Having my school quiz getting sabotaged

#1  martincodes (Registered User, Devshed Newbie, joined Jul 2013)


    Me and some friends are creating a quiz in java, it has gone really well actually. Although, we are facing problems here and there.

    function updateScore() {
        // l(), d(), s() and billingscore are defined elsewhere in the quiz script
        // and are not included in the post.
        score = 0;
        for (var x = 1; x <= 5; x++) {
            if (l('quest1' + x) != 0) { score = score + 1; }
            else { score = score - 1; }
        }
        for (var x = 1; x <= 3; x++) {
            if (l('quest2' + x) != 0) { score = score + 1; }
            else { score = score - 1; }
        }
        if (l('quest3') != 0) { score++; }
        else { score--; }

        score = score + billingscore;
        if (l('postcode') != 0) { score++; }
        else { score--; }
        if (d('email') && l('email') != 0) { score++; }
        // ... (remainder of the function not included in the post)
    }

    So for this one, it's three questions that should match the actual answers. This will give a total of 3 points if all are correct.
    The green lines & elements are where they should add their postcodes in the correct country match, pretty confusing though. If the codes are close to the match, or even exact, points are earned.

    These are the last lines which decides if the user has enough score.

    // (the first branch of this if/else chain is not included in the post)
    else if (score < 0) {
        condition = 'Poor';
        s('update').color = 'black';
        s('summaryf').border = '1px solid black';
    }
    else if (score > 11.5) {
        condition = 'Good';
        s('update').color = 'cyan';
        s('summaryf').border = '1px solid cyan';
    }

    People have somewhat managed to bypass my small security.
    Recently everyone has managed to max their points to 11.5 and they automatically "win our grand prize".
    I believe they lure the system into saying that their answer is the correct answer, so my system sees it as the correct actual answer. Thereby, without knowing the answer, they still manage to get the points per question (textbox).
    Hope you understand.

    This started as a school project but turned more advanced & fun.

    Best regards,
    Martin
#2  MrFujin (Lord of the Dance, Devshed Expert, joined Oct 2003)
    Originally Posted by martincodes
    Me and some friends are creating a quiz in java,
    Think you mean JavaScript?

    But the first rule with JavaScript is that it cannot be trusted.
    It is possible for the user to read, change or even omit/skip the JavaScript.

    If you have posted any answer in the JavaScript, then you have given them the answers yourself.
#3  martincodes (Registered User, Devshed Newbie, joined Jul 2013)
    Originally Posted by MrFujin
    Think you mean JavaScript?

    But the first rule with JavaScript is that it cannot be trusted.
    It is possible for the user to read, change or even omit/skip the JavaScript.

    If you have posted any answer in the JavaScript, then you have given them the answers yourself.
    Yes, JavaScript, my bad!

    The answers are not in the JavaScript itself; they are in a different PHP database.

    Best regards,
    Martin
#4  Jacques1 (Devshed Expert, joined Jul 2012)
    Hi,

    the problem is that you don't understand how websites work -- like many people.

    How you've set up your pages or what JavaScript you wrote does not matter. It's completely irrelevant. It's a fancy façade for people to look at, nothing more.

    The question is what your server does and how it reacts to input. Does your server simply believe me if I tell it that I got so and so many points? Well, then I'm gonna tell your server that I have 10,000 points. I don't even need a browser for this. I simply go to the command line and send your server a message with this score. That's it, I just won your prize.

    Again: The JavaScript code on your page does not bother me in any way. I won't even open the browser to visit your website. I simply send an HTTP request to your server, and then I'll get the prize.

    The only way to prevent this is to check the answers and calculate the score on the server. When a user visits your website, you start a session, you create a session variable for the score, and then you wait for the answers to the question. For every correct answer you increment the score in the session. And at the end, you check the total score.

    This does not prevent cheating. People can simply repeat the test or share the correct answers. But a session at least forces your users to actually send answers rather than just making up their own score.

    So you need to remove all score stuff from the JavaScript and put it into the PHP script. In fact, you need no JavaScript at all. The only reason to use it would be to make the site prettier or more comfortable. You can't use JavaScript for anything important.
#5  CSS & JS/DOM Adept (Devshed Supreme Being, joined Jul 2004)
    As Jacques1 said, all critical calculations (as in results someone may want to fake) need to be performed on the server, even if you do them with JavaScript in the browser.

    Originally Posted by Jacques1
    You can't use JavaScript for anything important.
    Please try to avoid making sweeping statements like that which are so easily taken outside of the context of this discussion of a particular script.
#6  martincodes (Registered User, Devshed Newbie, joined Jul 2013)
    I am truly grateful for that answer, Jacques1; it gave me a quick understanding of JavaScript.
    From what I see now, I was totally lost.

    The quiz was designed to teach me coding, and your words pretty much cleared so much for me.

    Thanks a lot!
