- Expanding My Knowledge About Exploiter On Roblox -

As the title said, I would like to expand my knowledge about exploiters :man_technologist:. I’ve seen a few videos online, but I still have some questions that I’m not really sure how to answer, or where I can even find the answer.

My main request is: :exclamation:
Can you link the best videos/documentation (in your opinion) that explain exploiters on a deeper level (e.g. how to actually prevent exploiters inside your own game),
and answer my questions below :point_down: (Feel free to correct me if I’m wrong about anything I said)

So for my current knowledge: :brain:
I know that exploiters can see everything inside the services that are replicated to the client, such as: Workspace, ReplicatedStorage, PlayerGui, etc. They cannot access server scripts no matter where they are.
They can manipulate any local scripts in any way they would like (including creating new ones and changing existing ones).
They can only change their own (client) data (such as parts inside Workspace), but if they have ownership of some parts, they can change those parts for every player (the fix for this is just to prevent players from getting ownership of parts).
I also know they can fire any remote event/function inside ReplicatedStorage (or wherever the remote events are), which is where most of the troubles are coming from.

Now my questions are: :question:

  1. How much should I care about exploiters? When should I stop them and when should I not? The obvious answer would probably be that I should stop them if the exploit makes them progress faster, or if they disrupt the gameplay of other players (flings, for example), but should I also care if they, let’s say, change their own UI? Or just change any of their screen visuals? For example: changing the coins TEXT (not the actual data) to 1,000,000,000.

  2. How can I “be an exploiter” inside Roblox Studio for testing purposes?

  3. Can exploiters change custom attributes of parts?
    I happen to be making a game that has a lot of local parts (simulator game). How can I make sure
    exploiters don’t mess up the attributes? (Health attribute, for example)

  4. Last one: exploiters can’t change other players’ local scripts, right?

My Biggest Problem: :sob:
The hardest part for me is to do sanity checks (which is like the only thing you can do to stop exploiters…). I am not really sure what and how I should check most of the time, and also how much control the exploiters have. Any documentation about that would be super helpful!
And to be honest, as a whole I feel like I’m really clueless about how exploiters work, so any helpful documentation about how exploiters work would also be really helpful.

I always try to avoid making long topics, though I failed this time. Hopefully the emojis, numbers and the bold titles helped with this topic’s readability.
Thank you so much for reading all the way to the end! :two_hearts:

1 Like

It should always be on your mind. Ask yourself these when you are done with any system (data systems, etc.):
Would I care about someone exploiting this system?
If yes, then how could I breach this if I were an exploiter?

If your game is a socially interactive game or based on progress (simulators, tycoons, etc.), then you should be a lot more cautious.

Clients modifying their own UI never replicates to the server or other clients; I can’t think of a situation where it would be a problem unless you are using LocalScripts that are using that UI’s data. The thing you should care about is how you structure that UI on the backend.

For example, if you have a shop UI, make it so that the server only listens to requests (purchase item request, etc.) and not sensitive data (the price of the item, etc.).
If you did have a ServerScript listening for the price, the client would be able to send any price data they would like and let’s say purchase the item for 0 currency, without even using the UI.

This is just a basic example by the way, I just tried to explain the general idea.

The most common way is using the built-in Command Bar, although it wouldn’t be a 1:1 replication of a Roblox exploit because the security context level of exploits is usually* higher than it. You could also use plugins that allow you to execute custom threads in a live game if you trust them*, which have a higher context level than the Command Bar. Of course, the perfect practice would be using an actual exploiting software, but that is obviously against ToS and there is always a high risk of you getting viruses.

It is of course a good practice to test your systems as an “exploiter”, but there is no harm in keeping in mind that there isn’t any scenario that would require you to do so, to my knowledge. Exploits are always preventable by you (unless it’s Roblox’s vulnerability) if it’s server-sided and you know how to. If they weren’t, everywhere would be filled with exploiters and no game would be playable as intended. You just have to think of every possible vulnerability and/or fix them before they are abused.

Yes, however only for themselves.
You’ve said that they are “local parts”. If you mean by that they are created by the client (LocalScripts or Scripts with RunContext set to Client), then they wouldn’t be replicated to the server, so the server naturally wouldn’t be able to prevent anything from the client interacting with those parts.

Make sure that the parts exist for the server too and that the attributes are modified by the server.

Nope, they aren’t even replicated to them.

The main practice of making sanity checks on Roblox is checking the data sent by RemoteEvents or RemoteFunctions on the server side.

You can search about this topic in DevForum too.

Extra Sources:

3 Likes
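
The shop example and the RemoteEvent sanity checks described in the answer above, written out as an added example that is not part of the original posts: a server Script that accepts only an item name from the client, takes the price from server data, and keeps the balance on the server. The names `PurchaseItem`, `CATALOG`, the `Coins` attribute, the cooldown and the starting balance are assumptions made for illustration.

```lua
-- Script in ServerScriptService (added example; all names are hypothetical)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Prices live only on the server; the client never sends them.
local CATALOG = {
	Sword = { price = 100 },
	Shield = { price = 250 },
}
local COOLDOWN = 0.5 -- seconds between accepted requests per player

local purchaseEvent = Instance.new("RemoteEvent")
purchaseEvent.Name = "PurchaseItem"
purchaseEvent.Parent = ReplicatedStorage

local coins = {}       -- [Player] = balance, the server-side source of truth
local lastRequest = {} -- [Player] = os.clock() of the last processed request

Players.PlayerAdded:Connect(function(player)
	coins[player] = 500 -- constructed starting balance
	player:SetAttribute("Coins", coins[player]) -- replicated copy, display only
end)

Players.PlayerRemoving:Connect(function(player)
	coins[player] = nil
	lastRequest[player] = nil
end)

purchaseEvent.OnServerEvent:Connect(function(player, itemName)
	-- 1. Type check: a client can send any value, or none at all.
	if typeof(itemName) ~= "string" then return end

	-- 2. Rate limit: ignore requests fired faster than the cooldown.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < COOLDOWN then return end
	lastRequest[player] = now

	-- 3. Look the item up in server data; unknown names are rejected.
	local item = CATALOG[itemName]
	if not item then return end

	-- 4. Check the balance the server holds, not anything the client reports.
	local balance = coins[player]
	if not balance or balance < item.price then return end

	coins[player] = balance - item.price
	player:SetAttribute("Coins", coins[player])
end)
```

A client that edits its coins text or its local copy of the `Coins` attribute changes only what it sees; the purchase decision reads the server's `coins` table.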

Thank you so much for taking your time to answer!! :white_heart: I will most definitely check out the links you’ve provided and I will keep exploring more on the topic!

1 Like