Scripting Helpers is winding down operations and is now read-only. More info→
Ad
Log in to vote
1

Are mutating keys good enough for sanity checks in client to server remote events?

Asked by
Rheines 661 Moderation Voter
5 years ago
Edited 5 years ago

I've been working on with RemoteEvents lately, and it is generally recommended that there should be reasonable sanity checks in order to make the game exploit-proof. I can generally do these sanity checks, but I want to ask your opinion of a (maybe) simpler way where the client needs to send a key to the server as an argument, and checks if that key matches a StringValue stored in ServerStorage that changes itself every 1-5 seconds. If not, then it returns and cancels the function. Is this method good or bad?

0
Honestly,this really doesn't make sense to me, there are two scenarios here, you randomize the keys have only have the remote event work a fraction of the time, as localscripts cant detect changes to things in server storage, and the second scenario, you have a mechanism of sending the correct keys on the local script itself, which an exploiter can easily use to fire the remote events theking48989987 2147 — 5y
0
makes sense Rheines 661 — 5y
0
A more sensible approach would be to check if the values being sent to the server are nonsensical, say, checking if an exploiter is sending a negative value for them to a take damage function or sending an astronomically high number for a stat increase function. You can use existing stats on the server to check if a player is manipulating the values or not theking48989987 2147 — 5y
0
I didnt think this deeply enough Rheines 661 — 5y
0
This is security through obscurity, which is generally discouraged. fredfishy 833 — 5y

1 answer

Log in to vote
2
Answered by
brianush1 235 Moderation Voter
5 years ago

No, this is not a proper sanity check.

An exploit could get the source of the localscript, find out how the localscript gets the key from the server, and bypass your checks entirely. While it will stop 90% of exploiters, it only takes one to find out how to do it. The only thing sending a key does is increase bandwidth.

Let's say you're making a rocket. When the client tells the server where the rocket fired, the server could check that the rocket firing position is within ~5 studs of the player. If it's not, the server would not fire the rocket, but it would not kick the player because false positives do happen. The client could then resend the request and it would fire the rocket properly. That way, an exploit can't just fire the rocket from any random position it wants.

Now, if your key is sufficiently short (10 characters or less), it could prove to be a real challenge to most exploiters and not increase bandwidth by too much. However, it shouldn't be your only line of defense if you do decide to use it.

0
Why even include the position of where you're firing the rocket from? Include the target and let the server work it out from where the player character is. fredfishy 833 — 5y
0
Because the player's character won't be at the same position on the server as the client, and in a combat game that could affect the player's experience. Also, angles are an issue. brianush1 235 — 5y
Ad

Answer this question