C2 Ajax request encrypt values

No there is no library of keys.

You build it on the fly as you generate keys.

No he can't. The same API key will not work for different score value.

You are assuming you know the value of the score ahead of time.

Guess the algorithm? That's close to impossible.

Hardly, there is an entire avenue of science dedicated to exactly this. It is called cryptanalysis. I have dabbled in it, but I am not an expert in this field, sadly. But when your algorithm is as simple as SHA256(score + salt), it is very easy to guess.

We can make a test for fun if you want. I can make a simple service with API secured with API key and you may take your time to "crack it" (send false data). I'll provide you the JS code so you could try to figure out the algorithm. It will be possible (obviously) as the answer will be in the JS code, I'm just curious how long would it takefor a developer to "break it".

I actually do want to do this. It would be instructive for both of us. Let me know when your API is active. You're not allowed to have any server-side checks though, since that is what the OP was about. This needs to be a pure JS solution. You don't need to provide me with any code, just send me the URLs/API. I want you to minify it too, just for fun. :-p

We can even keep the discussion and results in this thread.

You build it on the fly as you generate keys.

Uhm... no you don't. There is simply an API key generated on the fly for this specific call. How can a one API key with a lifetime of milliseconds be called a library?

You are assuming you know the value of the score ahead of time.

No you don't. I'm not sure what you meant here exactly but there are no assumptions.

And when your algorithm is as simple as SHA256(score + salt), it is very easy to guess.

In such a trivial example it might be, but the point is to make it more complex.

You're not allowed to have any server-side checks though, since that is what the OP was about. This needs to be a pure JS solution.

Uhm.. what? The point with API key is to validate it on the server side. The OP even provided a sample of PHP script. So it is all about to make a server check and authorise the request or not.

You don't need to provide me with any code, just send me the URLs/API. I want you to minify it too, just for fun. :-p

What you want me to minify if you don't want any code? If I'll provide you just a sample URL and and API URL, you will depend purely on luck. The point is to crack it, not to guess it as I am sure you will not guess it.

So the test would be as following:

• I will prepare a minified JS code which will make an AJAX call to my server API. This call will make some action on the server - let's say - create an account. So there will be an email and password send over from JS to the server secured in my way without using SSL.
• Your goal will be to send another request to the server to create new user. So you will have to figure out my security (algorithm) trick and based on it create a request which will cheat my server and allow you to create a new account.

So the overall test would show how much a non SSL request, covered with hashing tricks is secure. I will send you an HTML5 app which sends the request (like if you had my game locally) and the rest you have to deal yourself. Is that ok for you?

BTW: It might be easier to talk on Discord or Skype, so PM me after you read it

BTW: It might be easier to talk on Discord or Skype, so PM me after you read it

Yea, let's discuss on PM, then post a project definition, then we can post results, etc.