10 Sep 2008 @ 6:09 PM 

A friend of mine just sent me the URL to a flash game (for obvious reasons I will not share the link) which is part of a number of games with a prize of 10.000 EUR at the end. One would believe that a game with such prize money is secure. Especially when the organising party is an internet provider.

But guess what… At the end of the flash game you can optionally submit your score to the highscore server, which results in a POST to the file submithigh.php with several parameters, one parameter saying score=XXXX. And of course you can submit whatever score you want. So now I lead the highscore with 10000 of about 900 possible points. I set it that high to ensure that the guys at the ISP will realize that this is faked, but imagine I had just increased the current highscore by 10. I seriously doubt anyone would have noticed and I would have won the competition without even decompiling the flash.

[ Original Post From php-security.org ]

======
Even simple mistakes can cause a lot of trouble.
Think if all the top scores on every game were hacked to show obscene comments!
It’s best to try and think like a hacker when creating public content ;)
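The post describes the classic failure: the server accepts whatever `score` the client POSTs to `submithigh.php`. Below is an added example of the server-side checks a highscore endpoint should do instead; it is not code from the post, from php-security.org, or from the ISP in question. It assumes a server-issued, HMAC-signed session token carried in constructed `session` and `mac` parameters, a score cap of 900 (the post says about 900 points are possible), and an assumed minimum time per point for a plausibility check. Signing the token does not stop someone who has decompiled the game from forging a submission; the cap, the single-use session and the timing check are what keep a forged score inside what a real game could have produced, and they also give the operator something to alert on.

```python
import hmac
import hashlib
import secrets
import time

# Constructed values for this example. A real deployment keeps the key in
# server-side configuration and the session store in a database or cache.
SERVER_KEY = secrets.token_bytes(32)
MAX_SCORE = 900              # the post says about 900 points are possible
MIN_SECONDS_PER_POINT = 0.1  # assumed plausibility bound, tune per game

_sessions = {}  # session_id -> start timestamp (server-side state only)


def _sign(session_id):
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def start_game():
    """Called when the game loads: issue a session id and a MAC over it.

    The client must send both back with the score, so a submission that was
    never preceded by a game start can be rejected outright.
    """
    session_id = secrets.token_hex(16)
    _sessions[session_id] = time.time()
    return session_id, _sign(session_id)


def submit_high(params, now=None):
    """Validate a submithigh.php-style POST body. Returns (accepted, reason).

    `params` is the parsed form body; `now` is injectable for testing.
    """
    now = time.time() if now is None else now
    session_id = params.get("session")
    mac = params.get("mac")

    # 1. The submission must carry a token the server itself issued.
    if not session_id or not mac:
        return False, "missing session token"
    if not hmac.compare_digest(mac, _sign(session_id)):
        return False, "bad token"

    # 2. The score must be an integer inside the range the game can produce.
    try:
        score = int(params.get("score", ""))
    except ValueError:
        return False, "score not an integer"
    if score < 0 or score > MAX_SCORE:
        return False, f"score outside 0..{MAX_SCORE}"

    # 3. Each session is consumed on first use, so a token cannot be replayed.
    started = _sessions.pop(session_id, None)
    if started is None:
        return False, "unknown or already used session"

    # 4. The score must be reachable in the time the game actually ran.
    if score * MIN_SECONDS_PER_POINT > now - started:
        return False, "score implausible for elapsed time"

    return True, "ok"
```

Rejected submissions, especially "score outside range" and "implausible for elapsed time", are worth logging with the client address: a competition with real prize money will attract exactly the kind of +10 edit the post describes, and those events are the signal that someone is poking at the endpoint.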
Posted By: Abe
Last Edit: 08 Aug 2009 @ 12:06 PM
Categories: Security
Responses to this post » (None)