xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 18 Oct 2016 07:29 PM |
The title says it all...
Any ideas and suggestions? I have found out exploiters are able to do this in one of my games, which results in corruption in gameplay.
Can the remote events be stored in the Server Storage and be called on a client script? |
|
|
|
|
Dev_Ryan
|
  |
| Joined: 10 Mar 2013 |
| Total Posts: 243 |
|
|
| 18 Oct 2016 07:35 PM |
LocalScripts can't access ServerStorage, they can however access ReplicatedStorage, which is where I put my RemoteEvent and RemoteFunctions.
I also have it so server Scripts check the authenticity of the RemoteEvent or RemoteFunction calls from the client by checking a "key", which is a string of random letters and numbers that gets passed from LocalScript to Server scripts, kind of like encryption but it's just a simple string check (for now, until I can learn more about script security). Hope this helps!
|
|
|
|
|
|
| 18 Oct 2016 07:36 PM |
Yes; you should store all RemoteEvents in ServerStorage
While you're at it, disable FE
https://www.roblox.com/library/359444683/H-W-A-Arrow |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 18 Oct 2016 07:42 PM |
Yes, this is where I have all my remote events and functions stored, however, exploiters still can access and fire them.
Could you please elaborate on your random key string idea? |
|
|
|
|
cabbler
|
  |
| Joined: 19 Jun 2015 |
| Total Posts: 735 |
|
|
| 18 Oct 2016 07:50 PM |
| Are exploiters able to see what arguments the remoteevents normally fire? |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
| |
|
solar_DEV
|
  |
| Joined: 23 May 2014 |
| Total Posts: 2007 |
|
|
| 18 Oct 2016 08:07 PM |
| Generally yes, exploiters can see what the arguments you pass a remote event are. It really does defeat the point of trying to use a key to verify inputs. |
|
|
|
|
Egzekiel
|
  |
| Joined: 10 Jan 2011 |
| Total Posts: 1079 |
|
|
| 18 Oct 2016 08:07 PM |
Use a hashing method.
It consists of another argument in your function that is a hash (generated code, usually really hard to brute-force), and you use an if statement to check if the hash is correct; else it kicks the player.
|
|
|
|
|
cntkillme
|
  |
| Joined: 07 Apr 2008 |
| Total Posts: 44956 |
|
|
| 18 Oct 2016 08:14 PM |
| Or just use FE how it's meant to use FE and don't give the client any power to begin with. |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 18 Oct 2016 08:19 PM |
| Can you give a more detailed example of the hashing method, please? |
|
|
|
|
|
| 18 Oct 2016 08:25 PM |
local key = (math.random(1000000, 9999999)..""):rep(10)
local event = game.ReplicatedStorage.RemoteEvent
event:FireServer(key)
https://www.roblox.com/library/322704057/Hillary-Clinton |
|
|
|
|
|
| 18 Oct 2016 08:26 PM |
Fixed
local key = (math.random(1000000, 9999999)..""):rep(1000)
local event = game.ReplicatedStorage.RemoteEvent
event:FireServer(key)
https://www.roblox.com/library/493199352/I-hate-trump |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 18 Oct 2016 08:27 PM |
Okay?
How would the remote event check if it generated the right code?
And since it is firing from the client, don't you think clients can make up the key? |
|
|
|
|
cabbler
|
  |
| Joined: 19 Jun 2015 |
| Total Posts: 735 |
|
|
| 18 Oct 2016 08:32 PM |
| cntkillme, how would you ever be able to send info to the server? |
|
|
|
|
cntkillme
|
  |
| Joined: 07 Apr 2008 |
| Total Posts: 44956 |
|
|
| 18 Oct 2016 08:38 PM |
You validate it on the server, it's not a hard concept to understand.
|
|
|
|
|
sparker22
|
  |
| Joined: 11 Mar 2010 |
| Total Posts: 846 |
|
|
| 18 Oct 2016 08:45 PM |
Yeah don't give the client any power.
If you have to receive data from the client, validate it as accurately as possible.
Don't be dumb with it, places like Redwood prison do it all wrong. It lets the client tell the server to give it guns. Like no ???? |
|
|
|
|
Jash50
|
  |
| Joined: 14 Jul 2011 |
| Total Posts: 86 |
|
| |
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
| |
|
Praelance
|
  |
| Joined: 18 Oct 2016 |
| Total Posts: 607 |
|
|
| 19 Oct 2016 11:27 AM |
I believe you have the wrong attitude towards this. Allow me to explain.
When you think of using RemoteEvents & RemoteFunctions, think of it as nothing more than a request. The client is requesting the server to do something. To use an analogy, let's say you are the server and I am a client. I *request* that you give me $500. You, the server, are the authority figure.
Assume the client can and will send any data to the server. They are merely requesting an action to occur, which you have no obligation to fulfill. You should be verifying the input server-side.
I do not believe any of these key solutions are at all effective and I consider them to be security through obscurity, though I may be misinformed.
|
|
|
|
|
|
| 19 Oct 2016 11:32 AM |
^ You're not wrong. It's also a waste of bandwidth. Inefficient scripters should be banned!
https://www.roblox.com/library/493199352/I-hate-trump |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 19 Oct 2016 11:35 AM |
| I agree but there could be some solutions. |
|
|
|
|
TimeTicks
|
  |
| Joined: 27 Apr 2011 |
| Total Posts: 27115 |
|
|
| 19 Oct 2016 11:41 AM |
It is as simple as verifying values on the server. Stop trying to overcomplicate it.
re.OnServerEvent:connect(function(plr, reason, val)
    if reason == 'Test' then
        if val > 5 and val < 10 then
            --blah
        else
            print(plr.Name..' is suspected of exploiting', reason, val)
            --plr:Kick()
        end
    end
end)
|
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 19 Oct 2016 12:35 PM |
| I understand where you're coming from, however, I have been informed that exploiters could view the LocalScript. Don't you think they would be able to see reason and value when firing a server event from the client? |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 19 Oct 2016 12:39 PM |
For example, in order for an original script to work
re.OnServerEvent:connect(function(plr, reason, val)
    if reason == 'Test' then
        if val > 5 and val < 10 then
            --blah
        else
            print(plr.Name..' is suspected of exploiting', reason, val)
            --plr:Kick()
        end
    end
end)
you must state the reason and value in the LocalScript as follows
clickDetector.MouseClick:connect(function(hit)
    game.Workspace.MyServerEvent:FireServer(REASON, VALUE)
end)
which can be viewable for the exploiter |
|
|
|
|
xMrBear
|
  |
| Joined: 10 Oct 2011 |
| Total Posts: 358 |
|
|
| 19 Oct 2016 12:43 PM |
| re:FireServer(REASON, VALUE) **** |
|
|
|
|
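The "treat FireServer as a request and validate on the server" advice from the replies above, as an added example that is not code from any poster in the thread: every value the decision depends on is owned by the server, so a client that can read the LocalScript or replay the arguments gains nothing. The RemoteEvent name `BuyItem`, the `PRICES` table and the `Coins` leaderstat are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; "BuyItem",
-- PRICES and the "Coins" leaderstat are hypothetical names.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- a RemoteEvent

-- Authoritative data lives on the server; the client never sends a price.
local PRICES = { Sword = 100, Shield = 250 }
local COOLDOWN = 1      -- seconds between accepted requests per player
local lastAccepted = {} -- [UserId] = os.clock() of the last accepted request

-- Pure decision function: returns true, price  or  false, reason.
local function validate(itemName, coins, sinceLast)
    if type(itemName) ~= "string" then
        return false, "itemName is not a string"
    end
    local price = PRICES[itemName]
    if price == nil then
        return false, "unknown item"
    end
    if sinceLast < COOLDOWN then
        return false, "rate limited"
    end
    if coins < price then
        return false, "insufficient coins"
    end
    return true, price
end

buyItem.OnServerEvent:Connect(function(player, itemName)
    -- 'player' is supplied by the engine, not by the client's arguments.
    local stats = player:FindFirstChild("leaderstats")
    local coins = stats and stats:FindFirstChild("Coins")
    if not coins then return end

    local now = os.clock()
    local last = lastAccepted[player.UserId] or -math.huge
    local ok, result = validate(itemName, coins.Value, now - last)
    if not ok then
        warn(player.Name .. " request rejected: " .. result)
        return
    end
    lastAccepted[player.UserId] = now
    coins.Value = coins.Value - result
    -- Grant the item here from a server-owned template (e.g. in ServerStorage).
end)

Players.PlayerRemoving:Connect(function(player)
    lastAccepted[player.UserId] = nil
end)
```

The matching LocalScript only needs `buyItem:FireServer("Sword")`; there is no key or secret in it to protect.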