Is this script safe from exploiters?

  1. What do you want to achieve?
    I would like to secure this code security loophole with advice from DevForum!
  2. What is the issue?
    I made this code, but due to the limitations of my scripting skills, I don’t know if this code is safe from abusers.:<
  3. What solutions have you tried so far?
    I tried to prevent it somehow with group role id and passcode, but it seems to be insufficient.

This code is a script that gets information from clients and sends it to everyone! You can think of it as similar to the training notice system of the military game!
I would like to patch the security hole in this code with the help of DevForum!
Any help would be appreciated!

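--Server
game.ReplicatedStorage.Remot.Announce.OnServerEvent:Connect(function(plr,Title,Role,Start,Location,Cohost,Host,Pass)
	-- plr is supplied by the engine; every other argument, including Pass, is sent by the client
	local Group = plr:GetRankInGroup("Cool_id")
	-- passcode check against the value sent by the client
	if Pass == "DW12D-DGEBH-KLRB-12567" then
		-- rank check: the rank is looked up on the server for the firing player
		if Group >= 155 then
			game.ReplicatedStorage.Remot.Announce:FireAllClients(Title,Role,Start,Location,Cohost,Host)
			--WebHook
		else
			plr:Kick("Bad Request")
			--WebHook[exploit]
		end
	else
		plr:Kick("Bad Request")
		--WebHook[exploit]
	end
end)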

I don’t count on it, especially if that thing somehow exists on the client scripts already. The decompiler can simply find it. Sanity checks do not involve arbitrary input from client, always server’s own values to check.

1 Like

Thank you for the answer! If the decompiler can easily bypass group id checks and passcodes, is there an example of how to prevent it via sanity checks?

I’m pretty sure exploiters can view any script, local or server, but they cannot view scripts in ServerScriptService or ServerStorage, so they could just copy the code and fire the remote event with the code they copied from the script.

1 Like

They cannot view actual Scripts, but only local scripts as Exploits are client sided.

3 Likes

Exploits can stop Webhooks from being sent, Project Slayers original ANTICheat was purely made of Webhooks and no actual base. - It failed and was exploited in a matter of less than 10 lines.
The Webhook was blocked and no Alerts were sent.
This can be done by deleting the Remote that sends the webhook and seeing what the remote is via Remote Spy.

Never trust the client, as Exploits are via Client side.

Edit:

The efficient way to stop them is to add an actual base to catch exploiters.
However, all anticheats will get bypassed one day or another and there is no way to stop it for now.

UNTIL Roblox initiates their ANTI Cheat they’re working on.

1 Like

Just to be clear, what exactly is this script supposed to do?

What kind of security hole have you found and why would it be harmful?

What exactly does your password do? Why is it necessary?

1 Like

In your case, it is safe, but you can remove the passcode. This is because the group check is determining the rank of the player sending the remote, and it cannot be changed on the client.

4 Likes

Exploiters can use remote spy to track down events firing with their arguments, so there’s no point of this randomly generated key/pass.

And the use of If statement is correct, but if you are creating a remote event for simulator games then please add debounce so it will help a little.
I’ve seen few devs putting debounce in client scripts instead of server scripts.

1 Like
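Added example, not code from any poster in this thread: a server-side handler for the same remote that drops the passcode, authorises only on the rank the server looks up itself, validates the client-supplied arguments, and keeps the debounce on the server. The remote path and rank 155 come from the question; `GROUP_ID`, `COOLDOWN` and `MAX_LEN` are assumed placeholder values.

```lua
-- Added example (Script in ServerScriptService). GROUP_ID, COOLDOWN and MAX_LEN
-- are assumed values; the remote path and rank 155 are taken from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local Announce = ReplicatedStorage.Remot.Announce
local GROUP_ID = 0   -- placeholder: put the real numeric group id here
local MIN_RANK = 155
local COOLDOWN = 5   -- seconds between accepted announcements per player (assumed)
local MAX_LEN = 100  -- maximum bytes per text field (assumed)
local lastSent = {}  -- [Player] = os.clock() of the last accepted announcement

-- Returns true only if all six fields are non-empty strings of acceptable length.
local function fieldsValid(fields)
	for i = 1, 6 do
		local v = fields[i]
		if typeof(v) ~= "string" or #v == 0 or #v > MAX_LEN then
			return false
		end
	end
	return true
end

Announce.OnServerEvent:Connect(function(plr, ...)
	-- 1. Authorise from server-side data only; plr is set by the engine, not the client.
	local ok, rank = pcall(plr.GetRankInGroup, plr, GROUP_ID)
	if not ok or rank < MIN_RANK then
		return -- log here if wanted; this runs on the server
	end

	-- 2. Server-side debounce: a client-side one can simply be skipped.
	local now = os.clock()
	if lastSent[plr] and now - lastSent[plr] < COOLDOWN then
		return
	end

	-- 3. Never assume argument count or types; the client controls both.
	local fields = table.pack(...)
	if fields.n ~= 6 or not fieldsValid(fields) then
		return
	end

	lastSent[plr] = now
	Announce:FireAllClients(table.unpack(fields, 1, 6))
end)

Players.PlayerRemoving:Connect(function(plr)
	lastSent[plr] = nil -- free the per-player entry
end)
```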

Exploiters can not view server scripts in any way. If the password is only on the server, it can’t be seen. So this script has good enough measures.

1 Like

As long as you’re checking the player’s rank in the group, you don’t need a remote key.

3 Likes

It’s not, since you have to pass the key through the client script to pass it to the server, read the post above.

1 Like

Could you elaborate? I don’t really know why you’re telling me this. You need remote events for this.

1 Like

RemoteEvent passwords aren’t useful. The client and server need to know the password for it to work. So the whole purpose is defeated by that.

3 Likes

By client, do you refer to the player behind the screen that actually knows the password? Or are you just talking about the client itself?

1 Like

Hackers can look at a script if it’s client or server. This script is not safe unless put in ServerScriptService. I doubt the hackers would even understand this though. I think a passcode is good protection against the normal exploiter with absolutely zero scripting experience.

1 Like

Also, why wouldn’t hackers be able to understand this? They can be just as smart as you and me.

1 Like

I just made the edit. The average hacker is just some 14 year old kid who found some script for da hood. They know nothing about how anything works…But yes, some exploiters do have knowledge, I understand that.

1 Like

Well you’re right, that is the average hacker because there are so many free exploits. Hopefully this new anticheat Roblox is adding will at least kill free exploits.

2 Likes

It’s going to kill many of the big brand cheats you see today.
I’m talking about even Synapse (The biggest Exploit on the market today) will be shut down for a good few months. - Due to how overpowered this new anticheat will be.

1 Like