ROBLOX Forum » Game Creation and Development » Scripters

Re: Why is HttpGet and HttpPost locked?

mew903
Joined: 03 Aug 2008
Total Posts: 22071
12 Jul 2012 10:17 PM
I don't see why it would be a big deal.

gokoolaid
Joined: 22 Apr 2009
Total Posts: 2361
12 Jul 2012 10:19 PM
Because you can do some pretty undesired things with them. People here are crafty, and that would allow the game to communicate outside of ROBLOX 'owned space'

mew903
Joined: 03 Aug 2008
Total Posts: 22071
12 Jul 2012 10:25 PM
Well couldn't they work the method to where they can only communicate with roblox owned servers?

Quenty
Joined: 03 Sep 2009
Total Posts: 9316
12 Jul 2012 10:27 PM
What if you used HttpGet() to download a virus to everyone's machine through a hack and a cloning of a local script into every player's 'PlayerGui'?

Yep.

I'm glad ROBLOX locked that one.

mew903
Joined: 03 Aug 2008
Total Posts: 22071
12 Jul 2012 10:29 PM
@Quenty
Can you even access someone's machine from in-game?
Also, like I said, roblox could make the functions work to where they can only reach data from roblox's online servers.

gokoolaid
Joined: 22 Apr 2009
Total Posts: 2361
12 Jul 2012 10:31 PM
Hmm... I don't think so... you used to be able to get IPs until they updated that.

But hey, people are crafty, but those methods will stay locked, and honestly, that's how I like them. If you wanna access ROBLOX stuff, there's methods for that.

Quenty
Joined: 03 Sep 2009
Total Posts: 9316
12 Jul 2012 10:42 PM
I just explained how. You insert a local script into their player GUI, using a corescript you got from .dll injections.

Since HttpGet() just loads a page, it'll load a virus...

Furthermore, HttpPost() could be used to send information from the player's input (Even by accident) to your own server, personal information put into the game without them knowing it could be replicated (Hey, 10 year olds are ignorant!).

I like it how it is.

Period.

Also, you can do....

for i = 0, math.huge do -- unbounded loop: one request per iteration
    HttpGet("http://www.roblox.com")
end

Thus crashing ROBLOX! Or they could run a script that removes all your hats.

People might also try....


HttpGet("javascript;")

Or even more stuff.

Let's just say, there are many ways to exploit it.

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 10:48 PM
With the old HttpGet, you could get anything. Including executables, illegal videos (if you know what I mean...), keyloggers, trojans, etc....

Remember when there was that virus outbreak in the ads here a couple of months ago? They nearly got sued for that.

Now, imagine if there's a guy with a good thousand dollars stored on his CC. He has a kid who plays ROBLOX on his family computer. Got it? Let's say he buys a book on Amazon after his kid finishes playing. Problem? The game his kid played installed an undetectable keylogger, and now somebody on the other side has his login details to Amazon - and as a byproduct, his CC information. Now remember, this is even before he ran a virus scan. Who do you think he would blame when he found out what happened? The kid, no doubt - who probably has no idea what happened, but most importantly - ROBLOX. There would be blogs out there saying ROBLOX is a scam, that their program destroyed their computers, that they shouldn't be trusted.

Not only that, but remember Lua is a functional language. If you have a while loop and an ability to access the Internet, you instantly have an ability to DoS servers. What if you make a really popular place with some malicious code embedded inside? That becomes a DDoS. And whose IP shows up in the logs? Not yours. ROBLOX's. And you can only imagine what hell can come from that.

popinman322
Joined: 04 Mar 2009
Total Posts: 5184
12 Jul 2012 10:52 PM
... You could always just get Lua to load a string like machine code (calling it like a pointer) and force a user to save your place to their machine...

popinman322
Joined: 04 Mar 2009
Total Posts: 5184
12 Jul 2012 10:53 PM
HttpGet and HttpPost can only access *.roblox.com sites.

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 11:04 PM
Even worse - you can still DDoS/DoS the site. Which I guess is the only reason standing now, since nothing said before matters now because only ROBLOX links are allowed.

Correct me if I'm wrong, but would modifying the hosts file to point roblox.com to a personal server therefore allow you to use HttpGet with your own files?

HttpGet is unlocked with higher level scripts, right?
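
An added example, not part of the thread and not Roblox's code: one way an engine-side check could enforce the "*.roblox.com only" rule mentioned above while refusing look-alike hosts, userinfo tricks, non-HTTP schemes and off-domain redirect hops. The https-only rule is an assumption added here, so that a name redirected through the hosts file still has to present a certificate valid for that name; all function and constant names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed policy. Only the "*.roblox.com" restriction comes from the thread;
# the https-only rule and every name below are illustrative.
ALLOWED_DOMAIN = "roblox.com"
ALLOWED_SCHEMES = {"https"}


def is_allowed_url(url: str) -> bool:
    """Return True only if url targets ALLOWED_DOMAIN or one of its subdomains."""
    # Backslashes and whitespace are parsed differently by different clients,
    # so refuse them before parsing instead of guessing.
    if any(c in url for c in "\\ \t\r\n"):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname   # lower-cased, with userinfo and port removed
        _ = parts.port          # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    # "https://roblox.com@other.example/" hides the real host behind userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = host.rstrip(".")     # "www.roblox.com." names the same host
    if not host.isascii():
        return False
    # Match on a label boundary: a bare endswith("roblox.com") would also
    # accept "evilroblox.com".
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)


def first_blocked_hop(chain):
    """Check every URL in a redirect chain; return the first refused one, or None."""
    for url in chain:
        if not is_allowed_url(url):
            return url
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real traffic.
    for sample in ("https://www.roblox.com/asset/?id=1",
                   "https://evilroblox.com/",
                   "https://roblox.com.example.net/",
                   "https://roblox.com@example.net/",
                   "javascript;"):
        print(f"{sample!r:45} allowed={is_allowed_url(sample)}")
```
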

popinman322
Joined: 04 Mar 2009
Total Posts: 5184
12 Jul 2012 11:07 PM
Y u wuld sabotage ur own seestem?

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 11:14 PM
I'm not saying that, but, wait...

If you do have an external server with a custom protocol and using my idea, you could theoretically use ROBLOX as an administrative tool to control running processes, reboot/shutdown the system, even run console commands..

Oh, the joy of using things for what they weren't intended for.

popinman322
Joined: 04 Mar 2009
Total Posts: 5184
12 Jul 2012 11:16 PM
> Oh, the joy of using things for what they weren't intended for.

Haha, yeah. x3

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 11:21 PM
"Hey, what program do you recommend for administrating Linux systems remotely?"

"Ummm, well, it's this game called ROBLOX..."

"A game? WTF? Why did we hire you? GET OUT!"

Hehe.

NecroBumpist
Joined: 12 Sep 2010
Total Posts: 4198
12 Jul 2012 11:23 PM
With Post/Get unlocked we should make a ROBLOX SSH client :3

http://yourIP/exec?code=sudo rm -rf /

belial52
Joined: 10 Oct 2009
Total Posts: 8074
12 Jul 2012 11:24 PM
HttpGet and HttpPost locked.

All you have to do is get a client with command bar with elevated permissions.

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 11:27 PM
@Necro

Uh-uh-uh!

http://yourIP/exec?code=sudo+rm+-rf+%2F

Much more feasible :3


Also, y u no use format

JulienDethurens
Joined: 11 Jun 2009
Total Posts: 11046
12 Jul 2012 11:47 PM
The player is technically logged on ROBLOX, right?

So all requests sent with HttpPost are sent as if the user was logged on, right?

And you can send requests with HttpPost to the ROBLOX website, right?

So you could make actions be performed on behalf of any logged on user (non-guest) who visits your place, right?

lmb32
Joined: 27 Nov 2008
Total Posts: 63
12 Jul 2012 11:50 PM
That "right?" is more like an affirmation

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
12 Jul 2012 11:51 PM
@Julien


ROBLOX isn't a browser. It doesn't implement cookies. That being said, the headers would have to be modified so you can put in a cookie with a valid session ID, otherwise all POST requests involving player actions would simply cause a redirect to the login page.

So, no.

belial52
Joined: 10 Oct 2009
Total Posts: 8074
13 Jul 2012 12:00 AM
@Techboy,

game:GetService("CookieService")

Ok?

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
13 Jul 2012 12:09 AM
@bel

I feel like an idiot for actually trying this. Lol.

belial52
Joined: 10 Oct 2009
Total Posts: 8074
13 Jul 2012 12:38 AM
@Tech, Too bad it actually is a service for setting a cookie. I believe that it is used mostly for tracking the games you've been to.

Techboy6601
Joined: 29 Jun 2009
Total Posts: 4914
13 Jul 2012 12:50 AM
Okay, on a serious note, are you just trolling or is this real?