Help needed for a exploit/security vulnerability

Awhile back I made a dialog system for my game, and created string codes that let the dialog manipulate the game (like quests)

The way i inplemented this is horribe, The player can just insert these lines with an executer and they can now have access to most things:

-- Using bytenet for networking
local Netwok = require(game.ReplicatedStorage.Network)

Netwok.Dialog.OptionPicked.send({ActionId="?panel.allow:AuthTest",DialogId="",Option=""})

(for abit of context panels are a feature in my game)

This can allow players to skip important things in the game, which is kinda bad. While they cant get access to dev stuff, they can get access to almost anything.

I know this may sound stupid to alot of you, But im not very experienced with security or exploiting, so I dont know what will work and what wont work.

If you can, please tell me ways to do a simular function securly, that way exploiters wont get overpowered things with this vunerability. Its kinda hard for me to find a solution for this.

1 Like

Never trust the client.

When writing code where the client sends information to the server, always validate that data on the server and compare it against what should actually be possible.

For example, if you are making a weapon system and the player sends the server where they shot from and who they hit, the server should verify that information instead of blindly accepting it. You could check the distance between the client-provided origin and the player’s actual server-side position:

(ClientOrigin - Character:GetPivot().Position).Magnitude

Something around 10 studs may be reasonable, though you may need to adjust this or add prediction depending on the type of game.

Another issue is if the client forces the second parameter to be the player they supposedly hit. If you only validate this on the client, the server may accept it without question. To prevent that, the server should perform its own raycast from the client origin toward the hit position and confirm that the target could actually have been hit. You can also check whether the hit position is close enough to the enemy, but this check should usually be more lenient than the origin check to account for movement, lag, and prediction.

This is just a basic security example. For your dialogue system, you should apply the same idea: validate every parameter on the server against what is actually possible. For example, if the client sends an ActionId, check whether the player actually meets the requirements for that action before allowing it. I am not fully sure how your dialogue system is structured, so I cannot give exact advice without seeing it.

Another option, mainly as a deterrent, is encrypting or obfuscating the data you send through ByteNet. Also, ByteNet has been known to have some crashing vulnerabilities, so be careful with how much you rely on it.

3 Likes

This seems to be feasable for me, Thanks. Ill have to redo some of the logic, but I think i can make it work.

1 Like

Im not having alittle trouble understanding what this means, can you please elaborate abit? Im more intrested in this option with encrypting. but I dont know how it would actually play off… What would i be encrypting in the first place is the real question im asking.

You would encrpyt what you send in Base64, buffers, etc. Basically making it harder for people with remote spies to just easily see the arguments you are sending. Like I said before, this will stop basic exploiters, but anyone with a brain would be able to easily work around this, so its more of a honeypot.

4 Likes