Question About Loadstring

I’ve seen some people loadstring is not good to enable, and I’ve seen other people say it’s fine to enable as long as there are no backdoors in your game.

I need a straight answer WITH PROOF.

Is it fine to enable ServerScriptService.LoadStringEnabled?

Will it make my game vulnerable to exploits?

I currently have a use-case for loadstring, but I need a straight answer before I do anything with it.

This prompt appeared when I attempted to enable it in Studio.
image

I don’t know if the prompt message is misleading or not, so can someone give me a straight answer with proof on whether loadstring is fine to enable or not?

And if loadstring is unsafe to use, are there any alternatives that would have the same functionality as loadstring?

It’s not dangerous unless you allow clients to give the server code to run via remotes.

Unless you’re using remotes there’s no dangers to it
If you are using remotes, make sure to check who’s firing the event on the server.

Do you mind giving an explanation on how loadstring works and how exploiters can use it to minipulate the server if the remotes are insecure?

I thought that I have to put sanity checks on my RemoteEvents regardless of whether loadstring is enabled or not.

Loadstring takes a string and compiles it to be run as code via the function it returns.

-- some sample code
local compiledChunk, errorMessage = loadstring("print('This is some code!')")

if compiledChunk then
	compiledChunk()
else
	-- this will most likely happen because of a syntax error
	warn(errorMessage)
end

Now how exploiters can abuse it is simple. General thing to do is to always sanity check your RemoteEvents but say you didn’t for the loadstring.

-- exploiter's client script
loadStringRemote:FireServer("warn('Pretend this is some code that does some very bad things!')")
-- Server Script
loadStringRemote.OnServerEvent:Connect(function(player, sourceCode)
	loadstring(sourceCode)() --> "Pretend this is some code that does some very bad things!"
end)

I’m not sure what your use case for loadstring is, but I’m going to assume it’s just to send code over to the server to handle from a gui since that’s what it most commonly is, especially with backdoors. So I would make it do this for a sanity check.

-- Server Script
loadStringRemote.OnServerEvent:Connect(function(player, sourceCode)
	if player.UserId == game.CreatorId then
		loadstring(sourceCode)() --> "Pretend this is some code that does some very bad things!"
	else
		player:Kick()
	end
end)

Alright. Thanks!

Is there an alternative that works the same way as loadstring that I can use instead of it to not have to worry about exploiters abusing it?

There’s ModuleScripts that replicate the behavior but honestly I would just use regular loadstring with sanity checks if you absolutely need loadstring for your game.

A custom loadstring module is something that serversides use, after investigating them for a while.

Exploiters can locally bypass loadstring() on the client. On the server, it requires a serverside, and serversides usually do it with a custom loadstring module.

I do not in anyway recommend enabling LoadStringEnabled for your game. For what purpose are you going to use it for?

AS WELL Adonis Admin uses loadstring / used to use it. MODULE SENT IN DC

I have an admin command system, and currently I’m in the process of making an “:execute” command that executes a piece of code. The easiest way to do this is to use loadstring, but I created this topic to ask if it’s safe to use.

Then it will be a perfect feature the module, as Adonis uses this and you can check their source code as they’re open source

How do I use the module exactly for my use-case?

Take a look at Adonis, as I haven’t used this module in a while. Run the function with the string and env, in your case the code would be the string / the parsed message for the command after the :execute, env not so sure about as I haven’t taken a deeper look in Adonis / the script environment.

local loadstring = require(ModuleScript)
Keep in mind that the regular loadstring and a module loadstring are both as equally insecure when it comes to the client requesting the server to load it.

Also @MasterTiitus, that module has a backdoor in it within Loadstring.LuaY.
Screenshot (11835)

2 Likes

Thank you for noticing, I have informed the topic creator to remove this, and will remove the link.
Did not have full time to check this, however it is a real module so guessing a plugin infection.

The module is just more convinient if the creator plans to go public and overall use.
Noticed I sent the wrong link, should’ve checked it, as well as the backdoor module tells the reason for it, used for his own module but technically a backdoor. EinsteinK is a trusted creator as well determined from the profile.