Hackers/Exploiters

I’ve looked at a lot of forum posts, and sometimes I see things about vulnerabilities to hackers/possible exploits when placing things on the client side rather than the server side. What do I need to keep in mind while designing my game to mitigate the possibility of exploits? How often does this kind of thing happen, and what negative outcomes can/usually do occur?

Basically, the golden rule is:

Never trust the client


Exploiters have complete control over their client and are able to fake requests to remote events and mess with things under their control (i.e. local scripts).

When designing a system, just make sure to sanity check on the server. If the client suddenly moves 10000 studs in less than a second, check that on the server. If the client says that they shot a person with their gun, make sure that the server checks if it’s possible to shoot the person from the client’s position.

Exploits happen all the time, and can typically lead to negative player experiences if you don’t handle them properly.

5 Likes

Remember one thing:

NEVER. TRUST. THE. CLIENT.

Think of it this way. Would you grab a random person in a server, and give them admin? No? Well, that's what you'd essentially be doing by trusting the client with precious information, especially when relevant to other clients.

(Alright, maybe that was a little overexaggerated, but you get the point)

So, you need to refrain from handling things like shop systems, admin systems, etc. too much on the client. Also, make sure to make anti-exploits server-sided.

Imagine making a ban panel from client to server; the exploiter can just fire the remote and ban everyone.

At least you can’t handle DataStores on the Client. Imagine beginner scripters trying to make ban systems, and just handling it all on the Client :flushed:

RemoteEvent is the hero for the exploiters.

1 Like

It’s also their greatest weakness. Remember the reason RemoteEvents are there in the first place: client-server communication. Without that, local scripts would have to be able to access server scripts directly.

Do server-side checks. For example, if you want to make a shop, instead of checking if the player has enough money on the client, do it on the server.

RemoteEvent.OnServerEvent:Connect(function(player, variable)
  -- hackers is the person who fires it
  -- idk how the exploit works but
  if (player.Name == 'robloxgamer123') then
    print('it is an admin')
  else
    print('sus!')
  end
end)
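The server-side shop check described above, as an added example that is not part of any post in this thread. The RemoteEvent name `BuyItem`, the `leaderstats.Coins` IntValue, the price table and the rate limit are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; names are assumptions.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumed: a RemoteEvent named "BuyItem" exists in ReplicatedStorage.
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Prices live only on the server; the client sends an item name, never a price.
local PRICES = { Sword = 100, Shield = 250 } -- constructed sample catalogue

local MIN_INTERVAL = 0.5 -- assumed: seconds between accepted requests per player
local lastRequest = {}

-- Returns (true, price) only for a known item the balance can cover.
local function canAfford(balance, itemName)
	if type(itemName) ~= "string" then return false end -- wrong type from client
	local price = PRICES[itemName]
	if price == nil then return false end -- unknown item
	return balance >= price, price
end

buyItem.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine; every other argument is client-controlled.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then
		return -- drop spammed requests
	end
	lastRequest[player] = now

	-- Assumed: currency is an IntValue at player.leaderstats.Coins, created by the server.
	local stats = player:FindFirstChild("leaderstats")
	local coins = stats and stats:FindFirstChild("Coins")
	if not coins then return end

	local ok, price = canAfford(coins.Value, itemName)
	if not ok then
		warn(("Rejected purchase from %s: %s"):format(player.Name, tostring(itemName)))
		return
	end

	coins.Value -= price -- the balance changes only after the server-side check passes
	-- Granting the item is game-specific and also belongs here, on the server.
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- free per-player state
end)
```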

lol I didn’t mean that RemoteEvents didn’t assist exploiters, I just said that they were kinda weaknesses as well. Also we should stop before this gets too off-topic

1 Like