Using loadstring in ROBLOX

onlyjakep · August 7, 2022, 9:54am

Hello,
I am working on something that can secure scripts, strings,… ect… the issue is I may have to enable
loadstring. Now I heard this can cause vulnerabilities, and if possible I would like your feedback and recommendations on how to protect the loadstring feature.

Expertcoderz · August 7, 2022, 10:25am

loadstring can only be run on the server so it should be safe as long as you don’t let it execute any code supplied by a client.

But…just why? How would loadstring help you “secure” stuff?

Forummer · August 7, 2022, 3:52pm

The sandboxed loadstring global function can only be enabled for use by server scripts anyway, inherently making it secure.

2jammers · August 7, 2022, 4:02pm

Couldn’t someone with exploits do this?:

local newServerScript = Instance.new("Script")

newServerScript.Parent = game:GetService("ServerScriptService")

Then just change the source and execute it?
Or am I wrong and you cannot add scripts from the client to the server during runtime.

x1_EE · August 7, 2022, 5:29pm

No I dont think you can do this, the script will still act locally I think, plus it may not even run

Expertcoderz · August 7, 2022, 5:44pm

Roblox would be really messed up if you could.

StarJ3M · August 7, 2022, 5:47pm

tomsterBG · June 12, 2023, 6:15pm

Good question. I dare bump this thread because it’s not marked as solved.

It makes sense to think that loadstring may be a vulnerability by how nicely it works with exploits.

Most vulnerabilities come from how much Roblox and scripters trust the client. I’m intentionally ignoring roblox server breaches and failures that we don’t control.
The only fixable vulnerabilities by default are:

Character (mostly speed and fly exploits).
Unanchored parts with ownership set to the exploiter’s client.
Everything else is caused by our scripts.

This means loadstring won’t introduce any vulnerability because you can hardly prevent client modifications and the newly compiled code has a correctly set run time. If it’s server, it’ll have server level access, if it’s client, it will have client level access. I’d assume if you use features of lua that are removed in luau it wouldn’t work unless you use a custom system.

The worst way you can possibly ever introduce a massive vulnerability is to let the clients to request that the server loads a specific file.

theymightbelias · June 13, 2023, 5:49am

Why would you use loadstring if you aren’t an exploiter?

onlyjakep · June 14, 2023, 12:03am

Good question! It’s to load the scripts in with encrypted information.

theymightbelias · June 14, 2023, 3:33am

If an exploiter really wanted your code, even if it is encrypted, they will just decrypt. Loadstrings doesn’t make anything more secure, it just adds extra steps for an exploiter. Nothing on the client is secure, only the server is.

onlyjakep · June 14, 2023, 11:55pm

Nono it was something different, non bypass able.