Tech nerds, please red team the shit out of my lil game

Post by Mashy » Sat Apr 10, 2021 10:56 am

I made a little choose your own adventure game on my website
(Go to https://www.karililt.com/ and click "don't click this")

To advance in the game you have to solve some riddles, but I think you can cheat by looking at "Inspect elements" and "View Source" in chrome??

I'm not smart enough to know anything about this, what's the furthest you can get in the game? Is there a way for smart tech people to cheat without solving the riddles?

(The game isn't finished)


Post by Mashy » Sun Apr 11, 2021 1:50 am

Haha thanks, that's what I wanted

Any way to hide it or no?

Edit: Does the sitemap exist just for SEO purposes? When I hide the page from search results, it seems to disappear from the sitemap?
Googling around it seems I can also change the name (url) of my sitemap to make it unguessable and then resubmit it to search engines? How do I go about doing that?

Edit2: I've hidden all the relevant pages from my sitemap, is there another way you can see/access them? Another tangent question just for my own curiosity, because these pages are hidden from google are they technically considered deepweb pages?

Post by Mashy » Sun Apr 11, 2021 2:40 am

I see you playing my game @Utisz

If you reach the talking jellyfish part, let me know

When I finish the game I want to offer 1 ETH (~$2000 USD) as a reward to anyone who can reach the end so it's important to me that people can't cheat

A lot of safeguards will be in place

Post by Utisz » Sun Apr 11, 2021 2:59 am

Got to the yes-dream / jellyfish-conversation part, yep! Didn't see a way to continue in either branch.

Cool stuff! I think you've been cooking this up for a while? I remember you posted an earlier version in the old place?

Didn't really see a way to cheat. I mean I can find the links in a page, but you didn't seem to hide them. The sitemap seems to not have anything relevant to the game. Nothing in robots.txt.

So long as you don't rely on "hiding" links (which can be found easily enough in the source), I think it shouldn't be all that easy to cheat. (There might be a few things to make it a little harder though, like your pages do appear in Google, but you could tell it not to crawl the pages of the game.)

edit: for $2000, don't take my word on this. I can try a little harder to cheat and let you know. :)

Post by Mashy » Sun Apr 11, 2021 3:13 am

Awesome. There's a long thread past the jellyfish arc (I'm sure you'll figure it out which is what I don't want hahah so I'm trying to find ways to obscure the path without compromising it) and I'm working on the jellyfish conversation as we speak. So the jellyfish conversation page is currently blank but it'll be filled up soon

I'll let you know when the game is finished and you can have a proper go?

Another question is this:

Wix allows me to add this text field + this button. Is there some way I can do it so that the button is only activated when the correct pattern validation is in the field?

Utisz wrote:
Sun Apr 11, 2021 2:59 am
> I can try a little harder to cheat and let you know.

Please do, it would be much appreciated!

Post by Utisz » Sun Apr 11, 2021 3:30 am

Mashy wrote:
Sun Apr 11, 2021 3:13 am
> Awesome. There's a long thread past the jellyfish arc (I'm sure you'll figure it out which is what I don't want hahah so I'm trying to find ways to obscure the path without compromising it) and I'm working on the jellyfish conversation as we speak. So the jellyfish conversation page is currently blank but it'll be filled up soon
>
> I'll let you know when the game is finished and you can have a proper go?

Sure thing! Sounds good. :)

Mashy wrote:
Sun Apr 11, 2021 3:13 am
> Another question is this:
>
> Wix allows me to add this text field + this button. Is there some way I can do it so that the button is only activated when the correct pattern validation is in the field?

Probably not possible in the Wix interface (I'm not familiar with Wix), but it would be possible with some JavaScript and CSS. And you can add JavaScript to Wix pages.

The idea would be to hide the button, and then write a condition in JavaScript to show it when the correct text is in the box.

There are two complications with this: the JavaScript should not give the string, so it would have to compute a (secure) hash of it and compare that. The second is that you cannot really hide the button completely. The button would still be in the source code (or the JavaScript), it would just not appear in the browser. There might be ways to "encrypt" the HTML code for the button or something, but it starts to get a bit messy. :) So it would be complicated to hide the button in a way that is not possible to cheat.

> Please do, it would be much appreciated!

I tried a bit more and have not found a way to cheat beyond finding links automatically in a page. There's a couple of things I think could help make it more robust:
  • Add the pages to a directory, and prevent Google from crawling that directory.
  • Avoid URLs that have short names as they can be brute-forced (by which I mean one could script something to start with /a, /b, ..., /aa, /ab, ... /aaa, /aab). I guess around 8 characters should be fine. If someone tries to brute-force in this way though, it might be enough to DoS your website. This wouldn't be a way to get to the end, but it would mean your website becomes unresponsive, or goes offline, or you might even get a big bill from your host. On the other hand, maybe your host has DoS protections.
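
Added example, not part of the thread: one way to do the hash comparison described in the post above without shipping either the answer or the next link in the page source. The page script holds only a slow, salted hash of the answer, and the next page's path is recomputed from the answer itself; the function names, salt, iteration count and `/game/` prefix are assumptions.

```javascript
// Added example. SALT, ITERATIONS, the '/game/' prefix and all function
// names are assumptions, not taken from the site discussed in the thread.
// Web Crypto; the fallback lets the same code run under Node < 19.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder();

const SALT = 'constructed-salt-puzzle-01'; // public, different for every puzzle
const ITERATIONS = 600000;                 // makes each offline guess expensive

// Treat "  Jellyfish " and "jellyfish" as the same answer.
function normalise(answer) {
  return answer.normalize('NFKC').trim().toLowerCase();
}

// PBKDF2-HMAC-SHA256 over the answer; `purpose` separates the two outputs so
// the published check value does not reveal the page path.
async function derive(answer, purpose) {
  const key = await subtle.importKey(
    'raw', enc.encode(normalise(answer)), 'PBKDF2', false, ['deriveBits']);
  const bits = await subtle.deriveBits(
    { name: 'PBKDF2', hash: 'SHA-256',
      salt: enc.encode(`${SALT}|${purpose}`), iterations: ITERATIONS },
    key, 128);
  return Array.from(new Uint8Array(bits), b => b.toString(16).padStart(2, '0')).join('');
}

// Run once by the author, offline: name the next page `slug` and put only
// `check` into the page script.
async function publish(answer) {
  return { check: await derive(answer, 'check'), slug: await derive(answer, 'slug') };
}

// Runs in the page. Returns the next path for a correct guess, else null.
// The path appears nowhere in the source; it is recomputed from the guess.
async function tryAnswer(guess, publishedCheck) {
  if (await derive(guess, 'check') !== publishedCheck) return null;
  return '/game/' + await derive(guess, 'slug');
}
```

Because the check value is public, anyone can test guesses against it offline, so the iteration count only buys time and an answer that is a single common word stays guessable. The derived page itself is still an ordinary URL that works for anyone who is handed it.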

Post by Mashy » Sun Apr 11, 2021 4:08 am

Utisz wrote:
Sun Apr 11, 2021 3:30 am
> There are two complications with this: the Javascript should not give the string, so it would have to compute a (secure) hash of it and compare that. The second is that you cannot really hide the button completely. The button would still be in the source code (or the Javascript), it would just not appear in the browser. There might be ways to "encrypt" the HTML code for the button or something, but it starts to get a bit messy. So it would be complicated to hide the button in a way that is not possible to cheat.

Ah hmm. That does sound complicated. Is there another way to do this then?

I thought of maybe a button to email a certain address the correct input, but that means I would have to manually approve it and direct them to the next page via the email... that's a possibility but it doesn't seem as fun to the user, I think

> Add the pages to a directory, and prevent Google from crawling that directory.

Sorry to be a noob but how do I do that? On the wix interface I disabled the pages from showing up on search engines, does that mean google is still crawling them?

> Avoid URLs that have short names as they can be brute-forced (by which I mean one could script something to start with /a, /b, ..., /aa, /ab, ... /aaa, /aab). I guess around 8 characters should be fine. If someone tries to brute-force in this way though, it might be enough to DoS your website. This wouldn't be a way to get to the end, but it would mean your website become unresponsive, or goes offline, or you might even get a big bill from your host. On the other hand, maybe your host has DoS protections.

That's a good idea. I'll make harder titles and maybe add in random letters. I googled around and it said wix has DoS protections.

Post by Mashy » Sun Apr 11, 2021 5:48 am

Settled on this which I'm quite content with.

It alerts me of the proper answer on the wix app & my email and then I can proceed with more riddles through email.


Post by Utisz » Sun Apr 11, 2021 6:42 am

Mashy wrote:
Sun Apr 11, 2021 4:08 am
> Ah hmm. That does sound complicated. Is there another way to do this then?

You could just do the same thing you do for the rattlesnake puzzle. Instead of them putting the answer in the text box, they put it ... and then you show them what you want to show them when they get to the other side.

There are not many dynamics that are not exploitable, but that one seems pretty solid.

> Sorry to be a noob but how do I do that? On the wix interface I disabled the pages from showing up on search engines, does that mean google is still crawling them?

There's a text file here that says what pages can appear on search engines, and which ones not. I think what you've done in wix just means that the pages do not appear in the sitemap (what avolkiteshvara linked to).

You could maybe edit that text file manually, to say something like:

```
User-agent: *
Allow: /
Disallow: /game/*
```

Which would tell all search engines to ignore anything under https://www.karililt.com/game/, and then you could move all the pages there (not sure how you would do that with wix directly).

In retrospect, I think it's not super duper important, as the rattlesnake page creates a "gap". Google works by following links and you cannot get beyond that page with links. It's more something to make sure Google doesn't even try to index pages there (e.g., maybe at some stage someone links to a page beyond the rattlesnake gap). But to be honest, even if Google is not indexing the pages, it is not difficult to map out all of the links you give on the website. The more general solution is to have plenty of gaps that you can't bridge by clicking a link.

> That's a good idea. I'll make harder titles and maybe add in random letters. I googled around and it said wix has DoS protections.

DoS protection is good!

Thinking more about it, I think if I were to try to cheat based on what I've seen, I might try to brute-force finding pages using common words from an English dictionary. So if possible, you might want to try to avoid pages that are just called after words, especially common words. Note that the 30007th most frequent word in English is lyricism, and doing one request per second (which would probably be considered okay by the DoS protections), all words that appear more common than "lyricism" to you could be brute forced in around 8 hours (maybe even less, depending on how strict the host is with how many pages can be requested per second, or if someone has control of machines in different locations). So if you have a puzzle you hope lasts longer than that, try to avoid naming the pages beyond it after a single English word.
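
Added example, not part of the thread: an audit of page names against the two guessing strategies raised in the posts above (a word list, and sequential short names), with a generator for names that fall outside both. The sample names, the one-year target and the function names are assumptions; the 30007 figure is the one quoted in the post.

```javascript
// Added example. The sample names, the one-year target and all function
// names are assumptions; only the 30007 figure comes from the post.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto; // Node < 19 fallback
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const DICTIONARY_SIZE = 30007; // rank of "lyricism" quoted in the post
// Constructed stand-in for a real word list.
const SAMPLE_WORDS = new Set(['jellyfish', 'rattlesnake', 'lyricism']);

// Uniform random page name. Bytes >= 252 are discarded so that
// `b % 36` does not favour the first letters (modulo bias).
function randomSlug(length = 12) {
  const limit = 256 - (256 % ALPHABET.length);
  let out = '';
  while (out.length < length) {
    for (const b of webCrypto.getRandomValues(new Uint8Array(length * 2))) {
      if (b < limit && out.length < length) out += ALPHABET[b % ALPHABET.length];
    }
  }
  return out;
}

// Hours needed to request every candidate at a given rate.
function hoursToExhaust(candidates, requestsPerSecond = 1) {
  return candidates / requestsPerSecond / 3600;
}

// Size of the cheapest search that is certain to include this name:
// the word list for a dictionary word, otherwise /a, /b, ..., /aa, ...
function guessSpace(slug) {
  const s = slug.toLowerCase();
  if (SAMPLE_WORDS.has(s)) return DICTIONARY_SIZE;
  let total = 0;
  for (let n = 1; n <= s.length; n++) total += ALPHABET.length ** n;
  return total;
}

// Flag page names that a one-request-per-second crawl finds within `minHours`.
function auditSlugs(slugs, minHours = 24 * 365) {
  return slugs.map(slug => {
    const hours = hoursToExhaust(guessSpace(slug));
    return { slug, hours, ok: hours >= minHours };
  });
}
```

With these inputs `lyricism` comes out at roughly 8 hours and a three-character name at roughly 13 hours, while an eight-character random name is far past the one-year target.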