Mirage Source
Security flaws in MS - Printable Version




Security flaws in MS - Joost - 19-01-2008

http://web.miragesource.com/forums/viewtopic.php?f=75&t=1500

So editing only client-side, you can walk through other players. Seems like a vulnerable thingy.


Also, I'll use this topic to tell you people you're dumb. I've seen people add really nice security to their game, encrypting all packets, and other shit. It's not necessary. If a server checks if all packets sent by the client make sense, you don't need any form of security. Security = waste of memory, bandwidth, etc. Proper server is all you need.


Re: Security flaws in MS - Robin - 19-01-2008

lol okay.


Re: Security flaws in MS - Coke - 19-01-2008

Joost Wrote:http://web.miragesource.com/forums/viewtopic.php?f=75&t=1500

So editing only client-side, you can walk through other players. Seems like a vulnerable thingy.


Also, I'll use this topic to tell you people you're dumb. I've seen people add really nice security to their game, encrypting all packets, and other [edit]. It's not necessary. If a server checks if all packets sent by the client make sense, you don't need any form of security. Security = waste of memory, bandwidth, etc. Proper server is all you need.

Well, just to point out a lot of us people can spell... also,

If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.


Re: Security flaws in MS - Rezeyu - 19-01-2008

How does security waste bandwidth?

Unless you have packets going back and forth to confirm things, it shouldn't use up any at all.

:roll:


Re: Security flaws in MS - Spodi - 19-01-2008

Depending on the security scheme, it can.


Re: Security flaws in MS - Dragoons Master - 19-01-2008

Just by encrypting your packets, they get very large (sure, it depends on the encryption method).


Re: Security flaws in MS - Spodi - 20-01-2008

I probably would never use any encryption on a packet that results in inflation. One example is XOR, which is probably also one of the fastest encryptions. Another is RC4 which is used in SSL and WEP. Though, of course, these are not as secure, but there are plenty others out there. But packet encryption is never something you want to worry about too much - even XOR will hold off tons of people. The most important thing about packet encryption is to randomize the packets so encrypting packet A twice will result in two different packets. This can be done with rotating keys, or if you want to add inflation, rotating salts.


Re: Security flaws in MS - Matt2 - 20-01-2008

I'm lost. Why is my tut here?


Re: Security flaws in MS - Spodi - 20-01-2008

I think it is because that tutorial shows that you can easily hack your position via purely the client.


Re: Security flaws in MS - Matt2 - 20-01-2008

Oh.

Server-side check, anybody?

Oh well, Joost doesn't understand. n.n

I did say this was a basis. Mine, PDoA's, uses a client/server check before anything is done. =]


Re: Security flaws in MS - Joost - 20-01-2008

Matt Wrote:Server-side check, anybody?

That's exactly my point. dumbass.

Quote:If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.
Server should check if person giving access has the proper authority.

Just like with walking, server should confirm the player is only moving once a second, to a nearby tile. Same with attacking. If server confirms EVERY packet possible, you can make your game open source, have no security at all and your game would be unhackable.
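
Added example (not from any poster and not Mirage Source code): the server-side checks described in the post above, written in Python. The `World` and `Player` classes, the `ADMIN_LEVEL` threshold and the reply strings are assumptions made for illustration; the occupied-tile check covers the walk-through-players case from the first post.

```python
import time
from dataclasses import dataclass

MOVE_INTERVAL = 1.0   # seconds between accepted moves ("once a second" in the post)
ADMIN_LEVEL = 4       # hypothetical access level required to grant access

@dataclass
class Player:
    name: str
    x: int
    y: int
    access: int = 0
    last_move: float = float("-inf")

class World:
    def __init__(self, width, height):
        self.width, self.height = width, height
        self.players = {}

    def add(self, player):
        self.players[player.name] = player

    def occupied(self, x, y):
        return any((p.x, p.y) == (x, y) for p in self.players.values())

    def handle_move(self, name, x, y, now=None):
        """Accept a move only if the server's own state says it is legal."""
        now = time.monotonic() if now is None else now
        p = self.players[name]
        if now - p.last_move < MOVE_INTERVAL:
            return "rejected: too fast"
        if abs(x - p.x) + abs(y - p.y) != 1:
            return "rejected: not an adjacent tile"
        if not (0 <= x < self.width and 0 <= y < self.height):
            return "rejected: off map"
        if self.occupied(x, y):
            return "rejected: tile occupied"
        p.x, p.y, p.last_move = x, y, now
        return "ok"

    def handle_give_access(self, sender, target, level):
        """Authority comes from the sender's server-side record, never the packet."""
        s, t = self.players[sender], self.players.get(target)
        if s.access < ADMIN_LEVEL:
            return "rejected: sender lacks authority"
        if t is None or not (0 <= level <= s.access):
            return "rejected: bad target or level"
        t.access = level
        return "ok"
```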


Re: Security flaws in MS - Coke - 20-01-2008

Joost Wrote:
Matt Wrote:Server-side check, anybody?

That's exactly my point. [edit].

Quote:If I send a packet to the server triggering the giveaccess event procedure, how can the server figure out if that's dumb or not? It's in the game so it makes sense.
Server should check if person giving access has the proper authority.

Just like with walking, server should confirm the player is only moving once a second, to a nearby tile. Same with attacking. If server confirms EVERY packet possible, you can make your game open source, have no security at all and your game would be unhackable.

That's not true at all, since all of these servers (that I have played thus far) can get boned just by sending a slightly different acc create packet.


Re: Security flaws in MS - Rezeyu - 20-01-2008

Just make sure everything is numeric or string as it's supposed to be, and that each packet contains the right number in the parse array.

If either fails, kick them.
That's how mine are set up.
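
Added example (not from any poster and not Mirage Source code): the structural check described in the post above, in Python, rejecting any packet whose framing, field count or field types do not match a per-packet schema. The delimiter bytes, `MAX_PACKET`, the packet names and the schemas are constructed for illustration; the caller is expected to drop the connection on `BadPacket`.

```python
SEP, END = b"\x00", b"\xed"   # constructed placeholder separator / terminator bytes
MAX_PACKET = 512              # hypothetical upper bound on one packet

# Packet name -> one (kind, low, high) per field: value range for "int",
# length range for "str". Names and limits are assumptions.
SCHEMAS = {
    "newaccount": [("str", 3, 20), ("str", 3, 20)],   # login name, password
    "playermove": [("int", 0, 3), ("int", 1, 2)],     # direction, movement mode
}

class BadPacket(Exception):
    """Raised for any packet that fails validation."""

def parse_packet(raw: bytes):
    # Framing: bounded size, exactly one terminator, and it must be last.
    if len(raw) > MAX_PACKET or not raw.endswith(END) or raw.count(END) != 1:
        raise BadPacket("bad framing")
    parts = raw[:-1].split(SEP)
    try:
        name = parts[0].decode("ascii").lower()
        fields = [p.decode("ascii") for p in parts[1:]]
    except UnicodeDecodeError:
        raise BadPacket("non-ASCII data")
    schema = SCHEMAS.get(name)
    if schema is None:
        raise BadPacket("unknown packet")
    if len(fields) != len(schema):
        raise BadPacket("wrong field count")
    out = []
    for value, (kind, lo, hi) in zip(fields, schema):
        if kind == "int":
            # Plain decimal digits only, so signs, blanks and huge values never reach int().
            if not (value.isdigit() and len(value) <= 9):
                raise BadPacket("not numeric")
            number = int(value)
            if not lo <= number <= hi:
                raise BadPacket("out of range")
            out.append(number)
        else:
            if not (lo <= len(value) <= hi and value.isalnum()):
                raise BadPacket("bad string")
            out.append(value)
    return name, out
```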


Re: Security flaws in MS - Joost - 20-01-2008

Fox Wrote:That's not true at all, since all of these servers (that I have played thus far) can get boned just by sending a slightly different acc create packet.

And that's why you should double-check all packets server-side. Like the guy above me said.


Re: Security flaws in MS - Coke - 20-01-2008

If you send a 9 byte sep char end char thingie the server goes nuts. Don't ask me why, but it does =P


Re: Security flaws in MS - Matt2 - 20-01-2008

I like how I'm a target.

And how Joost is a royal prick.

At any rate, I don't care. It's not like any of you play PDoA.

Problem solved.


Re: Security flaws in MS - Joost - 20-01-2008

The tutorial wasn't bad. It was just a way of showing a security flaw without even downloading MS. Not your mistake. And my complaint was valid. You can act like a 13 yo, and turn away, or you can go do something useful and increase your game's security.

Even though I'm a prick, I'm right often. Go deal with it.


Re: Security flaws in MS - Coke - 20-01-2008

Joost Wrote:Even though I'm a prick, I'm right often. Go deal with it.

Well, you're half right :roll:


Re: Security flaws in MS - Matt2 - 22-01-2008

Quid?

I'm confused. Why am I still a target here?

Dude, grow a penis. And some balls.

You're seriously just acting like a big baby here.

Go point out flaws in the hundreds of other tuts that exist.

Honestly. You're annoying,


Re: Security flaws in MS - Joost - 22-01-2008

Matt Wrote:Quid?

I'm confused. Why am I still a target here?

Dude, grow a penis. And some balls.

You're seriously just acting like a big baby here.

Go point out flaws in the hundreds of other tuts that exist.

Honestly. You're annoying,
You made yourself a target by being a crying little fag.

Point out flaws in other tutorials? There was no flaw in the fucking tutorial, you stupid moron. I've told you that before, idiot. The security issues have NOTHING to do with your tutorial. Stop thinking like a fucking monkey. You're an inferior being. Humans evolved thousands of years ago, so you should too.

Considering I didn't try to dodge the swear filter, I assume this post won't get deleted because of harsh language.


Re: Security flaws in MS - Robin - 22-01-2008

No, but the thread has gone far enough.