What's the best way to intercept/prevent exploited data being sent from Client to Server?

Hello,

What do you think is the best way to intercept or prevent exploited data being sent to the Server, besides sanity checks?

[1] Let’s say the Client has a cooldown before it can punch again, and the exploiter modifies and sends false data to the Server. How would you approach checking whether the data is actually correct?

[2] What if you have a Damage remote, and if Player1 shoots and hits Player2 it fires the damage remote with the respective hit part? Can’t the exploiter use the remote while firing a weapon to send data claiming he damaged multiple ones?

[3] Let’s say you have an invite system (Client > Server > Client). What if the exploiter makes a for loop that sends invites to everyone in the server?

[4] Would having a remote that changes someone’s Money value be a vulnerability?
Would a sanity check even be helpful for this?

-- Wouldn't an exploiter just be able to fire it and tell the Server his value needs to be changed?
MoneyRemote:FireServer(game.Players["ExploiterName"], "Change_Money_Value", 350)

Client-based anti-exploits are unreliable and are only good against skids who don’t know how to properly deal with them; exploiters can use getrawmetatable to override metatable functions and/or override __namecall and __index to prevent getting kicked too.

What is your best approach to securing the server against vulnerabilities? Would you mind sharing some advice on good practices?

I would check their debounce on the server. I create a dictionary that contains the player instance as the key and a Boolean indicating the debounce as the value. Then, if I want to modify the Boolean, I would use a coroutine to handle it.

I don’t understand what you’re asking.

How so? The developer could just check, on the server side, that the target is a single player instance.

Why would we use a remote to change someone’s money if we can just do it on a server script?

This rarely happens unless your game mechanics function like that.

1 Like
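The server-side debounce described in the reply above, written out as a Roblox server script. This is an added example, not code posted in the thread: it assumes a RemoteEvent named "PunchRemote" in ReplicatedStorage that the client fires with the BasePart it claims to have hit, and the cooldown, reach and damage numbers are made up for illustration. It uses task.delay to clear the Boolean instead of a hand-rolled coroutine, and it also covers point [2] of the question by accepting exactly one target per remote call and checking that target on the server.

```lua
-- Server Script in ServerScriptService (added example, not code from the thread).
-- Assumes a RemoteEvent named "PunchRemote" in ReplicatedStorage that the client
-- fires with the BasePart it claims to have hit (both names are assumptions).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local PunchRemote = ReplicatedStorage:WaitForChild("PunchRemote")

-- The server owns these numbers; the client's copy is only for animation/UI.
local PUNCH_COOLDOWN = 1.0  -- seconds between accepted punches
local PUNCH_REACH = 8       -- studs; anything farther cannot be a real punch
local PUNCH_DAMAGE = 10

-- player -> true while that player's debounce is active
local onCooldown = {}

-- Returns the Humanoid a hit part belongs to, or nil if the part is not a valid
-- single target (wrong type, not part of a character, or the attacker himself).
local function resolveTarget(attacker, hitPart)
	if typeof(hitPart) ~= "Instance" or not hitPart:IsA("BasePart") then
		return nil -- client sent something that is not a part at all
	end
	local model = hitPart:FindFirstAncestorOfClass("Model")
	if not model or model == attacker.Character then
		return nil
	end
	return model:FindFirstChildOfClass("Humanoid")
end

PunchRemote.OnServerEvent:Connect(function(player, hitPart)
	-- 1. Debounce is checked here, not on the client.
	if onCooldown[player] then
		return -- too early: the client's cooldown was bypassed or the request is a replay
	end
	onCooldown[player] = true
	task.delay(PUNCH_COOLDOWN, function()
		onCooldown[player] = nil
	end)

	-- 2. Validate the single claimed target.
	local humanoid = resolveTarget(player, hitPart)
	if not humanoid or humanoid.Health <= 0 then
		return
	end

	-- 3. Range check from the attacker's server-side position.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root or (hitPart.Position - root.Position).Magnitude > PUNCH_REACH then
		return
	end

	-- Only now does the server apply damage; one remote call damages one target.
	humanoid:TakeDamage(PUNCH_DAMAGE)
end)

-- Drop the entry so the table does not keep a reference to a player who left.
Players.PlayerRemoving:Connect(function(player)
	onCooldown[player] = nil
end)
```

The debounce is set before the target is validated on purpose: a client that spams bad hit parts still burns its own cooldown, so the handler doubles as a rate limit. Because the server only ever reads the one part it was handed and damages the Humanoid it resolves to, a client cannot turn one call into damage on several players; it would have to fire the remote several times, and the debounce rejects those.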

You don’t normally send data from the client which is directly used by the server.

MoneyRemote:FireServer(game.Players["ExploiterName"], "Change_Money_Value", 350)

This line would become:

-- Ran in LocalScript, server checks if it's possible
MoneyRequestRemote:FireServer()

Generally, don’t ever trust the client unless it’s client-only stuff that doesn’t save (like data representation in the UI; the actual data would be on the server, though).

1 Like
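The server side of the MoneyRequestRemote pattern from the reply above, as an added example rather than code from the thread. It assumes a RemoteEvent named "MoneyRequestRemote" in ReplicatedStorage and creates a leaderstats "Money" IntValue per player itself; the reward amount and the pendingRewards bookkeeping are assumptions used to show the idea. The point it demonstrates is that the server ignores everything the client sends (including the player and amount arguments from the original MoneyRemote call) and decides both who gets paid and how much from its own state.

```lua
-- Server Script in ServerScriptService (added example, not code from the thread).
-- Assumes a RemoteEvent "MoneyRequestRemote" in ReplicatedStorage (assumption);
-- the leaderstats "Money" value is created below so the script stands alone.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local MoneyRequestRemote = ReplicatedStorage:WaitForChild("MoneyRequestRemote")

local REWARD_AMOUNT = 350 -- decided by the server, never by the client

-- player -> number of rewards the server has decided this player may collect.
-- Only server code ever writes to this table.
local pendingRewards = {}

local function getMoneyValue(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Money")
end

-- Server logic (round end, quest completion, ...) calls this to grant a claim.
-- It is local to the server, so no client can call it directly.
local function grantReward(player)
	pendingRewards[player] = (pendingRewards[player] or 0) + 1
end

-- The first argument is filled in by the engine with the Player who fired the
-- remote; passing game.Players["SomeoneElse"] from the client does not change it.
-- Any extra arguments (...) are untrusted and deliberately ignored.
MoneyRequestRemote.OnServerEvent:Connect(function(player, ...)
	local pending = pendingRewards[player] or 0
	if pending <= 0 then
		return -- nothing to collect; a forged request changes nothing
	end
	local money = getMoneyValue(player)
	if not money then
		return
	end
	pendingRewards[player] = pending - 1
	money.Value += REWARD_AMOUNT -- the only place Money is written
end)

Players.PlayerAdded:Connect(function(player)
	local stats = Instance.new("Folder")
	stats.Name = "leaderstats"
	local money = Instance.new("IntValue")
	money.Name = "Money"
	money.Parent = stats
	stats.Parent = player
end)

Players.PlayerRemoving:Connect(function(player)
	pendingRewards[player] = nil
end)
```

The client's FireServer() call carries no arguments because there is nothing it is allowed to decide. A sanity check on a client-supplied amount (point [4] of the question) is the wrong tool here: the fix is that no amount is ever accepted from the client, so there is nothing to check.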