generic image
Processing...
  • Games
  • Catalog
  • Develop
  • Robux
  • Search in Players
  • Search in Games
  • Search in Catalog
  • Search in Groups
  • Search in Library
  • Log In
  • Sign Up
  • Games
  • Catalog
  • Develop
  • Robux
   
ROBLOX Forum » Game Creation and Development » Scripters
Home Search
 

Re: Filtering Enabled and Remote Functions - Exploitable?

Previous Thread :: Next Thread 
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
05 Sep 2016 08:42 PM
I'm currently developing a game in ROBLOX and a top priority for me is security. I understand the concept and implementation of Filtering Enabled and Remote Functions, however I'm speculative about how secure it actually is.

Let's say for example, my game can provide a user with the Staff of Administration when they click the Red button. When clicked, the Red button runs a localscript that triggers a Remote Function on the server, passing the Players name as an argument. If the Players name is included on the server, the server will add the Staff of Administration to the Player's backpack.

SO, if a Player has the ability to run their own localscripts from their client, could they theoretically create and run a localscript that triggers the same Remote Function and simply passes the name of an authorized user instead (ie. the Creator)?

Note:
This would potentially work because the Players NAME is being passed, rather than the actual Player object, so it would be simple to pass a string value of an authorized Player name (assuming it was known or discovered). I haven't researched this yet, but could a Player be created client-side which held the desired properties (ie. Player.Name = Creator)?
Report Abuse
KreoBox is not online. KreoBox
Joined: 24 Aug 2016
Total Posts: 356
05 Sep 2016 08:44 PM
The player object is automatically passed to the server, problem solved.
Report Abuse
Laedere is online. Laedere
Joined: 17 Jun 2013
Total Posts: 23601
05 Sep 2016 08:44 PM
try using a module script to require code inside of a local script


Report Abuse
SadisticNub is not online. SadisticNub
Joined: 05 Jan 2013
Total Posts: 4948
05 Sep 2016 08:46 PM
When you are designing your network model, assume the player will be able to send any data they want through your remotes (i.e exploiting them), and assume that it is entirely possible that any data sent over is 'fake'. In other words, never trust the client, and make sure you set up proper authorization. If someone can exploit your game by sending data to the server, you're doing it wrong.
Report Abuse
boatbomber is not online. boatbomber
Joined: 26 Oct 2012
Total Posts: 386
05 Sep 2016 08:47 PM
Well, if he has the right tools for it, theoretically, yes.
However, it is difficult, and I dont know if it is really possible via the available hacker tools. But in theory, I believe so, yes.
Dont worry, it wont be an issue.

Remember, 'theoretically' you can explode while reading this. But you needn't worry that, nor this.
Report Abuse
SadisticNub is not online. SadisticNub
Joined: 05 Jan 2013
Total Posts: 4948
05 Sep 2016 08:49 PM
" Well, if he has the right tools for it, theoretically, yes. However, it is difficult, and I dont know if it is really possible via the available hacker tools. But in theory, I believe so, yes. Dont worry, it wont be an issue." Oh boy, I hate to be that one guy, but you have no idea what you're talking about. Actually I love to be that one guy, ###### ## ######
Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
05 Sep 2016 08:50 PM
I understand that a Player object is passed by default, but what if I want to pass anything other than the default parameter? Do I have to pass the Player every time I make any Remote Function calls and verify their permissions to ensure the call isn't malicious?
Report Abuse
SadisticNub is not online. SadisticNub
Joined: 05 Jan 2013
Total Posts: 4948
05 Sep 2016 08:50 PM
ROBLOX butchered my sassy reply.

" Well, if he has the right tools for it, theoretically, yes.
However, it is difficult, and I dont know if it is really possible via the available hacker tools. But in theory, I believe so, yes.
Dont worry, it wont be an issue."

Oh boy, I hate to be that one guy, but you have no idea what you're talking about.
Actually, I do love to be that one guy; you're a moron.
Report Abuse
SadisticNub is not online. SadisticNub
Joined: 05 Jan 2013
Total Posts: 4948
05 Sep 2016 08:52 PM
"I understand that a Player object is passed by default, but what if I want to pass anything other than the default parameter? Do I have to pass the Player every time I make any Remote Function calls and verify their permissions to ensure the call isn't malicious?"

You don't need to pass the player; it's automatically the first parameter when you connect OnServerEvent to a function. Any other data will need to be passes as an argument of FireServer; and it is entirely possible that any data the client sends will be 'malicious'.
Report Abuse
Laedere is online. Laedere
Joined: 17 Jun 2013
Total Posts: 23601
05 Sep 2016 08:52 PM
use
a
module
script


Report Abuse
boatbomber is not online. boatbomber
Joined: 26 Oct 2012
Total Posts: 386
05 Sep 2016 08:52 PM
...wut
Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
05 Sep 2016 08:58 PM
boatbomber, you can't pretend a slim chance of a security breach isn't somethign to worry about. Something in regards to the security of my game could ruin the experience for anyone playing my game if the flaw was exploited.

Thanks SadisticNub, the idea that "the client can never be trusted" is a good practice to go by. Assuming that the Player is passed by default and there is no way for the Player to modify which 'Player' is being passed via their client call, I can regard Remote Functions as a safe procedure.

Assuming their used properly, of course :P
Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
05 Sep 2016 09:01 PM
Laedere, I have no idea how a ModuleScript would replace using Remote calls to secure a game. I believe your point is irrelevant.
Report Abuse
Laedere is online. Laedere
Joined: 17 Jun 2013
Total Posts: 23601
05 Sep 2016 09:03 PM
to my knowledge exploiters cant copy module scripts
meaning that you can require functions from a module script and call functions without exploiters knowing the arguments


Report Abuse
SadisticNub is not online. SadisticNub
Joined: 05 Jan 2013
Total Posts: 4948
05 Sep 2016 09:06 PM
You should be fine as long as you aren't doing anything stupid.

A classic example is an in-game shop.
Bad network model:
- Player wants to buy an item
- Client checks if player has enough money
- If player has enough money, fire the server to buy the item
- Server receives request to buy the item, gives client the item

Better network model:
- Player wants to buy an item
- Client checks if player has enough money; if so, fire the server
- Server receives request to buy the item; server checks if player has enough money / other security checks depending on the context. If so, grants the client's request to buy the item.

In the 2nd example, both client and server check if the player has enough money to buy the item. In the 1st example, this is only done locally, which is not secure. It's much better to check first locally (because there's no point sending a request in the first place if the client believes the player does not have enough money), and if the checks are passed, then fire the server. From there, the server should handle the rest of the authorization and authoritative logic. So yeah, moral of the story is don't trust the client.
Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
05 Sep 2016 09:16 PM
Laedere, the problem involves a call to a function directly from the client, which can't be avoided. The parameters being passed would change based on the choices of the client, which is what is to be expected in normal game flow. The issue resides in these parameters being modified by the client player and how to counteract that part of the situation. SadisticNub has provided a relevant example that covers my question, but I do appreciate your input!

Thank you everyone for your help.
Report Abuse
cxcharlie is not online. cxcharlie
Joined: 26 Aug 2009
Total Posts: 1414
05 Sep 2016 10:28 PM
Most of you guys are completely wrong

ModuleScripts replicated and can easily get stolen

The best exploits (that get cracked very often) have the ability to use a custom function called 'GetRawMetatable' which basically returns the metatable of anything -including userdata like a Remote object.

This can then easily manipulate the data being transferred through the remote:

local m = getrawmetatable(remote)
local fire = remote.FireServer
m.__index = function(s, i)
if i:lower() == 'fireserver' then
return function(self, ...)
print(...) --u can manipulate and see the tuple arguments
fire(...)

...
so basically remotes without some kind of encrypted data being sent can easily get manipulated

Report Abuse
cntkillme123 is not online. cntkillme123
Joined: 10 Feb 2013
Total Posts: 539
05 Sep 2016 10:31 PM
"ModuleScripts replicated and can easily get stolen"
If they're in Workspace or whatever then yes, obviously they won't get replicated if they're in ServerStorage/ServerScriptService

"The best exploits (that get cracked very often) have the ability to use a custom function called 'GetRawMetatable' which basically returns the metatable of anything -including userdata like a Remote object. "
The 'best exploits' lmao you do realize it's easy to get the metatable without having to do any work. Anyone can do it, not the 'best' lmao.
Report Abuse
cxcharlie is not online. cxcharlie
Joined: 26 Aug 2009
Total Posts: 1414
05 Sep 2016 10:36 PM
Well apparently only few exploits support it and they're expensive :/

Also there was a bypass to the ServerStorage/SSS with inserting Roblox Gear (FE compatible ones that contain localscript,serverscript, and some remotes)
Basically you changed what the remote from returned from the server (like children of serverstorage)

however, you could just patch this with FE enabled
Report Abuse
cntkillme721 is not online. cntkillme721
Joined: 17 Sep 2009
Total Posts: 351
05 Sep 2016 10:38 PM
Well I mean if you're not using FE in the first place then it's entirely your fault but sure.
Report Abuse
Wowgnomes is not online. Wowgnomes
Joined: 27 Sep 2009
Total Posts: 26255
06 Sep 2016 12:18 AM
just dont trust client


Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
20 Sep 2017 10:53 PM
Let's say, for example, a player can click on a part and have a value in the leaderboard increment by a certain amount based on the part they clicked. The server would manage everything related to the actual increment of the stored value as well as the leaderboard update, and the client's only job would be to trigger a RemoteEvent based on the part clicked so that the server could determine what to increment the stored value by.

The inconvenient part of this solution is that I now need to wire an individual RemoteEvent for every different increment value I'd like to handle. Is there a way of wiring all the different parts to the same RemoteEvent and hard-coding a value to pass to the server that can't be modified by the client?

Report Abuse
XxStarverxX is not online. XxStarverxX
Joined: 08 Oct 2010
Total Posts: 711
20 Sep 2017 10:57 PM
[ Content Deleted ]
Report Abuse
Whiteanger is not online. Whiteanger
Joined: 20 Dec 2008
Total Posts: 19
20 Sep 2017 11:04 PM
XxStarverxX there's nothing appropriate about relating people with autism to players that attempt to find ways of exploiting Roblox games.

Players are not able to access resources housed on the server unless stored in a location that explicitly copies files from the server to the client. I made it explicitly clear in previous posts that I'm aware that the player is passed as the first parameter by default when using Remote Events.

Your solution is not actually relevant to the question I proposed.
Report Abuse
JarodOfOrbiter is not online. JarodOfOrbiter
Joined: 17 Feb 2011
Total Posts: 20029
20 Sep 2017 11:17 PM
Having fun, guys?

"try using a module script to require code inside of a local script"
That is irrelevant.

"Well, if he has the right tools for it, theoretically, yes"
Read Sadist's reply.

"I understand that a Player object is passed by default, but what if I want to pass anything other than the default parameter? Do I have to pass the Player every time I make any Remote Function calls and verify their permissions to ensure the call isn't malicious?"
It isn't the "default parameter", it is sent no matter what. You need to handle it on the server, again, no matter what.

"use
a
module
script"
Irrelevant. That solves nothing, did you even read the initial post?
Or do you not understand the client-server model? You can't just use a ModuleScript inside of a GUI, it won't work.

"you can't pretend a slim chance of a security breach isn't somethign to worry about."
It isn't something to worry about. The chances of it happening are quite slim, your game is not yet popular, and it is ROBLOX'S job to take care of hackers. They've gotten quite good at it, don't pretend their security is weak anymore. They will fix issues.

"Laedere, I have no idea how a ModuleScript would replace"
You and me both. For the record, I typed "irrelevant" before I scrolled down to your post. Great minds think alike?

"to my knowledge exploiters cant copy module scripts"
They can, just as easily as a LocalScript. Even if that wasn't the case, hackers can still read the Remotes firing. Current hacks that utilize remotes don't read source code, because source code is hard to obtain now. It's irrelevant.


"As for OP's question, the player parameter is passed automatically just check if the name of the player matches a table on the server, problem solved."
"Your solution is not actually relevant to the question I proposed."
Actually, it is.
"Players are not able to access resources housed on the server"
You don't verify their name in the LocalScript, you verify (to quote Starver, "check if the name of the player matches") in a regular Script on the server.




Report Abuse
Previous Thread :: Next Thread 
Page 1 of 1
 
 
ROBLOX Forum » Game Creation and Development » Scripters
   
 
   
  • About Us
  • Jobs
  • Blog
  • Parents
  • Help
  • Terms
  • Privacy

©2017 Roblox Corporation. Roblox, the Roblox logo, Robux, Bloxy, and Powering Imagination are among our registered and unregistered trademarks in the U.S. and other countries.



Progress
Starting Roblox...
Connecting to Players...
R R

Roblox is now loading. Get ready to play!

R R

You're moments away from getting into the game!

Click here for help

Check Remember my choice and click Launch Application in the dialog box above to join games faster in the future!

Gameplay sponsored by:
Loading 0% - Starting game...
Get more with Builders Club! Join Builders Club
Choose Your Avatar
I have an account
generic image