Are exploiters able to modify the game on the server?

I’m sorry if this topic is in the wrong place, i’m not sure if this is the right place.
So I’ve been studying Filtering Enabled for a bit now, and also studying exploits too. What I’ve found is that there are a lot of level 7 exploits, meaning that it can source. But exploits only run on the client side. So my question is, can exploiters a server script (on the client) in workspace, source it (security level 7), and modify the game on the server?


Exploits don’t really have a level. When people say “level 7”, this refers to the security context level that the exploit is running on. Don’t worry about the whole leveling thing, it’s not necessary to know. Assume exploiters can do anything and everything on the client.

You have it down, exploits are client-sided and can only be that way. Exploiting is to, by definition, take advantage of. These programs take advantage of the inherent fact that clients have full control over their machines and can do as they please, including running foreign code as if it was normal game code.

For your question: clients can make new script objects but the code put in them will not run. Exploiters typically will not tie their exploit code to an instance to begin with, so your security checks will be revolving around what the client is doing rather than what it can but doesn’t add.

Clients are unable to modify the game on the server except in these cases:

  1. The client is authoritative of an instance. This means that what they do to this instance will replicate (be shown) to others. For example, because clients are authoritative of the physics of their character, they can modify how fast they move.

  2. Your game structure is poor and has no security. Clients will be able to fire off remotes and the server will process these requests; without any security or validation, it will assume the requests are valid and perform the actions needed of it.