How an Improper WebSocket Setup Can Lead to Client-Side Manipulation & The Risks of Relying on ChatGPT
While experimenting with WebSockets, I created a simple concept: users choose an emoji and move around a live-updated map, with each player’s position visible in real time.
To speed up development, I used ChatGPT to generate most of the code. Having been a developer for nine years, I typically review AI-generated code for potential issues—since ChatGPT, like any tool, can overlook crucial details.
This was one of those cases. The WebSocket setup transmits player data, including the x and y positions, directly from the client to the server. Without any server-side validation, this data is easily manipulated by anyone with basic web development knowledge. What surprised me was just how easy it is.
Here’s how it’s done:
- Open Chrome Developer Tools.
- Navigate to the "Sources" tab and locate the minified JavaScript file under assets.
- Search for the "playerMoved" event.
- Set a breakpoint just before the data is sent.
- Move your emoji and wait for the breakpoint to trigger.
- Modify the values as desired and resume execution.
This is what that process looks like:
While I found this exploration entertaining, it highlights a serious issue: developers relying too heavily on AI-generated code without thoroughly understanding the underlying concepts. This can lead to major security vulnerabilities, like client-side manipulation of game data.
You can check out the code here:
https://github.com/jackbader/emoji-wars
https://github.com/jackbader/emoji-wars-backend
Feel free to explore (or hack) the live site yourself:
https://emoji-wars-one.vercel.app/
Let me know what other exploits you discover!
Top comments (0)