Lorem, ipsum dolor sit amet consectetur adipisicing elit. Qui, itaque voluptate ipsa non enim amet ducimus voluptatibus deserunt nam esse!
Hacky JS
Auditing Browser Game Memory with JavaScript: Speed Hacks and Score Manipulation

Auditing Browser Game Memory with JavaScript: Speed Hacks and Score Manipulation

pr0h0
javascriptbrowser-gamessecuritygame-hacking
AI Usage (88%)

Browser games look straightforward from the outside. A score changes, a character moves, and the UI keeps up. But the moment the browser is treated like a trusted game engine, you get room for speed hacks and score tampering.

I usually start from the opposite assumption: the DOM is presentation, not proof.

Why Browser Game State Is Harder to Trust Than It Looks

The browser can only enforce what it controls locally. If movement, timing, and score all live in JavaScript, the player can often inspect that state, change it, or replay it.

That does not automatically make the game insecure. It means you have to separate client hints from server decisions.

The impact usually shows up in two places:

  • faster-than-possible movement or cooldown bypasses
  • inflated score submissions that the backend accepts without checking

What “Memory” Means in a Browser Game

When people say “game memory” in a browser, they usually mean one of three things:

  • global variables on window
  • state inside a framework store
  • transient data in closures, timers, or WebSocket handlers

Unlike native games, there is no hard line between “debug view” and “runtime state.” DevTools can often expose enough to make the interesting parts visible.

The practical mistake is trusting anything that only exists on the client.

A Safe Test Setup for Auditing Score and Speed Checks

Use a local clone or a disposable demo build

Do not test on a live game account unless you have permission. I use one of these:

  • a local copy of the app
  • a disposable staging build
  • a demo game with fake scores and no real economy

That keeps the audit focused on behavior, not abuse.

Track the network, not just the DOM

If a score changes visually, that is not evidence. If the browser sends a score update, that is evidence you can inspect.

Open DevTools and watch:

  • fetch requests
  • XHR calls
  • WebSocket messages
  • request payloads and response codes

Where Speed Hacks Usually Slip In

Client-side timers and movement updates

Speed checks often fail when the game trusts setInterval, requestAnimationFrame, or a local cooldown timer.

A typical pattern looks like this:

let lastMove = 0;

function canMove() {
  return Date.now() - lastMove > 200;
}

function movePlayer() {
  if (!canMove()) return;
  lastMove = Date.now();
  // update position
}

That is fine for UI feedback, but it is not a security boundary. If the player can patch Date.now(), alter lastMove, or replace canMove(), the restriction is gone.

Frame timing, delta calculations, and replay gaps

Some games use delta time to normalize movement speed:

player.x += speed * delta;

That only works if delta is sane and the server can reject impossible motion. If the backend accepts a client-reported position after a gap in updates, the player may jump farther than intended and still pass.

The key question is whether the server replays or verifies the path, not whether the animation looks smooth.

Where Score Manipulation Usually Happens

Local variables exposed through devtools

A score often lives in a store, a closure, or a plain object attached to the app.

If I can run this in the console:

Object.keys(window).filter(k => /score|game|state/i.test(k))

that is already enough to find suspicious globals in many demos. I am not modifying anything here. I am just locating attack surface.

Unvalidated score submissions to the backend

The worse bug is when the client says, “I scored 9000,” and the server records it.

A safer design would submit events like:

  • item collected
  • target hit
  • level completed

Then the backend computes score from validated events. If the server only receives a final number, it has very little to verify.

JavaScript Checks You Can Run Without Breaking Anything

Read-only inspection of globals and stores

You can inspect state without mutating it:

for (const key of Object.keys(window)) {
  if (/score|game|player|state|store/i.test(key)) {
    console.log(key, window[key]);
  }
}

If the app uses a framework store, look for exposed state snapshots, not setters.

Monitoring fetch and WebSocket traffic

A safe audit script can wrap network APIs and log traffic without changing gameplay.

const originalFetch = window.fetch;

window.fetch = async (...args) => {
  const [input, init] = args;
  console.log("fetch request", input, init?.method, init?.body);
  const res = await originalFetch(...args);
  console.log("fetch response", res.status, input);
  return res;
};

const OriginalWebSocket = window.WebSocket;
window.WebSocket = function (...args) {
  const ws = new OriginalWebSocket(...args);
  ws.addEventListener("message", (event) => {
    console.log("ws message", event.data);
  });
  const send = ws.send.bind(ws);
  ws.send = (data) => {
    console.log("ws send", data);
    return send(data);
  };
  return ws;
};

This does not break the game. It just shows whether the client is reporting impossible values.

Comparing client claims with server authority

A good test is simple:

  • make the client claim an odd state
  • see whether the server rejects it
  • check whether the response is authoritative or just echoes the client

If the backend accepts a score that has no matching event trail, the trust model is wrong.

A Small Audit Script for Observing Suspicious State

(function auditGameState() {
  const keys = Object.keys(window).filter((k) =>
    /score|time|speed|player|game|state|store/i.test(k)
  );

  console.table(
    keys.map((key) => {
      const value = window[key];
      return {
        key,
        type: typeof value,
        preview: typeof value === "object" ? Object.prototype.toString.call(value) : String(value)
      };
    })
  );
})();

Use this as a starting point, not a payload. The goal is to locate where the game keeps its state so you can decide whether that state is purely cosmetic or tied to server-side checks.

What a Real Fix Looks Like

Server-side validation and replay resistance

The fix belongs on the backend.

For movement, the server should validate:

  • maximum speed
  • allowed direction changes
  • time between updates
  • impossible jumps after lag spikes

For scores, the server should verify event sequences, not trust a final number.

Rate limits and anomaly checks

Even with server authority, you still want controls like:

  • per-account rate limits
  • score outlier detection
  • replay protection on event submissions
  • signed or short-lived session tokens for game actions

These do not stop every attack, but they make client tampering expensive and obvious.

Conclusion

Browser game audits are mostly trust-boundary audits. The frontend may render the truth, but it should not define it.

If the client controls speed, score, and completion state without meaningful server checks, then the game is only as honest as the console is quiet. The practical fix is boring and effective: observe read-only first, confirm where the server decides, and move real authority out of the browser.

Share this post

More posts

Comments