Authentic flash form submission


Authentic flash form submission

theRemix
What is the best way to accept form submissions on your server?

I have a game that will be embedded on many sites.

The server will be my own, PHP+mysql

I want players to be able to submit their name and high score to my server for tracking.

I want to ensure that the form submission comes from my game and not a crafted form, to prevent cheating or any other abuse.

any recommendations?

-+> theRemix


--
haXe - an open source web programming language
http://haxe.org


Re: Authentic flash form submission

John A. De Goes

People can always reverse engineer your SWF or monitor HTTP traffic in order to find out how you send the data.

In short, there's no way to send name + score to your server directly and securely.

There are complicated heuristics you can use to solve the problem, but a much simpler solution is checking the IP address (for uniqueness) and setting a cookie (as a secondary check). Can users work around the technique? Yes. Will they? Not unless your game is wildly popular, which is OK because if your game is wildly popular, you can retire and not worry about cheaters. :-)

Regards,

John 

On Aug 4, 2010, at 3:28 PM, theRemix wrote:

What is the best way to accept form submissions on your server?

I have a game that will be embedded on many sites.

The server will be my own, PHP+mysql

I want players to be able to submit their name and high score to my server for tracking.

I want to ensure that the form submission comes from my game and not a crafted form, to prevent cheating or any other abuse.

any recommendations?

-+> theRemix


Re: Authentic flash form submission

theRemix
ok. if i accept this as fact (there is no way to securely submit a form from a swf)

then the next best thing is to log every submission's ip address, and i can manually detect fraudulent form submissions.

i do not think people would want to craft their own form to get high scores. i am more concerned about tracking real humans who beat the game no matter what their score was, as there are real world consequences to playing and winning.

i would also like to protect my server from getting slammed with massive fake POSTs too.

are there any more suggestions for preventing fraudulent form submissions?

-+> theRemix

On Aug 4, 2010, at 11:52 AM, John A. De Goes wrote:


People can always reverse engineer your SWF or monitor HTTP traffic in order to find out how you send the data.

In short, there's no way to send name + score to your server directly and securely.

There are complicated heuristics you can use to solve the problem, but a much simpler solution is checking the IP address (for uniqueness) and setting a cookie (as a secondary check). Can users work around the technique? Yes. Will they? Not unless your game is wildly popular, which is OK because if your game is wildly popular, you can retire and not worry about cheaters. :-)

Regards,

John 


Re: Authentic flash form submission

Cauê W.
hey,

for protection from fake POSTs, I'd have the own game to send state data when you are playing, so you can see if there is something 'inhuman' about them, and also see if it matches the amount of points given.

2010/8/4 theRemix <[hidden email]>
ok. if i accept this as fact (there is no way to securely submit a form from a swf)

then the next best thing is to log every submission's ip address, and i can manually detect fraudulent form submissions.

i do not think people would want to craft their own form to get high scores. i am more concerned about tracking real humans who beat the game no matter what their score was, as there are real world consequences to playing and winning.

i would also like to protect my server from getting slammed with massive fake POSTs too.

are there any more suggestions for preventing fraudulent form submissions?

-+> theRemix


Re: Authentic flash form submission

theRemix
that makes sense, like gathering game analytics.

i think normally, you would track certain metrics, and then send all data at the end.

for your idea to work, i would have to send metrics periodically instead of once at the end. because the same problem would exist, someone could craft fake metrics and send all that data over many times.

i'll look into implementing this.
[ip address, session id, time elapsed]
[ip address, session id, scoring milestone]
... etc.


-+> theRemix

On Aug 4, 2010, at 12:46 PM, Cauê Waneck wrote:

hey,

for protection from fake POSTs, I'd have the own game to send state data when you are playing, so you can see if there is something 'inhuman' about them, and also see if it matches the amount of points given.


Re: Authentic flash form submission

Cauê W.
yes!
I don't know how your game works, but the more data you can spot for 'inhuman' acts, like moving too fast (or too slow), or achieving more points than it can in the time-space, the better.

2010/8/4 theRemix <[hidden email]>
that makes sense, like gathering game analytics.

i think normally, you would track certain metrics, and then send all data at the end.

for your idea to work, i would have to send metrics periodically instead of once at the end. because the same problem would exist, someone could craft fake metrics and send all that data over many times.

i'll look into implementing this.
[ip address, session id, time elapsed]
[ip address, session id, scoring milestone]
... etc.


-+> theRemix


Re: Authentic flash form submission

Matthew Spencer-2
Depending on how far you want to go with it, you could even go with a replay based validation method. Store a seed at the beginning of your game, and then transmit any human interaction with the game. After the game is finished, if the score is above a certain threshold you can have the server replay the game using the same seed along with the user's input. If everything doesn't match perfectly, the user cheated.

It's probably overkill unless you wanted to implement a replay system as well.
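
The replay-based validation described in this post, as an added PHP example that is not code from anyone in the thread. The toy lane game, the `Lcg` generator, `REPLAY_THRESHOLD` and `MAX_TICKS` are all assumptions made for illustration; the server is assumed to have stored the seed when the game started.

```php
<?php
// Added example (not from the thread): the game rules, PRNG and limits are assumed.
// Assumes 64-bit PHP 7.4+ so the LCG multiplication stays within integer range.

const REPLAY_THRESHOLD = 50;   // hypothetical: lower scores are stored without a replay
const MAX_TICKS = 10000;       // bound the work a single submission can cause
const LANES = 5;

/** Tiny LCG so the client and the server derive the same sequence from one seed. */
final class Lcg
{
    private int $state;

    public function __construct(int $seed)
    {
        $this->state = $seed & 0x7fffffff;
    }

    public function next(int $mod): int
    {
        $this->state = ($this->state * 1103515245 + 12345) & 0x7fffffff;
        return intdiv($this->state, 65536) % $mod;
    }
}

/** Re-run the toy game: a hit is pressing the lane the target appears in on that tick. */
function simulate(int $seed, array $inputs, int $ticks): int
{
    $rng = new Lcg($seed);
    $byTick = [];
    foreach ($inputs as [$tick, $lane]) {
        $byTick[$tick] = $lane;
    }
    $score = 0;
    $streak = 0;
    for ($t = 0; $t < $ticks; $t++) {
        $target = $rng->next(LANES);
        if (isset($byTick[$t]) && $byTick[$t] === $target) {
            $streak++;
            $score += 10 * $streak;   // consecutive hits are worth more
        } else {
            $streak = 0;
        }
    }
    return $score;
}

/** Server-side check: $seed is the value the server stored when the game started. */
function validateRun(int $seed, array $inputs, int $ticks, int $claimed): string
{
    if ($claimed < REPLAY_THRESHOLD) {
        return 'accepted-unverified';
    }
    if ($ticks < 1 || $ticks > MAX_TICKS || count($inputs) > $ticks) {
        return 'malformed';
    }
    $last = -1;
    foreach ($inputs as $in) {
        if (!is_array($in) || count($in) !== 2 || !isset($in[0], $in[1])
            || !is_int($in[0]) || !is_int($in[1])) {
            return 'malformed';
        }
        // Ticks must be strictly increasing and inside the game; lanes must exist.
        if ($in[0] <= $last || $in[0] >= $ticks || $in[1] < 0 || $in[1] >= LANES) {
            return 'malformed';
        }
        $last = $in[0];
    }
    return simulate($seed, $inputs, $ticks) === $claimed ? 'verified' : 'mismatch';
}

// Constructed run: a player who reacts correctly on every third tick.
$seed = 20100804;
$ticks = 60;
$rng = new Lcg($seed);
$inputs = [];
for ($t = 0; $t < $ticks; $t++) {
    $target = $rng->next(LANES);
    if ($t % 3 === 0) {
        $inputs[] = [$t, $target];
    }
}
$honest = simulate($seed, $inputs, $ticks);

echo "honest score $honest: ", validateRun($seed, $inputs, $ticks, $honest), "\n";
echo "inflated claim: ", validateRun($seed, $inputs, $ticks, $honest + 500), "\n";
echo "inputs from another seed: ", validateRun($seed + 1, $inputs, $ticks, $honest), "\n";
```

A replay shows that the submitted inputs produce the claimed score, not that a person entered them, so it complements the timing checks suggested elsewhere in the thread.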



Re: Authentic flash form submission

theRemix
I like where your head's at Matthew.

i don't need a replay system, i agree it's overkill. great solution though.

it's really easier to play the game than to cheat. what i want to protect against is for it to be so easily hackable that script kiddies would abuse it.

i'm storing these score submissions because i've created a unique 'leaderboard' of my own. where i display a game avatar with the user's first name, last initial, and how long it took for them to win the game. they are all displayed on one page, i don't want thousands of fake submissions overloading my server and the browser.

thanks again for your input.

-+> theRemix

On Aug 4, 2010, at 2:01 PM, Matthew Spencer wrote:

> Depending on how far you want to go with it, you could even go with a replay based validation method. Store a seed at the beginning of your game, and then transmit any human interaction with the game. After the game is finished, if the score is above a certain threshold you can have the server replay the game using the same seed along with the user's input. If everything doesn't match perfectly, the user cheated.
>
> It's probably overkill unless you wanted to implement a replay system as well.

Re: Authentic flash form submission

Cauê W.
watch out for the cheat engine, it works on flash games. ; )

2010/8/4 theRemix <[hidden email]>
I like where your head's at Matthew.

i don't need a replay system, i agree it's overkill. great solution though.

it's really easier to play the game than to cheat. what i want to protect against is for it to be so easily hackable that script kiddies would abuse it.

i'm storing these score submissions because i've created a unique 'leaderboard' of my own. where i display a game avatar with the user's first name, last initial, and how long it took for them to win the game. they are all displayed on one page, i don't want thousands of fake submissions overloading my server and the browser.

thanks again for your input.

-+> theRemix


Re: Authentic flash form submission

Lyndon Howie
In reply to this post by theRemix
If you're mainly concerned about replay attacks (people capturing the http request of a finished game and sending it over and over), or modified http requests (people capturing a request and then modifying the score etc. to send it up), and you're not that worried about people actually reverse-engineering your flash client, then you can do something fairly simple like hashing your results together with a timestamp (and uploading the timestamp with the results) and then verifying this on the server. To prevent replay you record the timestamp in your DB and only allow result submissions with a newer timestamp. For accuracy you should have the server send them the timestamp when they start a game (otherwise they could run into issues playing the game from different client machines). This would stop replay and data changing attacks as long as they don't know the hashing algorithm. Someone will figure it out eventually if it's worth their while, but it should stop the average script kiddy.
Cheers,
Lyndon

--- On Thu, 5/8/10, theRemix <[hidden email]> wrote:

> From: theRemix <[hidden email]>
> Subject: Re: [haXe] Authentic flash form submission
> To: "The haXe compiler list" <[hidden email]>
> Received: Thursday, 5 August, 2010, 11:06 AM
> I like where your head's at Matthew.
>
> i don't need a replay system, i agree it's overkill. great
> solution though.
>
> it's really easier to play the game than to cheat. what i
> want to protect against is for it to be so easily hackable
> that script kiddies would abuse it.
>
> i'm storing these score submissions because i've created a
> unique 'leaderboard' of my own. where i display a game
> avatar with the user's first name, last initial, and how long
> it took for them to win the game. they are all displayed on
> one page, i don't want thousands of fake submissions
> overloading my server and the browser.
>
> thanks again for your input.
>
> -+> theRemix

Re: Authentic flash form submission

theRemix
Thanks Lyndon!

Sounds like a great solution that will work for my situation. I'll implement this for my game.

much appreciated!

-+> theRemix

On Aug 4, 2010, at 3:40 PM, Lyndon Howie wrote:

> If you're mainly concerned about replay attacks (people capturing the http request of a finished game and sending it over and over), or modified http requests (people capturing a request and then modifying the score etc. to send it up), and you're not that worried about people actually reverse-engineering your flash client, then you can do something fairly simple like hashing your results together with a timestamp (and uploading the timestamp with the results) and then verifying this on the server. To prevent replay you record the timestamp in your DB and only allow result submissions with a newer timestamp. For accuracy you should have the server send them the timestamp when they start a game (otherwise they could run into issues playing the game from different client machines). This would stop replay and data changing attacks as long as they don't know the hashing algorithm. Someone will figure it out eventually if it's worth their while, but it should
> stop the average script kiddy.
> Cheers,
> Lyndon

Re: Authentic flash form submission

Heinz Hölzer-2
In reply to this post by Lyndon Howie
On 05.08.2010 03:40, Lyndon Howie wrote:
If you're mainly concerned about replay attacks (people capturing the http request of a finished game and sending it over and over), or modified http requests (people capturing a request and then modifying the score etc. to send it up), and you're not that worried about people actually reverse-engineering your flash client, then you can do something fairly simple like hashing your results together with a timestamp (and uploading the timestamp with the results) and then verifying this on the server. To prevent replay you record the timestamp in your DB and only allow result submissions with a newer timestamp. For accuracy you should have the server send them the timestamp when they start a game (otherwise they could run into issues playing the game from different client machines). This would stop replay and data changing attacks as long as they don't know the hashing algorithm. Someone will figure it out eventually if it's worth their while, but it should stop the average script kiddy.
Cheers,
Lyndon


sounds like a good technique, you can also encode the timestamp on the server side in some way so the client just gets a crypted string from the server.
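
Lyndon Howie's timestamp-plus-hash scheme together with the server-encoded timestamp suggested in this reply, as an added PHP example that is not code from anyone in the thread. Assumptions: HMAC-SHA256 stands in for the unspecified hash, the start token is signed rather than encrypted, replay is blocked by recording each consumed token (a per-game variant of the "only newer timestamps" rule), and the key values, field names and in-memory store are placeholders.

```php
<?php
// Added example (not from the thread). Key values, field names and the in-memory
// $used store are assumptions; in production $used is a table with a UNIQUE column.

const SERVER_KEY = 'placeholder-server-only-secret';    // never leaves the server
const CLIENT_KEY = 'placeholder-key-compiled-into-swf'; // recoverable from the client
const MAX_GAME_SECONDS = 3600;                          // hypothetical longest game

/** Game start: hand the client an opaque token carrying a nonce and the server time. */
function issueStartToken(int $now): string
{
    $payload = bin2hex(random_bytes(8)) . ':' . $now;
    return $payload . ':' . hash_hmac('sha256', $payload, SERVER_KEY);
}

/** What the game client computes before it POSTs (written in PHP to show the round trip). */
function clientSign(string $name, string $score, string $token): string
{
    return hash_hmac('sha256', $name . "\n" . $score . "\n" . $token, CLIENT_KEY);
}

/** Returns 'ok' or the reason the submission was rejected. */
function verifySubmission(array $post, array &$used, int $now): string
{
    foreach (['name', 'score', 'token', 'sig'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return 'malformed';
        }
    }
    if (!preg_match('/^(0|[1-9]\d{0,8})$/', $post['score'])) {
        return 'malformed';
    }
    $parts = explode(':', $post['token']);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$nonce, $issued, $mac] = $parts;

    // 1. The token must be one this server issued, unmodified.
    $tokenMac = hash_hmac('sha256', $nonce . ':' . $issued, SERVER_KEY);
    if (!hash_equals($tokenMac, $mac)) {
        return 'bad-token';
    }
    // 2. The game must have started recently enough to be one sitting.
    $age = $now - (int) $issued;
    if ($age < 0 || $age > MAX_GAME_SECONDS) {
        return 'expired';
    }
    // 3. Name and score must be the ones the client signed.
    $expected = clientSign($post['name'], $post['score'], $post['token']);
    if (!hash_equals($expected, $post['sig'])) {
        return 'bad-signature';
    }
    // 4. Each token is good for one submission, so a captured request cannot be resent.
    if (isset($used[$post['token']])) {
        return 'replay';
    }
    $used[$post['token']] = true;
    return 'ok';
}

// Constructed round trip with a fixed clock value.
$used = [];
$t0 = 1280966400;
$token = issueStartToken($t0);
$post = ['name' => 'Ann B', 'score' => '4200', 'token' => $token];
$post['sig'] = clientSign($post['name'], $post['score'], $token);

$edited = $post;
$edited['score'] = '999999';   // captured request with the score changed

echo 'edited score:     ', verifySubmission($edited, $used, $t0 + 300), "\n";
echo 'first submission: ', verifySubmission($post, $used, $t0 + 300), "\n";
echo 'resent request:   ', verifySubmission($post, $used, $t0 + 301), "\n";
echo 'stale token:      ', verifySubmission($post, $used, $t0 + 7200), "\n";
```

The client-side key is the part that reverse engineering recovers, which is the limit Lyndon's post already states; the server-signed token and the single-use check do not depend on it.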


Re: Authentic flash form submission

theRemix
Yes thanks Heinz, i plan on doing this as well

you guys are awesome!

-+> theRemix

On Aug 5, 2010, at 10:25 AM, Heinz Hölzer wrote:


sounds like a good technique, you can also encode the timestamp on the server side in some way so the client just gets a crypted string from the server.

Re: Authentic flash form submission

Yanis Benson
In reply to this post by theRemix
On 08/05/2010 01:28 AM, theRemix wrote:
What is the best way to accept form submissions on your server?

I have a game that will be embedded on many sites.

The server will be my own, PHP+mysql

I want players to be able to submit their name and high score to my server for tracking.

I want to ensure that the form submission comes from my game and not a crafted form, to prevent cheating or any other abuse.

any recommendations?

-+> theRemix

1. Send a hash of <result>+<some value> with the result.
2. Push some numbers (crafted), then convert these numbers to a string, then use the string to push a value you want into <some value> by Reflect.
3. Put part 2 in the depth of the game code, but be sure it will be run once before submission.

This should stop most script-kiddies (because there is no easy way to know your <some value> at runtime, no easy way to know it from your POSTs, and it's not so evident where and how the value is generated).




Re: Authentic flash form submission

Ron Wheeler
On 06/08/2010 3:02 AM, Yanis Benson wrote:

1. Send a hash of <result>+<some value> with the result.
2. Push some numbers (crafted), then convert these numbers to a string, then use the string to push a value you want into <some value> by Reflect.
3. Put part 2 in the depth of the game code, but be sure it will be run once before submission.

This should stop most script-kiddies (because there is no easy way to know your <some value> at runtime, no easy way to know it from your POSTs, and it's not so evident where and how the value is generated).


If cheating is highly rewarded, you can report progress through the game so that the high score can be verified as being the result of steady progress over a reasonable period of time.
You can generate a unique session id for interim reporting if you do not want to ask the player for name, etc until he/she has reached the end.
You can report game details - points, hits, kills, etc. at either timed intervals or between phases of the game.
You can check to verify that these are reasonable given the time the player has played.
The more details that you report, the more difficult it will be for the person trying to fake a high score to know how to do it.
If you calculate the score on the server side, it will be much harder to reverse engineer your scoring system. The person disassembling your client code will only know what is being reported so he/she will not know how the score is made nor will they know how you are validating a "reasonable" combination of time and activity to reject fake game results.

Ron
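
The interim progress reporting discussed in this post and earlier in the thread (periodic reports keyed by session id, checked for a reasonable rate of progress), as an added PHP example that is not code from anyone in the thread. The limits, the field names and the sample rows are assumptions; the rows are taken to be the stored reports for one session id, with the arrival time stamped by the server.

```php
<?php
// Added example (not from the thread). Limits, field names and sample rows are assumed.

const MAX_POINTS_PER_SECOND = 25;  // hypothetical fastest legitimate scoring rate
const CLOCK_SLACK = 3;             // seconds of network jitter tolerated
const MIN_WIN_SECONDS = 60;        // hypothetical shortest possible winning game

/**
 * $checkpoints: rows for one session id ordered by arrival, each
 * ['elapsed' => client-reported seconds, 'score' => int, 'received' => server unix time].
 * Returns the reasons the session looks implausible (an empty list means none found).
 */
function auditSession(array $checkpoints, int $claimedScore): array
{
    if ($checkpoints === []) {
        return ['no progress reports before the final submission'];
    }
    $flags = [];
    $prev = null;
    foreach ($checkpoints as $i => $cp) {
        $dt = $cp['elapsed'] - ($prev['elapsed'] ?? 0);
        $ds = $cp['score'] - ($prev['score'] ?? 0);
        if ($dt <= 0) {
            $flags[] = "report $i: elapsed time did not advance";
        } elseif ($ds > $dt * MAX_POINTS_PER_SECOND) {
            $flags[] = "report $i: $ds points in {$dt}s is faster than the game allows";
        }
        if ($ds < 0) {
            $flags[] = "report $i: score went down";
        }
        // The client's clock must agree with when the server actually saw the reports,
        // which is what exposes a batch of fabricated reports sent in one burst.
        if ($prev !== null) {
            $wall = $cp['received'] - $prev['received'];
            if (abs($wall - $dt) > CLOCK_SLACK) {
                $flags[] = "report $i: client claims {$dt}s passed, server saw {$wall}s";
            }
        }
        $prev = $cp;
    }
    if ($prev['elapsed'] < MIN_WIN_SECONDS) {
        $flags[] = 'game finished sooner than a win is possible';
    }
    if ($prev['score'] !== $claimedScore) {
        $flags[] = 'submitted score differs from the last progress report';
    }
    return $flags;
}

// Constructed sample sessions; $t0 is an arbitrary fixed clock value.
$t0 = 1280966400;
$honest = [
    ['elapsed' => 30, 'score' => 120, 'received' => $t0 + 30],
    ['elapsed' => 60, 'score' => 310, 'received' => $t0 + 61],
    ['elapsed' => 90, 'score' => 480, 'received' => $t0 + 90],
];
$forged = [
    ['elapsed' => 30, 'score' => 900,  'received' => $t0 + 2],
    ['elapsed' => 60, 'score' => 1800, 'received' => $t0 + 2],
    ['elapsed' => 90, 'score' => 2700, 'received' => $t0 + 3],
];

foreach (['honest' => [$honest, 480], 'forged' => [$forged, 5000]] as $label => [$rows, $claim]) {
    $flags = auditSession($rows, $claim);
    echo $label, ': ', $flags === [] ? 'nothing implausible' : count($flags) . ' flag(s)', "\n";
    foreach ($flags as $flag) {
        echo '  - ', $flag, "\n";
    }
}
```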
