What can exploiters do exactly?

Every day I think about the ways that some sneak could get in and mess up the whole game, but I never really understand how and where. So I have a few main questions about what exploiters can really do and whether I should take the most serious precautions.

  1. Can exploiters change a local script or add a new local script? A big problem I keep thinking about is them being able to modify their own scripts or change something. For example, if they disable a script, then they might be able to bypass a checker. Being able to see the script is annoying, but if they can't change anything then I'll be pretty relieved. I think the biggest question I have is whether they can change something, such as a remote event sending info to the client, and manipulate that sent data.

  2. Can exploiters change String, Int, Number, and Boolean values on the local side, such as in the workspace and replicated storage? Even though this does not replicate to the server, it is still a big problem since I rely on many of these values to determine health, speed, etc.

  3. Can exploiters read the output? Can they see the things that are sent to the output, such as errors, prints, etc.?

  4. Can exploiters create new objects? Can they create parts or their own String, int values in the workspace or anywhere in the client?

Now that I have my main questions asked, I would like some feedback on whether my current game system could be secure or not.

Currently I am undecided on whether or not to focus everything on the server. For example, if I send a boss enemy to a player with 50 health from the server to the client, and then do everything in the client, such as determining if the boss is defeated or how much health it has based on the player's actions, can this be altered?

If it can, then I would need to do a lot of things on the server, and I suppose it isn’t hard, just very long. But I would rather be safe than have a broken game.

2 Likes

As for local scripts, yes, they can execute their own code. They can decompile local scripts and modules accessible to them, so server scripts can’t be decompiled at all.

They can send their own data over through remotes as well, but it is your responsibility to make sure the data passed over is valid and the remote is fired at the right time and such.

That is your problem for trusting the client, but yes they can. You should enforce health and speed and such on the server.

Yes, they can just type /console in the chat or press F9 to view it.

Yes.

It can and will be altered; again, enforce on the server.

6 Likes

Anything that is available to the client: they can read scripts and fire events.

When asking what exploiters can do, assume that ANYTHING client side CAN and WILL be exploited. This includes local scripts, anything in the workspace, modules being run locally, local scripts, etc. The best way to prevent exploiting is to have server-side checks for things you believe may be exploited.

Shortly put, exploiters can do ANYTHING they want to the client. They have complete control over all of the things you mentioned.

There is no harm in creating client-sided checks, but never rely on them to stop the baddies, as an exploiter can just remove them without detection on the server.

They can :Fire remote events and functions as well, so in no circumstances allow important data to be changed through a RemoteEvent.

The best way to keep the anti-exploit mindset is to think of the client as completely modifiable, and as a way to communicate information to the player. It should never be used to handle important things that will affect others. The player can change what they see easily, since it is their client, but they should never be given access to change anything permanently.

As a general rule, do not trust the client. Always perform server checks, and you should be fine.

1 Like
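A server-authoritative version of the boss fight from the question, as an added example that is not from any poster in this thread. The RemoteEvent name `AttackBoss`, the `Boss` model, and the damage, cooldown and range constants are assumptions chosen for illustration.

```lua
-- Server Script (e.g. in ServerScriptService). Added example; all names are assumptions.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local attackBoss = ReplicatedStorage:WaitForChild("AttackBoss") -- hypothetical RemoteEvent
local boss = workspace:WaitForChild("Boss") -- hypothetical Model with a PrimaryPart

local MAX_HEALTH = 50       -- the 50-health boss from the question
local DAMAGE_PER_HIT = 5    -- decided by the server, never sent by the client
local ATTACK_COOLDOWN = 0.5 -- seconds between accepted hits per player
local MAX_RANGE = 15        -- studs

local bossHealth = MAX_HEALTH -- authoritative copy lives only in server memory
local lastAttack = {}         -- [Player] = os.clock() of last accepted hit

local function isInRange(player)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid and humanoid.Health > 0 and boss.PrimaryPart) then
		return false
	end
	return (root.Position - boss.PrimaryPart.Position).Magnitude <= MAX_RANGE
end

-- The first argument is always the firing player, supplied by the engine.
-- Everything after it is client-controlled, so this handler ignores it.
attackBoss.OnServerEvent:Connect(function(player, ...)
	if bossHealth <= 0 then return end

	local now = os.clock()
	if lastAttack[player] and now - lastAttack[player] < ATTACK_COOLDOWN then
		return -- fired faster than a legitimate client could
	end
	if not isInRange(player) then return end

	lastAttack[player] = now
	bossHealth = math.max(bossHealth - DAMAGE_PER_HIT, 0)
	boss:SetAttribute("Health", bossHealth) -- replicated for display only

	if bossHealth == 0 then
		print(("Boss defeated; last hit by %s"):format(player.Name))
	end
end)

Players.PlayerRemoving:Connect(function(player)
	lastAttack[player] = nil
end)
```

The client only reads the `Health` attribute to draw a health bar; changing it locally has no effect on `bossHealth`. The range check is a sanity check rather than a guarantee, because a character's position is itself simulated by the owning client.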

I just wanted to check, but if I use the workspace to store values but access the values on the server, then even if its value is changed it will not affect the server, right?

Client changes won’t replicate to the server, so if you do it on the server you are fine.

Also, is there any way to protect client-side info and scripts? I have heard of some but I doubted they would work, but is there any method to try and protect client info?

What info? What do you mean by protect? Exploiters will always be able to do whatever they want.

Such as what is inside a script, or somehow use the server to try and detect changes.

I don’t believe exploits edit existing local scripts, nor do I think detecting such change is possible. Don’t worry too much about the client; just worry about the server, which you can protect. Handle vital game logic on the server.

1 Like