Security Consequences of using Eval in a Simple Browser Game

Discussion in 'Javascript/Plugin Support' started by Tsukihime, Oct 21, 2015.

  1. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    Given that damage formulas and script calls have been brought over from previous RMs, they probably use eval to run them.


    If they don't, then that would be great, but some people might still want to use eval to, for example, take arbitrary JavaScript and run it.


    Previously, most games were run strictly offline on your own computer, so even if you sent malicious code, you couldn't do much.


    Now that we can deploy browser games hosted on remote servers, does eval become a real security problem?


    Update


    As some have pointed out, MV by default is designed to strictly be client-only.


    The only time when you would actually communicate with a server is when you need to download some resources. But other than that, you wouldn't be sending data to the server for it to process. In this environment, eval does not pose a security risk to the server because the server basically never touches any evals.


    The client, on the other hand, may be exposed to an attack if someone else (other than the game developers) decides to execute code on their computer.
     
    Last edited by a moderator: Oct 22, 2015
    #1
    Artificer likes this.
  2. Hudell

    Hudell Dog Lord Veteran

    Messages:
    3,316
    Likes Received:
    2,931
    Location:
    Brazil
    First Language:
    Portuguese
    Primarily Uses:
    RMMV
    If you deploy browser games, people don't need eval to run code in your game, they can just open the browser console and type anything they want.
     
    #2
  3. Andar

    Andar Veteran Veteran

    Messages:
    28,318
    Likes Received:
    6,437
    Location:
    Germany
    First Language:
    German
    Primarily Uses:
    RMMV
    It depends on how the engine was implemented - the previous EVAL couldn't become a problem, not only because it was offline but also because the developer was the only person who could enter something into the damage formula - and if he wanted to enter malicious code, it would have been easier to do that in the script editor.


    So the question is: can the player enter something into eval from the playing area?


    If there is no way to enter anything into EVAL, then there is no problem.
     
    #3
    Engr. Adiktuzmiko likes this.
  4. Zalerinian

    Zalerinian Jack of all Errors Veteran

    Messages:
    4,695
    Likes Received:
    922
    Location:
    The Internet.
    First Language:
    English
    Primarily Uses:
    N/A
    The main problem with eval and security comes in where your game is connected to an online service. If it's just a plain, MV-only (meaning just the base scripts) game, then eval has very few security implications. It's still all tied down to the local user's browser. The trouble comes from when you have online systems tied in. As Hudell said, really you don't even need eval given that you can directly interact with the game via the dev console, but eval can be much more dangerous with the online systems. Users can find a way to send in malformed, or even maliciously formed, data that gets fed through the servers and causes problems.

    Of course, if you have a game that uses online systems, security is a big point for you to keep up with. Take a basic leaderboard system, for example. If, in the creator's infinite wisdom, the script sent the SQL command to the server itself, someone could very easily pass in a command to drop all the tables. Even if it just sent data to be placed inside of a prepared SQL query, if it wasn't properly escaped, it could do the same thing.
     
    #4
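The leaderboard submission described in the post above, as an added example that is not code from the thread or from any poster: the query is first built the way the post warns against (player input spliced into the SQL text), then as a parameterised query whose statement text is a constant and whose player data travels separately. No database is involved; the `{text, values}` shape is what drivers such as node-postgres accept, and the player names, scores and the `leaderboard` table are constructed for the example.

```javascript
// Added example (not from the thread): two ways to build a leaderboard insert.
// Table name, player names and scores are constructed for the example.

// Vulnerable shape: the player-controlled name becomes part of the statement text,
// so the name can change the structure of the SQL the database parses.
function buildScoreQueryUnsafe(playerName, score) {
  return "INSERT INTO leaderboard (name, score) VALUES ('" + playerName + "', " + score + ")";
}

// Hardened shape: validate the input, then bind it as a parameter. The statement
// text is a constant; the name can contain anything and never touches it.
function buildScoreQuerySafe(playerName, score) {
  if (typeof playerName !== "string" || playerName.length === 0 || playerName.length > 32) {
    throw new RangeError("player name must be 1-32 characters");
  }
  if (!Number.isInteger(score) || score < 0 || score > 1000000) {
    throw new RangeError("score must be an integer in 0..1000000");
  }
  return {
    text: "INSERT INTO leaderboard (name, score) VALUES ($1, $2)",
    values: [playerName, score],
  };
}

// A rough stand-in for the database's parser: true when every single-quoted
// literal is closed and no statement separator appears outside a literal. It
// exists only to make visible how the unsafe builder lets data alter the statement.
function isSingleWellFormedStatement(sql) {
  let inLiteral = false;
  for (const ch of sql) {
    if (ch === "'") {
      inLiteral = !inLiteral;
    } else if (ch === ";" && !inLiteral) {
      return false; // the text would be read as more than one statement
    }
  }
  return !inLiteral;
}

// Usage: an apostrophe in an ordinary name is enough to break the unsafe query,
// while the parameterised form carries the same name untouched as data.
console.log(isSingleWellFormedStatement(buildScoreQueryUnsafe("O'Brien", 900))); // false
console.log(buildScoreQuerySafe("O'Brien", 900)); // values: [ "O'Brien", 900 ]
```

The validation in the safe builder is not what stops injection (the binding does that); it is there because the server should also refuse values that make no sense for a score, which is the same point Hudell makes later about not accepting arbitrary client data.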
  5. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    So glad you came to the right place. Many people here have interesting answers and amazing advice, here's mine. DON'T USE IT, got it? Good. Why, Adam, why? Let Professor Adam teach you :D

    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

    Specifically: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Don't_use_eval_needlessly!

    But all you did was link me, I don't want to read EDUCATE ME!!!!!!!

    eval() can be used, as it states, to execute JavaScript code on the fly. This means that I can intercept the string or piece of code, hack your computer, get your IP, destroy your server or even wipe out your database. It's the same reason we do not do user authentication in JavaScript or send API keys over JavaScript. eval is dangerous.

    Considering Yanfly or Yami gives us console access, yes, yes they can, if you, the developer, don't take care to remove debug ability before releasing. Consider this, my young JavaScript learner:

    I built a game. I am god. You open the console via the debug menu, give yourself gold, weapons, armor - ya, you broke the game. Access to the console on your machine via my game doesn't break the game for others. Now imagine you made an MMO, you host on the webs :DDDDDDD You're using eval to do some database stuff. I intercept, oops, there goes your database, your game's down.

    Welcome to eval. Don't...use...it....ever... Unless you've read the docs and you know what you're doing. Eval is like playing with sulfuric acid above your eyeball. Yes, there is a time and a place to use it, but no, you should not be using it all willy-nilly.
     
    #5
  6. Zalerinian

    Zalerinian Jack of all Errors Veteran

    Messages:
    4,695
    Likes Received:
    922
    Location:
    The Internet.
    First Language:
    English
    Primarily Uses:
    N/A
    I understand this was mostly an exaggeration, but even if this were to happen the developer console in the browser is a more powerful tool than eval, and can be used to do worse.

    While I do agree that eval should be avoided, I have myself used Function(str) to create a function from a string, in order to supplement the lack of procs in JS, as I used them in several scripts as configuration options. Since they're essentially eval calls that can be recalled, and with different arguments, what about the security implications of that?

    For example,

    Code:
    var str = "return 1;";
    var func = Function(str); // builds function () { return 1; }
    func(); // => 1
     
    #6
  7. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    So as long as my database methods are properly sanitized, I don't need to worry about someone using eval to attack me.


    Eval itself shouldn't be an issue here because people don't usually use eval to create query strings anyways (I don't know, I'm being optimistic here)


    It also seems like anything that's strictly client-based and does not get sent to the server is also safe from eval. You wouldn't be able to attack a server or database just because one of your armors is evaluating a formula that does not require any interaction with the server.
     
    Last edited by a moderator: Oct 21, 2015
    #7
  8. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    Yes and no. JavaScript can connect directly (Node) to a database. You have to be super careful. Through an API to a server, yes, you are protected again, as long as you know what you're doing.

    Ahem: "The eval() method evaluates JavaScript code represented as a string." Node JS is JavaScript. Look at the danger I can do. Oh, you're an MMO? Ok great, so I intercepted the eval call and now the big bad is dead and everyone gets 5x trillion gold and we're all elitists and you're scum. (I am using this as an example, no you are not scum.)

    Have you worked with APIs? I have, I develop them. I use them. I send your data to the server for my server to process. You could argue that on the server I should know what to do and you are right, but: Johnny Hacker Bot intercepts, there goes your Visa number and security code ... Now he's buying pron (yes, I spelt pron) on your mommy's Visa card ... 

    Ok: get me the armor of +500 str, also DDOS the server ..... btw ...... ya........

    None of this was supposed to come across douchey. It's to teach you that eval in JavaScript can be intercepted, can bring down your server, DB or anything else. Be VERY careful with eval()
     
    #8
  9. Dr.Yami

    Dr.Yami 。◕‿◕。 Developer

    Messages:
    994
    Likes Received:
    736
    Location:
    Finland
    First Language:
    Vietnamese
    Primarily Uses:
    Other
    Well, if we don't touch anything server-side, eval is not that bad in security matters; however, it does matter in performance. If we only call some evals, it doesn't matter; but if we call evals in an update method, the resources (CPU, memory) will be eaten horribly. Anyway, it's best to avoid eval if we don't really need it. There are some alternatives for eval in JavaScript:

    Code:
    // call a method by name instead of eval('obj.' + method + '()')
    obj[method].call(obj); // same as obj.method()
    Code:
    // compile the expression once, then call the resulting function
    var newEval = new Function('return ' + evalText + ';'),
        result = newEval();
     
    Last edited by a moderator: Oct 21, 2015
    #9
    Yanfly likes this.
  10. Hudell

    Hudell Dog Lord Veteran

    Messages:
    3,316
    Likes Received:
    2,931
    Location:
    Brazil
    First Language:
    Portuguese
    Primarily Uses:
    RMMV
    Well, the server should also know that it can't just accept a "deal 50000 damage" command. The server should only accept commands like: "Player clicked on the monster" and then it decides on its own what that click would do.

    If the server is well designed, the only thing someone would be able to create would be a bot.

    Your example would cause the same issue, unless it is done outside the update method and only called from inside it.
     
    #10
  11. Dr.Yami

    Dr.Yami 。◕‿◕。 Developer

    Messages:
    994
    Likes Received:
    736
    Location:
    Finland
    First Language:
    Vietnamese
    Primarily Uses:
    Other
    The second alternative is mostly for performance; it does better if we store the new function and call it later. It will take some memory but wouldn't be much, and it can be freed after use.
     
    #11
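Zalerinian's question about Function(str) (#6) and Dr.Yami's "store the new function and call it later" (#9, #11) come down to the same piece of code. As an added example that is not from the thread or from RPG Maker MV's own sources: a small cache that compiles each damage-formula string once with `new Function` and reuses the compiled function on every later evaluation, so an update loop never pays the compile cost twice. The trust boundary is unchanged by this: `new Function` runs its string with exactly the authority `eval` has, so the formula text must come from the developer's own database, never from another player or from anything received over the network. The `a`, `b`, `v` parameter names follow MV's damage-formula convention; the battler objects and formula strings below are constructed for the example.

```javascript
// Added example (not from the thread or from RPG Maker MV): compile-once cache
// for damage formulas. Battlers, variables and formulas are constructed samples.

const formulaCache = new Map(); // formula text -> compiled function
let compileCount = 0;           // how many times the compiler actually ran

// Turns "a.atk * 4 - b.def * 2" into function (a, b, v) { return (...); } the
// first time the text is seen; later calls return the cached function.
// The string is trusted developer data: this has eval's authority.
function compileFormula(formula) {
  if (typeof formula !== "string") throw new TypeError("formula must be a string");
  let fn = formulaCache.get(formula);
  if (fn === undefined) {
    fn = new Function("a", "b", "v", "return (" + formula + ");");
    formulaCache.set(formula, fn);
    compileCount += 1;
  }
  return fn;
}

// Evaluates a formula for user a, target b and game variables v, with the
// tolerant behaviour a battle engine needs: a formula that fails to compile,
// throws, or yields NaN/Infinity counts as 0, and negative results clamp to 0.
function evalDamage(formula, a, b, v) {
  try {
    const value = compileFormula(formula)(a, b, v);
    return Number.isFinite(value) ? Math.max(0, Math.floor(value)) : 0;
  } catch (e) {
    return 0; // bad formula text is a content bug, not a reason to crash the battle
  }
}

// Constructed sample battlers and game variables (v[1] == 2).
const hero = { atk: 10, def: 4 };
const slime = { atk: 3, def: 5 };
const vars = [0, 2];

// An update-loop style caller: the formula is evaluated every frame but compiled
// only on the first one, which is the performance point made in the thread.
function simulateFrames(frames) {
  let total = 0;
  for (let i = 0; i < frames; i++) {
    total += evalDamage("a.atk * 4 - b.def * 2 + v[1]", hero, slime, vars);
  }
  return total;
}

console.log("60 frames of damage: " + simulateFrames(60) + ", compiles: " + compileCount);
```

Freeing the memory Dr.Yami mentions is a matter of `formulaCache.delete(formula)` or `formulaCache.clear()` once a battle ends; the cache holds only compiled functions, so it stays small.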
    Yanfly likes this.
  12. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    .call adds a lot of complexity that you don't need. Creating your own eval method is not recommended, especially if you don't understand eval as a function already.

    For example, with .call

    Code:
    var animals = [
      { species: 'Lion', name: 'King' },
      { species: 'Whale', name: 'Fail' }
    ];
    for (var i = 0; i < animals.length; i++) {
      (function(i) {
        this.print = function() {
          console.log('#' + i + ' ' + this.species + ': ' + this.name);
        };
        this.print();
      }).call(animals[i], i);
    }
    // Taken from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/call#Using_call_to_invoke_an_anonymous_function
    I cannot see a need for this inherent complexity when you are passing animals as the function argument for i. It doesn't add any benefit and just adds complexity where it isn't needed.

    Don't add complexity where it's not clearly needed. Keep your code readable and clean.

    No ... The server takes a set of params and evaluates based on those params what should happen. In this example this jazz would happen on the client side and end up updating the server at the end. The server is only responsible for fetching enemy health, player health - storing them in a state and updating the state. After the battle, win or lose, you send that information to the server to find out ok you get X or you get game over.

    See above statement, welcome to API design and stateless design.

    Again, sending info to the server would be something like: "fetch my character's current state" or "put my character's current state". It's in the instance of putting the state that you can do damage; for example, if you are leveling up you send to the server the "level up" information, the server then (if designed properly) only accepts the fact that "you leveled up" and handles everything else there.

    In other words, eval is never to be used. Key word: never. JavaScript should update a state, set a state, get a state, send a state - all should be very carefully monitored and managed by the client application - Key word: state. Never edit the main variable or object, always edit a copy. This way if something is duped or malformed you can check the validity of the state and throw an error.

    This is why the concept of mutability plays into hand; it uses a bit more memory but also keeps the current state clean from the "edited" state. Once validated and cleaned up, the states are compared, the old is updated with the new and the UI updates. (See React JS)

    In this case using a bit more memory to do something like this is highly recommended.
     
    #12
  13. Yanfly

    Yanfly Developer

    Messages:
    1,696
    Likes Received:
    2,318
    RPG Maker MV games played on browsers (by default) are still client side. Eval won't become a security problem.

    If there's any consequence of eval, it'd be like what Yami said, it takes a toll on performance if used too much and unwisely.

     

    Console access is only given during test play. The console loaded by plugin doesn't appear after deployment or during non-test play. However, should you decide to put your game up on a browser, the console is easily accessed by simply pressing F12 on Firefox or Chrome.

    As for eval, it's one of the most useful tools out there, especially when nearly every RPG Maker game uses eval in one form or another or even both. And like I said, RPG Maker MV by default is client-sided. Whatever you do with eval does not affect the server. The only harm in using eval needlessly is a hit on the game's performance.
     
    Last edited by a moderator: Oct 21, 2015
    #13
    Tsukihime and Harold Ållaberg like this.
  14. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    How do you propose to connect to my database on your end, using eval?

    I don't understand what you mean. NodeJS is javascript, yes. So are the rest of the scripts.


    How does that make my server vulnerable to attack because you can load up nodeJS in your browser?


    Please clarify.

    Not sure what you mean, or how that is relevant.


    Please clarify.

    That can be done without the dev using an eval call in their plugins.


    Doesn't make eval less secure.

     
    For strictly client-based games, I now understand why eval isn't that big of a deal since the amount of damage you could do is limited to yourself.


    However, I'm sure at some point we will start seeing games that run on client-server models, or perhaps p2p models, where eval may pose risks.
     
    Last edited by a moderator: Oct 21, 2015
    #14
    Harold Ållaberg likes this.
  15. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    Consider the following example: Javascript -> Json -> Your Applications API POST/PUT/DELETE method -> Process Data -> Send to Database

    It's in the process database you send back relevant errors. At this stage you process user "input". As stated before, you would not send back every instance of user input; in the example of a battle, you would send back data that is collected via states.

    Specific libraries, mostly written in Node, can connect directly to the database - if you don't know what you're doing, well, it's easy to be hacked. JavaScript is also not closed; that is, unlike my example of an API, you can intercept and see exactly what's going on at all times.

    Care to show some example code where I DON'T need a console or eval to hack the system to get me elite status, in this case armour? Maybe you could teach me a new trick I don't already know.
     
    Last edited by a moderator: Oct 21, 2015
    #15
  16. Hudell

    Hudell Dog Lord Veteran

    Messages:
    3,316
    Likes Received:
    2,931
    Location:
    Brazil
    First Language:
    Portuguese
    Primarily Uses:
    RMMV
    I'm used to API / stateless design as I do it quite often at work, but those do not apply to game development. In an MMO, everything must be done on the server. The client should only handle input and output.
     
    #16
    Harold Ållaberg likes this.
  17. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
    Ok let's say you sent some state information to the server.


    What would be some examples of what the server will be eval'ing that would become an exploit?


    Or an easier case, let's say you used a skill and the damage formula is being evaluated since that is how it's implemented.


    What information would the client be sending that would allow you to successfully attack the database?

    Yes, I agree, if you don't know what you're doing, it's easy to be hacked.
    I assumed your point about API was somehow related to the quote and was confused.

    If you're playing a browser game, you will likely have access to a console. If you want to assume that a console does not exist, well, that's not a realistic situation.
    DDOS'ing a server requires neither a console nor eval's in the engine.
     
    Last edited by a moderator: Oct 21, 2015
    #17
  18. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    Off topic. 

    Off topic. Player's health is a state, you update it with damage from a skill, damage is fetched from a server. The damage is validated, then applied. The state is updated, reflected in the UI and then the new health is sent to a server (exploit?: catch the new health mid-sending, update the health to be +500, server just stores health in database, character goes from 5 to 0 from skill damage to magical 500 ...)

    Obviously, but you should have some kind of state that cannot be manipulated via the console and is only updated by the application, validated and then sent to the server (for more validation of course)

    Again, all of this is off topic, I am ending all conversation on APIs, hacking or otherwise. Please read the eval documentation and if you have questions related to that I will for sure help you :D
     
    #18
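Hudell's design rule (#10, #16: the server accepts "player clicked on the monster", not "deal 50000 damage", and an MMO computes everything server-side) and the intercepted "new health" scenario in the post above are two views of the same defence. As an added example that is not code from the thread or from any poster: a server-side message handler in which the client may only report intent ("use skill X"); the server owns the battle state, looks the skill up in its own data, computes the outcome and decides the reward, so a message that tries to push a result ("my hp is now 500") is refused as a whole and has nowhere to land. The skill table, session record and message format are constructed for the example.

```javascript
// Added example (not from the thread): a server-authoritative battle handler.
// Skill table, session shape and message format are constructed for the example.

// Skill data lives on the server; the client never supplies damage or heal amounts.
const SKILLS = {
  strike: { target: "monster", power: 12 },
  heal: { target: "player", power: -10 },
};

// The only keys a useSkill message may carry. A message carrying anything else
// (hp, gold, damage) is a client trying to dictate state and is rejected whole.
const ALLOWED_KEYS = new Set(["type", "skill"]);

// Authoritative state for one session (constructed sample values).
function newSession() {
  return { player: { hp: 50, maxHp: 50, gold: 0 }, monster: { hp: 30 } };
}

// Allow-list validation: right type, no extra keys, skill exists on the server.
function validateMessage(msg) {
  if (msg === null || typeof msg !== "object") return false;
  if (msg.type !== "useSkill") return false;
  if (Object.keys(msg).some((k) => !ALLOWED_KEYS.has(k))) return false;
  return Object.prototype.hasOwnProperty.call(SKILLS, msg.skill);
}

// Applies one client message to the server-held session. Returns the session to
// store and a result code; a rejected message returns the original session
// object untouched, so the caller can tell that nothing changed.
function handleMessage(session, msg) {
  if (!validateMessage(msg)) return { session, result: "rejected" };
  if (session.monster.hp === 0 || session.player.hp === 0) {
    return { session, result: "rejected" }; // battle already over
  }
  const skill = SKILLS[msg.skill];

  // Work on a copy so a half-applied update never reaches the stored state
  // (the copy-then-validate approach described in the thread).
  const next = JSON.parse(JSON.stringify(session));
  const target = next[skill.target];
  target.hp = Math.max(0, target.hp - skill.power);
  if (skill.target === "player") target.hp = Math.min(target.hp, next.player.maxHp);

  // The server, not the client, decides what a win is worth.
  if (next.monster.hp === 0) next.player.gold += 10;
  return { session: next, result: next.monster.hp === 0 ? "victory" : "ok" };
}

// Folds a sequence of client messages into one session; handy for tests and
// for replaying a stored message log.
function runBattle(session, messages) {
  const results = [];
  for (const msg of messages) {
    const out = handleMessage(session, msg);
    session = out.session;
    results.push(out.result);
  }
  return { session, results };
}

// Usage: three strikes defeat the 30 hp monster; a message that also tries to
// push "hp: 500" is refused and leaves the stored state alone.
const demo = runBattle(newSession(), [
  { type: "useSkill", skill: "strike" },
  { type: "useSkill", skill: "strike" },
  { type: "useSkill", skill: "strike" },
  { type: "useSkill", skill: "strike", hp: 500 },
]);
console.log(JSON.stringify(demo)); // results: ["ok","ok","victory","rejected"]
```

With this shape, intercepting and rewriting the client's traffic buys nothing but a different intent, which is Hudell's point that the worst a well-designed server allows is a bot.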
  19. Tsukihime

    Tsukihime Veteran Veteran

    Messages:
    8,230
    Likes Received:
    3,060
    Location:
    Toronto
    First Language:
    English
     
    So basically none of what you said in the last 2 posts has anything to do with eval?


    I was under the assumption that you were giving scenarios where eval's will lead to terrible things.
     
    Last edited by a moderator: Oct 21, 2015
    #19
  20. DarknessFalls

    DarknessFalls Rpg Maker Jesus - JS Dev. Veteran

    Messages:
    1,393
    Likes Received:
    209
    First Language:
    English
    It got derailed. Please read the docs and if you have any question I'd be more than happy to help. :D
     
    #20
