For the few people in the comments who are going nuts for me being on the "just launch quickly" hype train - I coded this on stream where the whole point was to test if cursor could even make the game. Launching it and adding a leaderboard was a for-fun feature, and we knew it had glaring vulnerabilities but launched anyways for the lolz. It's a meme game captcha site I made in a day using AI and forgot about - not an enterprise SaaS :P Chill and enjoy the vid

Be careful with serverless, make sure you have a low resource limit or someone can do a Denial of Wallet attack (basically DDoS, but your server auto scales to the load giving you huge bills)

the moment i saw you generated the text on the frontend, i didnt even need to keep watching, thats not getting hacked as much as entering an open door is a break in...

Hacking skills 10/10 Choice of victims -10/10

I love that this guy literally taught himself the complications with Catpchas and why they need to be secure lmfao (I assume he already knew and was just being a lazy agile dev, aka me).

I once managed to make a game website which a leaderbaord display a rickroll in full screen. All i did was write some html which puts itself on top of the page and includes the video element. I then put that as the username and as the input wasnt sanitized the browser rendered it as normal html.

you can also solve this by not using a database. and instead generate the captcha in a JWT token that includes the username, createdAt, and the game session i.e the generated captcha. with a encrypted text storing the answer (yes inside the JWT, double encryption baby. so that they can't just get the answer from the jwt token and spam the server). but now we need a way to confirm that the user isn't just spamming the same request ... hmmm maybe we need a database afterall to store the ID of that jwt token.

"Come see me build vulnerable sites in my live stream" 😂 Nothing personal just for fun.

4:16 what about function generating string, generating image from that, and preserving only hash of the string, later checking if hashed response matches hashed string? Like this is dumb base password encryption xd

Atleast you have 2 coffes now

Moral of the story never trust the client, you trust the client and you end up with bizarre stuff

When is the next episode of roasing dev portfolio is coming??

portfolio roasting when

why do i over complicate thinks i thought people used same captcha solve and get infinite points

Even if you generate the image on the backend and send the image to front end. Its still very easy to write an automation to solve the captcha

I'm not a developer so sorry if this is a stupid suggestion but how about two algorithms. One generates the image without storing the plaintext (making the characters out of bezier curves or some other convoluted method to display the characters that wouldn't give the answer in the frontend) and another that calculates the plaintext after an answer is submitted. In theory you shouldn't be able to easily derive the answer on the fronted with that right. I also get this was a for fun project and all that would be too much hassle but the concept has intrigued me

you could make that you only send a encrypted/hashed text between the client and the server, so the client needs to be a encrypt the text, first the client needs to encrypt the solution letter for letter and sends it to the drawing subsystem, so no where in the code is the full solution possible to read, than you could also use an JS obviscater to make it harder for hackers to debug whats going on inside the JS. Not the best but hey.

Laravel Generate Captcha from the Backend Normally

Hacking used to be easy (by modern standards) back when people were clueless, then it got harder as devs became more aware of all of the potential ways people can and will abuse their services. And now we're back to square one with these new devs that prioritize development speed, ease of use and all the other buzzwords and really love doing server side jobs on the client because it saves them money or whatever. I hate PHP just like the next person, but re-code this in PHP (or any other server side language) without using client side js and this fuck up is borderline impossible to do unless you're an absolute moron and somehow send the solution with the image. Sure, this is a simple game, but I've seen (and sometimes abused) similar scale fuckups on apps where you can get real life rewards. I'm not complaining, more free stuff and fun for me, but this was a solved problem already, now we're going backwards and re-inventing all the possible ways to fuck up but with extra buzzwords.

where do i play

This is so underrated, how do you only have 84k subs

Whats the url of the game?

just make a tiny svg?

What if you use salting and hashing to hide what the text equal to.

Your real mistake was using vercel.

1:52 no need, just make the backend have a temper-detection signature. Hmac would do it. And one way hash on both sides to make sure they are equal. No need for database.

😂 when the karen from the office says "why can't you just..." 22 hours and 6 ibprophen later 😂

I hate serverless devs, the only thing you do is: "ooh, new project, niceeee, deploooy", error because I don't do anything on the server side? What about just scrapping the project Buy a damn vps, and create things the right way

my man coded the most usless thing in the whole universe and called it " COOL THINGS "

The reason this happened was because you showed the code in the stream so people was able to abuse these vulnerabilitys and hack it am a professional hacker and your website is still very vulnerable get good lil bro

whats a seed

Make a leaderborad

Me as a new viewer: what tha hell is this?

But you can use image recognition with opencv and still hack it. but even then based on your explanation it is still pretty easy to hack

Cheat engine be like devs : i made a shitty game i hope nobody abuses the fact theres no anticheat Cheat enginge users OMG 99999999999999999999999999999999999999999999999999999999 score on a unity game omfg

Could you encrypt it?

store the game state server side

Welcome to web development. This is pretty basic stuff.

skill issue

Skill issue

Try jsdom

bro, you need sleep o_o

L coder frfr

Skill issue ngl. /s

K

Hi

Skill issue tbh

L coder

L coder, skill issue

This is just bad design, I don't even know anyone who would make such an app even as a sample.

CORS: 👀

So true, many companies have small little mini games that are easily hackable if you want to make a quick buck (pin me)

skill issue.