring high score fraud here. There's nothing you can do to prevent if. If there's money on the line in your game, someone is going to defeat any system you come up with. The objective isn't to stop this attack; it's to make the attack more expensive than just getting really good at the game and beating it.

It is up to the browser but they behave in similar ways.

F5 usually updates the page only if it is modified. Modern browsers sends Cache-Control: max-age=0 to tell any cache the maximum amount of time a resource is considered fresh, relative to the time of the request.

CTRL-F5 is used to force an update, disregarding any cache. Modern browsers sends Cache-Control: no-cache and Pragma: No-cache

If I remember correctly it was Netscape which was the first browser to add support for cache-control by adding Pragma: No-cache when you pressed CTRL-F5.

┌───────────┬──────────────┬─────┬─────────────────┬──────────────────────────────┐
│ Version 4 │      F5      │  R  │      CLICK      │ Legend:                      │
│2021 MAY 19├──┬──┬──┬──┬──┼──┬──┼──┬──┬──┬──┬──┬──┤ C = Cache-Control: no-cache  │
│           │  │S │C │A │A │C │C │  │S │C │A │A │C │ I = If-Modified-Since        │
│           │  │H │T │L │L │T │T │  │H │T │L │L │T │ M = Cache-Control: max-age=0 │
│           │  │I │R │T │T │R │R │  │I │R │T │T │R │ N = Not tested               │
│           │  │F │L │  │G │L │L │  │F │L │  │G │L │ P = Pragma: No-cache         │
│           │  │T │  │  │R │  │+ │  │T │  │  │R │+ │ - = ignored                  │
│           │  │  │  │  │  │  │S │  │  │  │  │  │S │                              │
│           │  │  │  │  │  │  │H │  │  │  │  │  │H │ With 'CLICK' I refer to a    │
│           │  │  │  │  │  │  │I │  │  │  │  │  │I │ mouse click on the browsers  │
│           │  │  │  │  │  │  │F │  │  │  │  │  │F │ refresh-icon.                │
│           │  │  │  │  │  │  │T │  │  │  │  │  │T │                              │
│           │  │  │  │  │  │  │  │  │  │  │  │  │  │ 1: Version 3.0.6 sends I     │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤    and C, but 3.1.6 opens    │
│Brave 1.24 │M │CP│CP│- │- │M │CP│M │CP│CP│M │CP│CP│    the page in a new tab,    │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤    making a normal request   │
│Chrome 1   │MI│MI│MI│- │- │MI│- │MI│MI│MI│MI│MI│N │    with only I.              │
│Chrome 6   │MI│CP│CP│- │- │MI│CP│MI│CP│CP│MI│- │N │ 2: Version 10.62 does        │
│Chrome 90  │M │CP│CP│- │- │M │CP│M │CP│CP│M │CP│CP│    nothing. 9.61 might do C  │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤    unless it was a typo in   │
│Edge 90    │M │CP│CP│- │- │M │CP│M │CP│CP│M │CP│CP│    my old table.             │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤ 3: Opens the currernt tab in │
│Firefox 3.x│MI│- │CP│- │- │MI│CP│MI│CP│1 │M │MI│N │    a new tab, but does not   │
│Firefox 89 │M │- │CP│- │M │M │CP│M │CP│3 │M │M │3 │    refresh the page if it is │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤    cached in the browser.    │
│MSIE 8, 7  │I │- │C │- │I │I │  │I │I │C │I │I │N │                              │
├───────────┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┼──┤                              │
│Opera 10, 9│C │- │- │2 │- │C │- │C │C │C │C │- │N │                              │
│Opera 76   │M │CP│CP│- │- │M │- │M │CP│CP│M │CP│CP│                              │
├───────────┴──┴──┴──┴──┴──┴──┴──┴──┴──┴──┴──┴──┴──┴──────────────────────────────┤
│                    https://stackoverflow.com/a/385491/36866                     │
└─────────────────────────────────────────────────────────────────────────────────┘

Note about Chrome 6.0.472: If you do a forced reload (like CTRL-F5) it behaves like the url is internally marked to always do a forced reload. The flag is cleared if you go to the address bar and press enter.