I’ve been using RemoteFunctions & Events for a while now. I was unaware that there are a lot of Exploits and I thought usage of them prevented them from happening. I have a case where I change the data of a player by using the Client to call the Server to do so. I’ve been thinking of a solution but haven’t found one yet. Should I remove this from the Client or is there a way to have the Server make sure it’s right?
Always make sure your server has a check. Even if you check on the client people may bypass this.
Assuming you figure out a method to check if a client is doing something, you could use that as a check. For example, if a client has to click a button to earn money, and it’s a physical button, maybe on the server use a check to ensure the player is actually within range to push the button. That’s a good check in my opinion for starters.
I like to lock my remote events with random strings. It’s not the most secure, but honestly it makes it that much harder for exploiters to use them, so why not!
Well, there are three main solutions to this problem:
- Use Server-Side checks to ensure that it is very hard to exploit. Adding on to @Conmmander’s reply earlier, you could indeed check if the player’s location is where they should be. You can also calculate things like debounce on server side, if the button can only be clicked once a second but the remote is being fired 10x a second – you have an exploiter. Note: Network lag may affect the timing of remotes, so be careful if you use this to server-side check remotes.
- Keep important scripts server-side
If we use the button example: Have a server side check when the button is clicked and give money.
Here is a bit of an extended example:
Let’s say you have a shop UI.
Scenario #1:
In a localscript, when the player presses the buy button it:
Calculates the new amount of money the player should have, and then the item they need now. Then the script fires a remote to the server to update the stats and give the player the item.
Scenario #2:
In a localscript, when the player presses the buy button it:
Fires a remote to the server to request the purchase. Then the server calculates the new amount of money the player has and gives the item.
Now, in scenario #1, I could send a remote with the following script run in Synapse.

```lua
game.ReplicatedStorage.ShopRemoteEvent:FireServer(10000000, "Legendary Sword")
```
Now, it will write my money to be at 10000000 and give me a legendary sword.
I couldn’t do the same in Scenario #2 because I can’t control the stats. I could request a purchase using an exploit – but that would be the same exact thing as pressing the button and there is no real advantage gained.
- Use an encryption method. I am not personally familiar with this field, but theoretically you could develop an encryption method but this method would be fairly complicated, due to the fact that an exploiter could theoretically read all your localscripts, so whatever encryption method you would use, you would have to make it heavily server-sided to make sure that an exploiter couldn’t just copy and paste the encryption algorithm into their own exploit software.
Note: Not sure if you already know this, but this is how some exploits work. I believe most work like this but I do not know. Anyways, some exploits can inject Lua into your game and run it. When they run scripts, they are run as a local script, so when you are trying to prevent exploiting, just imagine that an exploiter can put a new localscript anywhere in your game, and execute whatever code he wants in that localscript.
Hope this helps!
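Added example, not part of the original thread: a server Script for Scenario #2 that combines the checks discussed above (server-owned prices, a server-side debounce, and a range check). `ShopRemoteEvent` is the remote named in the post; the `ShopCounter` part, the `leaderstats.Money` value, the `ServerStorage.Items` folder and the price table are assumptions made for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). The client sends only the item name.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerStorage = game:GetService("ServerStorage")

local shopRemote = ReplicatedStorage:WaitForChild("ShopRemoteEvent")
local shopCounter = workspace:WaitForChild("ShopCounter") -- assumed Part marking the shop
local items = ServerStorage:WaitForChild("Items")         -- assumed Folder of Tool templates

local PRICES = { ["Legendary Sword"] = 5000, ["Wooden Sword"] = 50 } -- constructed sample data
local MAX_DISTANCE = 15 -- studs, assumed reach of the shop
local MIN_INTERVAL = 1  -- seconds allowed between purchase requests
local lastRequest = {}  -- [Player] = os.clock() of the last processed request

shopRemote.OnServerEvent:Connect(function(player, itemName)
	-- 1. Validate argument type and look the price up on the server.
	--    Any extra arguments (such as a client-computed balance) are ignored.
	if typeof(itemName) ~= "string" then return end
	local price = PRICES[itemName]
	local template = items:FindFirstChild(itemName)
	if not price or not template then return end

	-- 2. Server-side debounce. Requests arriving too fast are dropped rather than
	--    punished, because network lag can bunch legitimate remotes together.
	local now = os.clock()
	if lastRequest[player] and now - lastRequest[player] < MIN_INTERVAL then return end
	lastRequest[player] = now

	-- 3. Range check against the position the server sees. Character position is
	--    client-influenced, so this is a sanity check and not proof on its own.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - shopCounter.Position).Magnitude > MAX_DISTANCE then return end

	-- 4. The server reads and writes the balance itself.
	local stats = player:FindFirstChild("leaderstats")
	local money = stats and stats:FindFirstChild("Money")
	if not money or money.Value < price then return end
	money.Value = money.Value - price
	template:Clone().Parent = player.Backpack
end)

Players.PlayerRemoving:Connect(function(player)
	lastRequest[player] = nil -- avoid leaking entries for players who left
end)
```

With this handler, the `FireServer(10000000, "Legendary Sword")` call from Scenario #1 fails the type check on its first argument, and a well-formed request still has to pass the price, rate and range checks.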
Btw, exploiters can read whatever you send in a remote. Example:
If you are sending a remote with the info [999, ‘gFv9u69E’] all the time, I can read that. Then, I can just send [999999999,‘gFv9u69E’] using a Lua injector.
Back to square one.
I recommend you search before you post since there are a lot of posts about this specific question: