I'm developing a quiz with which you can win a few cool prizes. Is it secure?
Question
I'm developing a quiz with which you can win a few cool prizes. Therefore I'm afraid that someone might try to hack/manipulate it.
All participants have to be logged in, and the website takes 15 questions from the db and gives them to JavaScript, which then paints the quiz. When a user finishes all questions or answers one incorrectly, the quiz makes an Ajax call to the backend and inserts the points into the db.
To decide which answer (there are always 4) is correct, the quiz must know which one is correct. This data is provided as a Base64-encoded string and then decoded in JavaScript.
Question 1: Is this secure? Are there better ways?
Whenever the quiz is started, I save the quiz id in the database. When the final Ajax call is made, I check for that id, I check whether the given answers are the ones associated with the quiz (and their order), and I check a token (there is one in the session and one in JavaScript, both generated based on the quiz and some salt values; they are generated using md5, sha1 and substr in PHP).
Question 2: Is this secure? Are there better ways? Did I miss something?
Explanation / Answer
Your proposed mechanism is not secure.
Anything available to JavaScript is available to the person running the client browser. Base64 encoding only mildly obscures the answers. Even encrypting them using strong crypto like AES will not work because the JavaScript must have the key.
Would someone go to the trouble of figuring out the Base64, or the encryption? It depends on how cool those prizes are, and it is security by obscurity anyway.
You can deal with this in one of two ways. The simplest way is to send all the answers to the server at the end of the quiz and check them on the server with PHP. If you want to provide feedback for each question, you should make an Ajax call after each question is answered.
I can't really say much about your second question because there isn't enough detail. However, everything related to security must be done on the server. You can pass an opaque session ID back and forth between server and client, but you can't do anything on the client that forms a basis for the security of the system.
Finally, I worry about "some salt values." Rolling your own crypto is not safe unless you have a Ph.D. in mathematics and ten or more years' experience with cryptography.