So the exploiters can't predict what snippet they will get. This is just a theory; it may take some time for me to apply it fully.

The exploiter could also spoof the checked values, but that adds a huge layer of complexity that would hamper all but the most experienced exploiters.

They could have a virtual workspace using tables and metamethods (e.g. replacing the global game with a table which has a metatable; when game is indexed, __index is called (assuming it's a function and a property wasn't indexed for), which will return another fake object (a table) which can also be indexed):

    -- since the global 'game' has been replaced with a table, we aren't actually indexing game
    -- (Metatable, PROPERTY and SOME_VALUE are placeholders in the post)
    local game = setmetatable({}, Metatable) -- a separate table could be used to store other tables which will represent the children of `game`; these separate tables could use the same metatable as game
    game.PROPERTY = SOME_VALUE -- if a script indexes 'game', we'll check if it indexed for a property first

I do agree, it could be a little time consuming at first, but once an exploiter has made a module to create a virtual workspace, they won't need to create it again for each individual game since it should be reusable in almost every other game.

Extra time and friction is now required for exploiters because they get no points for instantly killing their bots. Additionally, "spawn campers" are discouraged because they no longer get points for killing newly spawned players. While defensive design obviously isn't a perfect or comprehensive solution, it can contribute to a broader security approach, along with server-side mitigation.

Server-Side Mitigation

As much as possible, the server should cast the final verdict on what is "true" and what the current state of the world is. Clients can, of course, request that the server make changes or perform an action, but the server should validate and approve each of these changes or actions before the results are replicated to other players. With the exception of certain physics operations, changes to the data model on the client do not replicate to the server, so the main attack path is usually the network events you have declared with RemoteEvents and RemoteFunctions. Remember that an exploiter running their own code on your client can invoke these with whatever data they want: any argument count, any type, any value.

One attack path is for an exploiter to invoke RemoteEvents and RemoteFunctions with arguments of the incorrect type. In some scenarios, this may cause code on the server listening to these remotes to error in a way that is advantageous to the exploiter (a half-applied state change, or a RemoteFunction error message leaking server internals back to the caller). When using remote events and functions, you can prevent this type of attack by validating the types of passed arguments on the server before doing anything with them, and by rejecting bad input rather than letting the handler throw. The module "t" is useful for type checking in this manner. For example, assuming the module's code exists as a ModuleScript named t inside ReplicatedStorage, the validated handler is assigned to the remote like so:

    BuyItemEvent.OnServerInvoke = buyItem

Value Validation

In addition to validating types and data, you should validate the values passed through RemoteEvents and RemoteFunctions, ensuring they are valid and logical in the context being requested. A correctly typed request can still be nonsense: a string that names no item, a price the client chose itself, or a hit on a player standing behind a wall. Two common examples are an in-experience shop and a weapon targeting system.

In-Experience Shop

Consider an in-experience shop system with a user interface, for instance a product selection menu with a "Buy" button. When the button is pressed, you can invoke a RemoteFunction between the client and the server to request the purchase. However, it is important that the server, the most reliable manager of the experience, confirms that the item exists, looks up the price itself, and checks that the user has enough money to buy the item before deducting it; none of these values should be trusted from the client.

[Figure: Example purchase flow from client to server through a RemoteFunction]

Weapon Targeting

Combat scenarios warrant special attention on validating values, particularly through aiming and hit validation. Imagine a game where a player can fire a laser beam at another player.
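The following is an added example, not code from the original page or from Roblox's documentation, showing the server side of the purchase flow above with both kinds of check: runtime type validation with the "t" module (t.tuple, t.instanceIsA and t.string are real functions of that module) followed by value validation against server-owned data. It assumes a ModuleScript named t and a RemoteFunction named BuyItemEvent in ReplicatedStorage, a hypothetical Coins IntValue under each player's leaderstats as the balance, and a hypothetical server-side catalog; these names are assumptions, not part of the original.

```lua
-- Added example (not from the original page): server Script for the shop
-- RemoteFunction. Assumed: ModuleScript "t" and RemoteFunction "BuyItemEvent"
-- in ReplicatedStorage; a leaderstats/Coins IntValue as the player's balance.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local t = require(ReplicatedStorage:WaitForChild("t"))
local buyItemEvent = ReplicatedStorage:WaitForChild("BuyItemEvent")

-- Server-owned catalog (hypothetical data): prices never come from the client.
local CATALOG = {
	Sword = 100,
	Shield = 250,
}

-- Server-side inventories keyed by UserId (hypothetical store, not the page's).
local inventories = {}
Players.PlayerRemoving:Connect(function(player)
	inventories[player.UserId] = nil
end)

-- Runtime type check for the remote's arguments: (Player, string).
-- The engine supplies the player, but checking it costs nothing.
local buyItemCheck = t.tuple(t.instanceIsA("Player"), t.string)

local function buyItem(player, itemName)
	-- 1. Type validation. Return a result instead of erroring: an error in
	--    OnServerInvoke propagates back to the invoking client.
	local ok, err = buyItemCheck(player, itemName)
	if not ok then
		warn(("buyItem: bad arguments from %s: %s"):format(player.Name, tostring(err)))
		return false, "invalid request"
	end

	-- 2. Value validation: the item must exist, and the server decides its price.
	local price = CATALOG[itemName]
	if price == nil then
		return false, "unknown item"
	end

	-- 3. Balance check against server-replicated state only.
	local leaderstats = player:FindFirstChild("leaderstats")
	local coins = leaderstats and leaderstats:FindFirstChild("Coins")
	if not coins then
		return false, "no balance"
	end
	if coins.Value < price then
		return false, "insufficient funds"
	end

	-- 4. Apply the change on the server; the client only receives the outcome.
	coins.Value = coins.Value - price
	local inventory = inventories[player.UserId] or {}
	inventories[player.UserId] = inventory
	inventory[itemName] = (inventory[itemName] or 0) + 1
	return true, inventory[itemName]
end

buyItemEvent.OnServerInvoke = buyItem
```

The client's only input is the item name; price, balance and inventory all live on the server, so a client that invokes the remote with a forged price, a number instead of a string, or a name not in the catalog gets a rejection rather than a crash or a free item.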
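For the weapon targeting case, the following is an added example, not code from the original page or from Roblox's documentation, of server-side hit validation for the laser described above. The client only reports which player it believes it hit; the server checks the argument types with the "t" module, then recomputes whether the shot was possible from server-side state: both players alive, target within range, shooter not firing faster than the weapon allows, and an unobstructed raycast from shooter to target. The RemoteEvent name FireLaser and the constants MAX_RANGE, FIRE_COOLDOWN and DAMAGE are assumptions.

```lua
-- Added example (not from the original page): server Script validating a
-- client-reported laser hit. Assumed: RemoteEvent "FireLaser" and ModuleScript
-- "t" in ReplicatedStorage; tuning constants below are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Workspace = game:GetService("Workspace")

local t = require(ReplicatedStorage:WaitForChild("t"))
local fireLaser = ReplicatedStorage:WaitForChild("FireLaser")

local MAX_RANGE = 200     -- studs; a hit beyond this cannot be genuine
local FIRE_COOLDOWN = 0.5 -- seconds between shots, enforced by the server
local DAMAGE = 25

local lastShot = {} -- UserId -> os.clock() of the last accepted shot

-- Arguments are (shooter, target); both must be Player instances.
local fireLaserCheck = t.tuple(t.instanceIsA("Player"), t.instanceIsA("Player"))

-- Returns the humanoid and root part of a living character, or nil.
local function getAliveHumanoid(player)
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if humanoid and root and humanoid.Health > 0 then
		return humanoid, root
	end
	return nil
end

local function onFireLaser(shooter, target)
	-- Type validation: drop silently, never error on exploiter input.
	if not fireLaserCheck(shooter, target) then
		return
	end
	if shooter == target then
		return
	end

	-- Rate limit: the server, not the client, decides the fire rate.
	local now = os.clock()
	local last = lastShot[shooter.UserId]
	if last and now - last < FIRE_COOLDOWN then
		return
	end

	local _, shooterRoot = getAliveHumanoid(shooter)
	local targetHumanoid, targetRoot = getAliveHumanoid(target)
	if not (shooterRoot and targetHumanoid) then
		return -- dead or unspawned players can neither shoot nor be hit
	end

	-- Range check using server-side positions, not positions the client sent.
	local offset = targetRoot.Position - shooterRoot.Position
	if offset.Magnitude > MAX_RANGE then
		return
	end

	-- Line of sight: raycast from shooter to target, ignoring the shooter's own body.
	local params = RaycastParams.new()
	params.FilterType = Enum.RaycastFilterType.Exclude
	params.FilterDescendantsInstances = { shooter.Character }
	local result = Workspace:Raycast(shooterRoot.Position, offset, params)
	if not result or not result.Instance:IsDescendantOf(target.Character) then
		return -- a wall or another player is in the way
	end

	lastShot[shooter.UserId] = now
	targetHumanoid:TakeDamage(DAMAGE)
end

fireLaser.OnServerEvent:Connect(onFireLaser)
```

Because the server's view of character positions lags the shooter's client by the network round trip, a production system usually adds a small tolerance to the range and line-of-sight checks rather than rejecting every near miss; the point is that an exploiter who calls the remote with a target on the other side of the map, or behind a wall, or a hundred times a second, gains nothing.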