[EXPLOITING] Interactive tutorial explaining how exploiters abuse data store rollbacks

Original Thread: [EXPLOITING] How to prevent exploiters from abusing data store rollbacks and sanitizing against data store vulnerabilities

In my original thread I went over (hopefully) all the ways exploiters could abuse data rollback exploits and several patches you could use.

For this tutorial I instead created a place where you can abuse data rollback exploits with the knowledge learned from my original thread.

Data rollbacks are still a widely abused exploit in popular games, and Roblox themselves have done an awful job explaining these issues. If you wanted to find out these attack vectors existed, you’d have to look through the engine API and guide API, but neither documents any of these errors.

If you wanted to find out these can be abused, you’d have to dig through documentation. Firstly, you’d probably notice the error code reference and see “all the possible errors”. Sadly, this documentation is outdated and is also missing information. You’re told “Cannot store X in DataStore.” but unfortunately are not told what X is. It also contains an outdated error about string length only being allowed to be 65536, when the actual limit you can save is 4000000.

Unfortunately, we are still missing information: what can we save and what can we not save?

By reading the engine API for GlobalDataStore:SetAsync we can find that we can’t save invalid UTF-8, though we are still missing information, like what data types can we save? Unfortunately, there is nothing documenting this and we have to find out ourselves.

Thankfully you don’t have to do that yourself and can just check out this other gist I made with all the types that save: What types can Roblox store? · GitHub

Roblox documentation referenced

Tutorial: Datastore Rollback Playground Course · GitHub
Playground: Datastore Rollback Playground - Roblox

5 Likes
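A pre-save check for the two limits named in the post (invalid UTF-8 and the 4000000 string limit), so a value that SetAsync would reject is caught before the save is attempted. This is an added example, not code from the original thread or its gists. The names `validate` and `checkString` are hypothetical, and the allowed-type list is an assumption (plain booleans, numbers, strings and tables) rather than the tested list in the linked gist.

```lua
local MAX_STRING_LENGTH = 4000000 -- limit quoted in the post

-- Assumption: only these plain Lua types are treated as storable here.
local ALLOWED = { boolean = true, number = true, string = true, table = true }

local function checkString(s, path)
	if #s > MAX_STRING_LENGTH then
		return false, path .. ": string longer than " .. MAX_STRING_LENGTH
	end
	-- utf8.len returns nil plus the offending byte position on invalid UTF-8
	local len, badPos = utf8.len(s)
	if not len then
		return false, path .. ": invalid UTF-8 at byte " .. badPos
	end
	return true
end

-- Walks the value and returns true, or false plus the path of the first problem.
local function validate(value, path, seen)
	path, seen = path or "root", seen or {}
	local t = type(value)
	if not ALLOWED[t] then
		return false, path .. ": unsupported type " .. t
	end
	if t == "string" then
		return checkString(value, path)
	end
	if t == "table" then
		if seen[value] then
			return false, path .. ": cyclic table"
		end
		seen[value] = true
		for k, v in pairs(value) do
			local kt = type(k)
			if kt ~= "string" and kt ~= "number" then
				return false, path .. ": unsupported key type " .. kt
			end
			local ok, err = true, nil
			if kt == "string" then ok, err = checkString(k, path .. ".<key>") end
			if ok then ok, err = validate(v, path .. "." .. tostring(k), seen) end
			if not ok then return false, err end
		end
		seen[value] = nil -- allow the same table to appear twice without a cycle
	end
	return true
end

-- Constructed sample: a player-supplied name carrying a stray 0xFF byte.
local ok, err = validate({ coins = 10, petName = "Rex\255" })
print(ok, err)
```

Call `validate` on the full save table before SetAsync and reject or strip the offending field at the point where the player supplies it, rather than letting the save error.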