
1.2 ASOE Security Layer



ASOE (Asynchronous Online Engine) is a collection of scripts that allow you to create, host and play asynchronous multiplayer online games in RPGMaker VX Ace. ASOE is perfectly suited for turn based games, but it can enrich the gameplay of any VXA game by adding online features to it.


[!] Note: This is a technical article that is not required in order to use the script. It's a recommended read for anyone who wants to build on top of the existing code base.


Why Security is Important

When Efeberk - the original author of this online script - published it, he did not put too much emphasis on security. There was a help file included that contained some information about XSS (Cross-Site Scripting) and that's it. He left the real work to the users of the script. Well, I don't blame him for that - in fact I'm thankful that Efeberk wrote an online script for VX Ace at all! But, as this is open software, one of my first tasks was to increase the security of the script:


A living state machine

First of all, online games are not sealed environments like offline games - online games are living, breathing state machines. This adds to the joy of playing (and creating) such a game, but it also opens the door for hackers and cheaters alike. You have to assume that literally every client (player) could be a hostile attacker trying to corrupt your game's database. And besides database corruption there are also the threats of XSS (Cross-Site Scripting) and spam/fake data packets.


The ASOE security layer

So there are a few basic countermeasures included in the core system of ASOE to prevent malicious attacks on the server. The most important is the wrapping of PHP's $_GET superglobal in order to filter the received data. This should negate script-level attacks like XSS. Every single piece of information that is transferred to the server is first filtered by a PHP function that looks like this:

function asoe_get($parameter) {
    $parameter = $_GET[$parameter];
    if (ASOE_MODE_SECURE) {
        // Remove slashes first (e.g. those added by magic_quotes_gpc); running
        // stripslashes after mysql_real_escape_string would strip the escaping again.
        $parameter = stripslashes($parameter);
        // Escape quotes and backslashes for use inside a MySQL query.
        $parameter = mysql_real_escape_string($parameter);
        // Convert HTML special characters to entities (the XSS countermeasure).
        $parameter = htmlspecialchars($parameter, ENT_IGNORE, 'utf-8');
        // Drop any remaining HTML/PHP tags.
        $parameter = strip_tags($parameter);
    }
    return $parameter;
}

Next, a code was added to each and every piece of data sent from the client to the server and vice versa. This code could be referred to as a "checksum", although it works a bit differently than usual. It is generated when the client logs in and is re-generated on every login. The code is a simple 3-4 digit number that is randomly generated by the server and transferred to the client during the log-in process. From then on, every time the client sends data to the server, it attaches this code as well. The server compares the code to its own, locally stored, code-number. Only if the codes match is the client data processed; otherwise the data is dumped and the current process is terminated.


Finally, a sequence number was added to the code as well. This means that the code - once generated - is not static; it changes with every request sent or received. Both the server and the client keep comparing their code-numbers to the numbers in the data packets they receive. As only the client and the server know how the sequence number is computed, it should be impossible for an intruder to smuggle a fake packet to the server.


The combination of a code-number and a sequence number creates a secret morse code only the client and the server know about. And as both numbers are unique for each client and are always changing, a potential attacker must put tons of effort into the system in order to hack it. As ASOE is used for games only, I think this security layer offers more than enough protection to keep online environments safe.
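The code-number and sequence-number check described above, as an added Ruby simulation that is not part of ASOE's own client or server code. It assumes the sequence number simply advances by one per accepted packet (the post does not say how it is computed) and that the server stores one code per logged-in client; the class and method names are made up for this example.

```ruby
# Constructed simulation of the ASOE code-number + sequence-number check.
# Assumption: the sequence advances by one per accepted packet (the post does not state the rule).
class AsoeServer
  def initialize(rng = Random.new)
    @rng = rng
    @sessions = {} # client_id => { code:, seq: }
  end

  # Login: generate a random 3-4 digit code, remember it, hand it to the client.
  def login(client_id)
    code = @rng.rand(100..9999)
    @sessions[client_id] = { code: code, seq: 0 }
    code
  end

  # Process a packet only if code and sequence number match the stored
  # values; otherwise the packet is dumped and the sequence does not advance.
  def handle(client_id, packet)
    s = @sessions[client_id]
    return :rejected if s.nil? || packet[:code] != s[:code] || packet[:seq] != s[:seq]
    s[:seq] += 1
    :accepted
  end
end

class AsoeClient
  def initialize(id, server)
    @code = server.login(id) # the log-in hands the client its code-number
    @seq = 0
  end

  # Every outgoing packet carries the code and the current sequence number.
  def packet(payload)
    { code: @code, seq: @seq, data: payload }.tap { @seq += 1 }
  end
end

# One session: a fresh packet, a replayed copy of it, another fresh packet,
# then a packet that carries the wrong code-number.
def demo_session
  server = AsoeServer.new(Random.new(42))
  client = AsoeClient.new("player1", server)
  first = client.packet("move 3,4")
  [
    server.handle("player1", first),                          # :accepted
    server.handle("player1", first),                          # :rejected (stale seq)
    server.handle("player1", client.packet("attack 7")),      # :accepted
    server.handle("player1", { code: 0, seq: 2, data: "x" })  # :rejected (wrong code)
  ]
end
```

The replayed copy of the first packet is rejected because its sequence number is stale, even though its code-number is still the valid one.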



[Image: Console output showing data packets as well as the security code-number]

