Roblox does stop them, but there is always a workaround. It’s been this way for years.
You can’t prevent it entirely, only temporarily. They’ve gone far enough to simulate the Roblox environment to get the API working.
No and sort of. You can use server and client preventative measures to detect if some behavior you don’t want is occurring or some unknown object enters the environment.
You know, an idea would be to have an internal function that checks to see if a script existed initially or not. You can’t script at runtime anyway. So if there’s a new script (asset id doesn’t exist) just remove it.
I’m sure there are a variety of injections, but this would solve this one.
I only gave him a base of what he could do. He could go for the remote and make an OnServerEvent function that checks if the message is over a certain length. I understand kicking is bad, but it’s one of the only options that he could do aside from deleting the message (which from what I understand might require some scripting).
Developers cannot stop exploiters from injecting scripts into their machine. It’s beyond what we can do. If you insert a script with a nil parent, there’s no way to detect this with ChildAdded or any API event. Exploiters can also insert scripts/objects into RobloxLocked containers that developers can no longer detect. The most we can do is try to stop what these scripts are trying to execute.
It’s a very old security flaw that engineers at Roblox are trying to patch and until now, there seem to be ways around their patches.
If that’s the case then what is the point of making games? If I kick someone or I have a script that kicks someone, it’s so they have a bad user experience. Even if I just wait for a patch, it will get fixed, I’d rather tarnish my game’s experience as it’s for a once a week thing for a very certain experience than wait for a patch.
Keep in mind it is not normally possible to ‘Inject’ scripts into a ROBLOX Server instance and have it execute server-side. Furthermore, :FireServer() is not available on the server.
If you found this in a toolbox model, there’s usually more. Just search up “Script” in your Workspace or whatever, and it’ll show all the scripts in the game, usually named “inject”, “anti-lag”, “anti-exploit”, etc. Just right click and delete it.
If the script was on the server, then I don’t think it would be possible to “sends a lag storm”. This is because the script would not be able to run and an error would be displayed, as FireServer() is a client-only method.
This seems like an issue on Roblox’s part. It’s spamming a default remote event made by Roblox’s built-in chat system which gets spammed to have a user repeatedly say a phrase. I recommend you learn how to make custom modules with Roblox’s chat system and make a custom module to prevent spam or find one. From what I know Roblox does already prevent spam though?
That is not possible unless you use a custom chat system that does not use RemoteEvents.
The client chatbox sends a request to the server asking it to post that message using that RemoteEvent.
And then this is considered a problem in the backend.
The highest hierarchy must have no parent so I guess the entire environment doesn’t exist.
Anyways, nil has various use cases, and the same mechanism is actually used for :Destroy(), except it breaks event connections. It still exists if there is a reference to it in a script.
Well, I’m sorry to say, this is possible and it happens with the typical chat system. On top of that, it uses the /e command to bypass the typical Roblox chat text limit. At least so I assume.
The problem is the methods for doing so are few and far between. They get patched by exploit developers quickly and are easily bypassed by most exploiters. Your best bet is to rate limit chat messages from the server (or even better, queue a few requests to prevent slowdown while still allowing content).
Example:
```lua
-- `remote` is assumed to be the RemoteEvent being protected, defined elsewhere
local keeper = setmetatable({}, {
    __mode = "k" -- This will allow players to be garbage collected when they leave preventing memory leaks
})
local queue = {}
local timeout = 0.1 -- Seconds between requests
local handleRemote
handleRemote = function(player, ...) -- Function to handle remote requests
    queue[player] = queue[player] or {}
    keeper[player] = (keeper[player] or 0) + 1 -- Increment keeper for player
    if keeper[player] >= 5 then -- 5 or more requests within the last `timeout` seconds
        table.insert(queue[player], setmetatable({...}, {__mode = "v"})) -- Add arguments to queue to recall this function
    else
        -- Your remote code
    end
    delay(timeout, function()
        keeper[player] = keeper[player] - 1
        if #queue[player] > 0 then -- Process a queue item
            while #queue[player] > 8 do -- Remove extra queue items above 8 queued items (completely ignore them to prevent insane remote latency due to too many queued requests)
                table.remove(queue[player], #queue[player])
            end
            local args = table.remove(queue[player], 1) -- Take the first item from the queue
            handleRemote(player, unpack(args)) -- Call the handleRemote function again (it'll be requeued if others are queued)
            -- Because this function gets called again the next queue item will be used after timeout
        end
    end)
end
remote.OnServerEvent:Connect(handleRemote)
```
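An added example, not part of the original thread or any poster's code: a server-side guard that combines the message-length check and the rate limit suggested above, using a token bucket that drops excess requests instead of queueing them. The RemoteEvent name `ChatRequest` and the three limits are assumptions chosen for illustration.

```lua
-- Added example. Server Script; "ChatRequest" is a hypothetical RemoteEvent name.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MAX_LENGTH = 200 -- assumed cap on characters per message
local BUCKET_SIZE = 5  -- assumed burst allowance per player
local REFILL_RATE = 2  -- assumed tokens regained per second

local remote = Instance.new("RemoteEvent")
remote.Name = "ChatRequest"
remote.Parent = ReplicatedStorage

local buckets = {} -- [Player] = { tokens = number, last = number }

-- Token bucket: returns true if the player may make a request right now.
local function takeToken(player)
    local now = os.clock()
    local bucket = buckets[player]
    if not bucket then
        bucket = { tokens = BUCKET_SIZE, last = now }
        buckets[player] = bucket
    end
    -- Refill in proportion to elapsed time, never above the burst size.
    bucket.tokens = math.min(BUCKET_SIZE, bucket.tokens + (now - bucket.last) * REFILL_RATE)
    bucket.last = now
    if bucket.tokens < 1 then
        return false
    end
    bucket.tokens -= 1
    return true
end

-- Every argument after `player` comes from the client and is untrusted.
local function isValidMessage(message)
    if typeof(message) ~= "string" then
        return false
    end
    local length = utf8.len(message) -- nil when the string is not valid UTF-8
    return length ~= nil and length > 0 and length <= MAX_LENGTH
end

remote.OnServerEvent:Connect(function(player, message)
    -- The rate limit runs first, so a flood never reaches the validation step.
    if not takeToken(player) or not isValidMessage(message) then
        return -- drop silently; a false positive costs one message, not a kick
    end
    -- Handle the accepted message here.
end)

Players.PlayerRemoving:Connect(function(player)
    buckets[player] = nil -- release per-player state when they leave
end)
```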
This is an open discussion for everyone, including malicious users. Having direct access to the source is a privilege that should be entrusted to whom OP believes is trustworthy.
For cases like this I personally would only trust a verified white hat/black hat, a user with credible knowledge on exploitation, i.e. @Autterfly
When all these companies constantly have security breaches (even the forum software you’re using right now) nothing is fully secure, but ROBLOX gives you the tools to create a proper client-server model.