Is it possible for exploiters to intercept and fire a BindableEvent (Server to Server)?

I am creating a game like Power Simulator, and I created training areas. When a player enters a Part, I fire a BindableEvent (inside Workspace), and when it fires, my Script in ServerScriptStorage receives the values and starts the player's training.

Part :

    local touching = false
    local StartTraining = game.Workspace:WaitForChild("StartTraining")
    local StopTraining = game.Workspace:WaitForChild("StopTraining")

    local module = {}

    -- Returns the touching state stored by the last call to module.Training
    function module.Get()
        return touching
    end

    function module.Training(player, amount, Part, Stat, Touchings)
        touching = Touchings
        if touching then
            -- Server-to-server signal, handled by the Script in ServerScriptService
            StartTraining:Fire(player, amount, Part, Stat)
        else
            -- nothing is fired when touching is false
        end
    end

    return module

ServerScriptService :

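    -- training events --
    -- BindableEvent in Workspace, fired by the Part's module
    local StartTraining = game.Workspace:WaitForChild("StartTraining")
    -- ServerData is defined elsewhere in this script (not shown in the post)
    local AutoTraining = {}

    local function increaseStats(Player, Amount, Stat)
        while true do
            wait(1)
            -- Stop the loop once training has been switched off for this player
            if not AutoTraining[Player.UserId] then return end

            ServerData[Player.UserId]["Stats"]["" .. Stat]["Value"] = ServerData[Player.UserId]["Stats"]["" .. Stat]["Value"] + 50
            print(ServerData[Player.UserId]["Stats"]["" .. Stat]["Value"])
        end
    end

    local function checkIsTrainingArea(player, Amount, Part, Stat)
        print("checkingg")
        print(Amount)
        -- Confirm on the server that the character is really touching the training Part
        local character = player.Character
        if not character then return end
        local touching = Part:GetTouchingParts()
        local ValidPosition = false
        for i = 1, #touching do
            if touching[i] == character.HumanoidRootPart then
                ValidPosition = true
                break
            end
        end

        if ValidPosition == true then
            AutoTraining[player.UserId] = true
            increaseStats(player, Amount, Stat)
        end
        ValidPosition = nil
        touching = nil
    end

    local function stopTrainingF(Player, Part)
        -- HumanoidRootPart belongs to the character model, not to the Player object
        local character = Player.Character
        if not character then return end
        local touching = Part:GetTouchingParts()
        local ValidPosition = false
        for i = 1, #touching do
            if touching[i] == character.HumanoidRootPart then
                ValidPosition = true
                break
            end
        end

        if ValidPosition == true then
            AutoTraining[Player.UserId] = false
        end
        ValidPosition = nil
        touching = nil
    end

    StartTraining.Event:Connect(checkIsTrainingArea)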

I will add more security if exploiters can fire that; if not, I won't. So can they or not?

1 Like

By the looks of it, this is all on the server, so no, they can't access or modify it. Only if you're using Remote Events in your game to talk between client and server, just make sure to put checks on the server and remember to never trust the client.

4 Likes

I’m not an expert on this, but I don’t think they can. Just to be safe, I put events in ServerStorage so it doesn’t replicate.

You don’t need to worry about that. When the client fires a bindable event meant for the server, it isn’t being listened for on the client, so nothing will actually happen. You can test this in game by making a TextBox and Button and then using loadstring(text from textbox) and inserting the script to fire the bindable event.

1 Like

My BindableEvent is inside Workspace (the Part and ModuleScript too), so is this safe?

This is safe as long as you're calling the function in the module from a server script.

EDIT: Never mind, it doesn’t even have to be from a Server Script; it can be from the Client and still be safe.

I am calling it from a server script (inside the Part), so it is safe anyway. And thanks, I already made 4 posts in a row and everyone helped me. I love this forum (only 1 post of mine got ignored).

Exploiters:

Scripts = no
ModuleScripts = no
LocalScripts = yes
BindableEvents = no
RemoteEvents = yes

Well, obviously, depending on which functions and events you use in the Scripts, the exploiters could get access.

2 Likes

This is dependent to be honest.

Edit example:

Someone has a bindable event from client to client. They aren’t good with security so they make tools locally and when this bindable remote is fired they give a tool. Since this is now client to client the bindable event is exploitable.

1 Like

I don’t really know why you’re putting BindableEvents and ModuleScripts in the workspace, but your answer is in the question. It’s server to server. A client cannot intercept it at all. The client and the server each essentially have their own division of connections with a BindableEvent. Read its page for more information.

2 Likes

I don't know, I am new to Lua (literally 3 days), so I don't know if there is a problem with putting the ModuleScript and BindableEvent in Workspace. Where should I put them?

It would be better suited to place Remotes and Modules in ReplicatedStorage.

But ReplicatedStorage is on the client, isn't it? And why is it recommended?

ReplicatedStorage is visible to both the client and the server. The reason it's recommended to put Modules in there is because Modules can be used by the Client or Server, so it's easier to place them all there to be used. As for your Bindable Events and Remote Events, it is just easier to keep them all there so the server and client can see them in case you want to use them on either the server or client.

It doesn’t really matter where you place them, but it just keeps your game neat. Another option for Bindable Events is ServerStorage if they aren’t being used by the client.

It depends on what kind of access you’re facilitating for each item. If the BindableEvent is just intended for the server, put it in ServerStorage in a folder called Events. The ModuleScript can go into ServerScriptService in a folder or by itself if only the server is using it.

2 Likes

Clients can't access auto training, but when I create the manual training (you need to click to get stats), I will need to use a RemoteEvent or RemoteFunction. I don't know which will be better in that case.

I think you know how that works since you played Super Power Simulator.

Are you going to be clicking the button to check your stats or to increase your stats?

Increasing your stats through a RemoteEvent that can be fired by the client is dangerous whilst simply checking them is not.

To increase, see that

These “items” you can equip and click. If you equip the third item, for example, you will start training mind. Of course you only get a little, but this is necessary for beginners that don't have enough power to train in some areas, and even in training areas you need to equip the item and start training (not all, only the Strength area, where you need to punch).

So yes, I will need to increase in that case. I don't know any other way to do that, unless there is an automatic function that fires when a player equips an item that I can use in ServerScriptService. If not, I will need to use a RemoteEvent, client to server.
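
The server-side checks the replies above call for when a client-fired RemoteEvent increases stats, as an added example that is not code from the thread. The RemoteEvent name `ManualTrain`, the tool names, the gain values and the cooldown are assumptions, and `ServerData` here is a stand-in for the thread's table.

```lua
-- Script in ServerScriptService (added example; names below are assumptions)
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical RemoteEvent the client fires on each click; it carries no amount.
local ManualTrain = ReplicatedStorage:WaitForChild("ManualTrain")

-- Server-owned table: tool name -> stat trained and gain per click (constructed values).
local TRAINING_TOOLS = {
	Weights = { Stat = "Strength", Gain = 1 },
	Meditation = { Stat = "Mind", Gain = 1 },
}
local COOLDOWN = 0.5 -- seconds between accepted clicks per player

local ServerData = {} -- stand-in for the thread's ServerData table
local lastClick = {} -- UserId -> os.clock() of the last accepted click

Players.PlayerAdded:Connect(function(player)
	ServerData[player.UserId] = { Stats = { Strength = { Value = 0 }, Mind = { Value = 0 } } }
end)

Players.PlayerRemoving:Connect(function(player)
	ServerData[player.UserId] = nil
	lastClick[player.UserId] = nil
end)

ManualTrain.OnServerEvent:Connect(function(player, ...)
	-- `player` is supplied by the engine; everything in ... is client-controlled and ignored.
	local data = ServerData[player.UserId]
	local character = player.Character
	if not data or not character then return end

	-- Rate limit on the server clock so rapid firing gains nothing over normal clicking.
	local now = os.clock()
	if now - (lastClick[player.UserId] or -math.huge) < COOLDOWN then return end

	-- An equipped Tool is parented to the character; read it here instead of asking the client.
	local tool = character:FindFirstChildOfClass("Tool")
	local config = tool and TRAINING_TOOLS[tool.Name]
	if not config then return end

	lastClick[player.UserId] = now
	local stat = data.Stats[config.Stat]
	stat.Value = stat.Value + config.Gain -- the amount comes from the server table only
end)
```

The client only signals "I clicked"; which stat changes, by how much, and how often are all decided from state the server already holds.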