How to prevent exploits

But there are tools like Remote Spy for finding the event, and if it’s being fired from a local script, they can access it and get the key.

What I mean is, something like this:

Event:FireServer("XD_Ef24")

Is that exploitable?


Remote Spy shows the arguments, so they could see

"XD_Ef24"


This is highly exploitable if you are just testing whether the string matches.

There is no way to pass a “safe key” or anything of that sort. Assume the client is always an exploiter instead.

The client should never be allowed to change any value without verifying it in the server extensively first.

For example, if the client is buying an item, you would first check if they have enough cash and then fire the server with the item the client wants to buy. The server would then verify that the item exists, is valid, and that the client is able to purchase it. Only after verifying the request should the server carry it out.

The only reason you perform validation on the client is to update the UI without having to request the server and wait for a response. The server is always the be-all and end-all for whether a request is valid or not.

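The server-side verification described in the post above, written out as an added example (not code posted by anyone in this thread). It assumes a RemoteEvent named `PurchaseItem` in ReplicatedStorage, a `Cash` IntValue under the player's `leaderstats`, and a constructed item catalog:

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not from the thread.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed RemoteEvent: the client only says WHAT it wants, never the price.
local PurchaseEvent = ReplicatedStorage:WaitForChild("PurchaseItem")

-- Server-authoritative catalog (constructed sample data). Prices live here,
-- so a tampered client cannot choose its own price.
local CATALOG = {
	Sword = 100,
	Shield = 250,
}

-- Pure validation step: returns true plus the price, or false plus a reason.
local function validatePurchase(cash, itemName)
	-- An exploiter can send any type over the remote; reject non-strings first.
	if typeof(itemName) ~= "string" then
		return false, "bad argument type"
	end
	local price = CATALOG[itemName]
	if price == nil then
		return false, "unknown item"
	end
	if typeof(cash) ~= "number" or cash < price then
		return false, "insufficient funds"
	end
	return true, price
end

PurchaseEvent.OnServerEvent:Connect(function(player, itemName)
	-- `player` is supplied by the engine, so the client cannot spoof who is buying.
	local leaderstats = player:FindFirstChild("leaderstats")
	local cashValue = leaderstats and leaderstats:FindFirstChild("Cash")
	if not cashValue then
		return
	end

	local ok, result = validatePurchase(cashValue.Value, itemName)
	if not ok then
		-- Log rejections; a burst of these from one player is a useful signal.
		warn(("%s: rejected purchase of %s (%s)"):format(player.Name, tostring(itemName), result))
		return
	end

	-- Only after every check passes does the server touch the stat.
	cashValue.Value -= result
	-- Grant the item here, from server-side inventory state.
end)
```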

But how would you verify a checked status?

There’s no generic one-solution answer to that question. I’d need more specifics than that.

What do you mean by ‘checked status’?

Also, generically preventing all exploits isn’t really possible. Telling us what specifically you want to prevent is a better choice.

What exactly are you trying to prevent?

I’m trying to prevent leaderstats from being hacked through the values on the client.

Adding values or changing the values completely? Like say adding 100 million points or changing points to hacked.

Yes. I’m trying to stop hackers from changing their stats, or other players’ stats, on the client side, which shows the folder that contains the leaderstats.

You don’t need to do this, it’s client sided. It will only happen to them. If you handle anything shop related (like buying items) on the server, then you’re ok. If they change a value on their client, it won’t replicate to the server due to Filtering Enabled. Just handle anything purchased with in-game currency on the server and you’re good to go.

I have a save system for my DataStore. So when they change the values on the client it saves. Which makes it hacked. So how do you fix that?

Your data store is on the server. I’ll test adding cash now with my own datastore and see if that replicates through the datastore.

Ok, so depending on how your datastore is set up, this won’t replicate.

How I have mine set up is that every time the cash changes for a player, it saves the data (this is on the server). I don’t suggest doing this if you’re constantly adding cash to the user, as it will result in queues.

If your datastore is set up correctly, then no, this won’t actually replicate through to the datastore, as it’s picking up the Changed event on the server.

TL;DR: See below

You should be saving data on the server, not the client. Values will not replicate from client to server unless you have insecure remote events that allow the client to modify the server value as well.

Can I show you my DataStore on discord with screen share?

I can’t really accept friend requests as I simply get too many. If you send us your script here, we might be able to look into it.

If you’re not sure about how safe your datastore is, or whether you’re doing it wrong, I suggest you read up on the following topics:

and use this video to help:


Okay, thank you. I appreciate it.


You shouldn’t worry too much about that, as exploiters have the ability to counter anything you secure on the client side (using a LocalScript).

They won’t be able to change their leaderstats globally (for everyone), only on their client (unless you’re letting the client fire a remote event to update the leaderstats, which is a BAD idea if it doesn’t have any sanity checks), and in general, let the server handle it.