Skip to content

Instantly share code, notes, and snippets.

View zmunro's full-sized avatar

Zachary Munro zmunro

View GitHub Profile

Bypassing a Browser Game's Client-Side Security

Not long ago, I used to play a real-time multiplayer browser game called TagPro. The architecture is fairly standard for real-time multiplayer games. The browser opens a websocket connection to a server and user input is sent over the open connection. The server runs all the game logic and sends the game state to each browser several times a second.

Client-Side Security

There are two separate versions of the JavaScript bundle that powers the TagPro client: a competitive version with client-side security and a casual version without. A toggle in private games enables the competitive version. The JavaScript for TagPro's competitive scene has a few security measures in place to prevent third-party script execution. The first security measure is not exposing the game object globally by wrapping the game.js bundle in a self-executing function:

(function init() {
  // game.js
  var tagpro = {
 ...
@mchow01
mchow01 / cyber_security_skills_shortage.md
Last active February 20, 2024 06:17
How long we have been playing this "cyber security skills shortage" game for?