What are the risks of using LoadstringEnabled?

Even when loadstring() is enabled, it cannot be used from the client, so what are the risks of turning on LoadstringEnabled?

Please don’t simply answer ‘exploits’, because that’s not helping me in any way. I’m trying to find out how loadstring() affects these exploits. So if you know any technical details about this, I’d love to know.

Why I’m (looking into) using loadstring():
I’m trying to fetch server-sided code from a remote server to run on Roblox. From my understanding, this can only be done using loadstring() or a slow Lua interpreter. My code has to run fast, so any slow workarounds are not really an option.

Edit: @Dandystan gave a great explanation. Kudos!

2 Likes

Using loadstring doesn’t necessarily make your game insecure. It’s how you use it that creates the insecurities. If you avoid using the function insecurely (providing malicious users with the ability to execute arbritary server-side code), you’ll be fine.

Here’s an example that would create a huge vulnerability:

game:GetService("ReplicatedStorage").RemoteEvent.OnServerEvent:Connect(function(_, contents)
    loadstring(contents)()
end)

You’re loading and executing the contents argument without any validation of the legitimacy of the event fire. An exploiter could easily fire that remote with malicious code passed to the contents parameter.

31 Likes

There are no risks to having it enabled server-side, FilteringEnabled wasn’t very popular back when the PointsService vulnerability was being exploited, which is what caused loadstring to be disbabled by default.

3 Likes

Loadstring will make your game more vulnerable to exploiters as with reverse engineering on the exploit creators end, they might be able to have access to your server side. When you enable loadstring you even get a warning telling you so, following to a link leading here.

loadstringwarning

This seems incredibly unlikely. While an exploiter can do anything they’d want locally, the server still would need to use some type of unsafe remote to allow an exploiter to execute arbitrary code. (and if an exploit creator is able to access the server side of things I doubt loadstring is going to make much of a difference at that point)

9 Likes

I believe this warning message was added back when admin command scripts were placed in Workspace, and typically had a script that would use loadstring on the value of a StringValue. As long as you keep everything related to loadstring away from being even known by the client (ServerStorage, ServerScriptService) and don’t provide remotes to execute code, you’ll be fine.

3 Likes