Best way to set up client-server communication?

In the exploiting community, I have seen a lot of scripts going around that unjustly charge or give money to themselves by manipulating data sent through remotes of poorly made client-server models.
This seems like a pretty important topic, and I would like to know what you guys think is the best way to have good client-server communication, keeping things (mostly) secure from exploiters. How do you usually do this? What has worked for your game?

2 Likes

In general you can think about the first 2 rules of client server interaction.

  1. Don’t trust the client
  2. Do NOT trust the client

Anything you put on the client should be expected to be changed in some way and thus you should react appropriately.

Following the rules (with some light exceptions like animations in UIs) can push towards reducing the issues shown through exploiting.

Thinking like an exploiter can also help towards your goal: how can this be broken? How can I abuse it?

(Searching the DevForums may also be a good idea to gain an understanding)

2 Likes

How would you handle certain transactions, for example, buying some item with in-game currency? What is the most secure way? Clearly there are situations where you need to rely on the client to an extent.

It doesn’t seem too meaningful to ask for the “best way” to do X considering there are tons and tons of reasonable ways to do X.

Here’s what I suggest nonetheless:

  • Don’t make the client tell the server the price of something

  • Don’t have any remotes that give rewards without any server validation; this is just begging to get exploited. Say a client needs to complete a quest to get X amount of cash. If you do not do server checks an exploiter can abuse this

  • Do not trust the client, period. Ever. Always assume that all remote invocations are malicious.

2 Likes

Validate the price of the product on the server.
Validate the item they’re buying is the price they say
Give the item on the server and minus the money there

(incapaxx got to it first)

That’s what I was doing already. I guess I’ll just continue using it, thanks for the replies incapaxx and SovereignFrost.

I was kind of hoping there would be some specific server validation method you guys use but I guess the general concept is all you need

But any ideas or suggestions are appreciated

3 Likes

@ndrwcswll

  • User clicks button (and confirms that they want to buy it, if it’s needed)
    • this sends a remote request they want to buy the item.
      • only that item (Ref-ID, name, etc), no extra info, like said this means no price, no description.
  • The server will then validate it with a
    • balance check
    • spam check
    • it’s a valid item, etc.
  • The server will then respond with the fact that it was successful, or had an error.

@incapaxx
There are a few rare times where client trust is required. Animation on the client is one.

Outside of those rare exceptions yes, you should avoid trusting the client as much as you can.

11 Likes

Hai I’m really new to all this, so I don’t have much of an understanding of these remotes. (I’ve only begun reading about this since I feel I might need to use this in one of my projects)

Could it be possible that the user changes the “Ref-ID” of the item (to be something cheaper which they could afford at the moment) and sends that to the server?

Ref-ID is what the server uses to determine what the client is trying to buy. The same way LocalScripts can change the Ref-ID to buy different things, so can exploiters. So yes, the user can change the Ref-ID they’re sending. That doesn’t impact anything else though.

Ref-ID is only used so the client can tell the server what item it wants to buy. The server handles cost and whatnot. The client would be unable to change the price or anything, only the item they want to buy.

1 Like

This post is pretty old but since it was bumped I thought this might help.

All we are doing on the client is sending some piece of data (i.e. an item name) to the server with purposes of buying said item. On the server, we verify that the item exists. I use a folder in ReplicatedStorage which holds all my shop items, each item has unique values such as price, description, display image, etc. Once we know that the item exists, we can do more server verifications such as:

  • does the player already own this item?
  • does the player have enough money to buy this item? (player cash >= item cost)

Once all checks are finished, then ONLY then do we grant the item, deduct the cost.

If there are any errors along the way, simply cancel the request and inform the player that something went wrong.

It may be desirable to add in additional client checks for sake of speed.
If you clearly don’t have enough cash to buy something then you don’t need to inform the server of a purchase request. Just don’t have the client send it in the first place. However, NEVER substitute server checks for client checks, that’s not what I’m saying. I mean both client checks and server checks. Don’t verify something on the client without having the server also verifying the same thing.

Here is what it looks like:
Client checks price > server checks price as well > successful purchase

not

Client checks price > server checks something else > successful purchase

The latter can be circumvented, while the former cannot.

2 Likes
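The purchase flow laid out earlier in the thread (client sends only the item id; server does balance, spam and valid-item checks) and the ReplicatedStorage item-folder approach from the post above, written out as one added Luau example. This is illustrative code added to the thread, not code posted by any participant. It assumes a RemoteFunction named `BuyItem` and a folder `ShopItems` in ReplicatedStorage (each child named by item id with a `Price` IntValue), currency in `leaderstats.Cash`, and an `Inventory` folder under each Player for owned items; all of those names are my assumptions. Note that the client never sends a price, so changing the Ref-ID only changes which item the server looks up, which answers the question above about editing the id.

```lua
-- Script (server side, e.g. ServerScriptService). Added example; names below are assumptions.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

local shopItems = ReplicatedStorage:WaitForChild("ShopItems")  -- assumed catalog folder
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")      -- assumed RemoteFunction

local REQUEST_COOLDOWN = 1  -- seconds between purchase attempts per player (spam check)
local lastRequest = {}      -- [Player] = os.clock() of that player's last request

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- don't leak table entries for players who left
end)

-- Returns (ok, message). Price and balance are read on the server only;
-- the request carries nothing but the item id.
local function handlePurchase(player, itemId)
	-- 1. Shape check: an exploiter can send any type or size of value.
	if type(itemId) ~= "string" or #itemId == 0 or #itemId > 64 then
		return false, "invalid request"
	end

	-- 2. Spam check.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < REQUEST_COOLDOWN then
		return false, "too many requests"
	end
	lastRequest[player] = now

	-- 3. Valid-item check: the id must name a real catalog entry, and the
	--    price is taken from that entry, never from the client.
	local item = shopItems:FindFirstChild(itemId)
	local priceValue = item and item:FindFirstChild("Price")
	if not item or not priceValue then
		return false, "unknown item"
	end
	local price = priceValue.Value

	-- 4. Ownership check.
	local inventory = player:FindFirstChild("Inventory")
	if not inventory then
		return false, "no inventory"
	end
	if inventory:FindFirstChild(itemId) then
		return false, "already owned"
	end

	-- 5. Balance check against server-held currency.
	local leaderstats = player:FindFirstChild("leaderstats")
	local cash = leaderstats and leaderstats:FindFirstChild("Cash")
	if not cash or cash.Value < price then
		return false, "not enough cash"
	end

	-- 6. Only after every check passes: deduct and grant, both on the server.
	cash.Value -= price
	local owned = Instance.new("BoolValue")
	owned.Name = itemId
	owned.Value = true
	owned.Parent = inventory
	return true, "purchased " .. itemId
end

buyItem.OnServerInvoke = function(player, itemId)
	-- pcall turns a malformed request into a denial instead of a server error.
	local ok, result, message = pcall(handlePurchase, player, itemId)
	if not ok then
		warn(("purchase request from %s errored: %s"):format(player.Name, tostring(result)))
		return false, "error"
	end
	return result, message
end

-- LocalScript (client side). The cash check here only saves a round trip;
-- the server repeats it, so bypassing this check gains nothing.
--[[
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local player = game:GetService("Players").LocalPlayer
local shopItems = ReplicatedStorage:WaitForChild("ShopItems")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

local function tryBuy(itemId)
	local item = shopItems:FindFirstChild(itemId)
	local cash = player:WaitForChild("leaderstats"):WaitForChild("Cash")
	if not item or cash.Value < item.Price.Value then
		return false, "not enough cash" -- client pre-check: no request is sent
	end
	return buyItem:InvokeServer(itemId) -- payload is the id only, no price
end
]]
```

The client portion is wrapped in a block comment because Roblox runs Scripts and LocalScripts as separate files; paste it into a LocalScript on its own. The order of the server checks matters: the cheap shape and cooldown checks run before any instance lookups, and the deduction happens last so a failed check can never leave the player charged without the item.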

I don’t think like an exploiter, I’M AN EXPLOITER MUAHAHAHAHAHA, but yeah now I’m remaking my entire game from 0 because when I saw you say that I started doing that and I realized my game is so exploitable people could basically get an infinite-range kill aura if they wanted to with just 3 lines of code

1 Like