You might think server scripts are fully trustworthy since only you can create them, but if someone manages to run a script in your game through a flaw you haven't noticed, they can do a lot more than you expect.
Here is an example:
Server script:
DataStoreKey = "AVerySecurePassword" -- notice how there is no local: this is a global
function Ban(Player) -- a global function, so it is visible in the environment too
	-- Ban player script
	Player:Kick()
end
local SecureDataStoreKey = "GoodLuckGettingThs" -- This has local and thus is secure
local function SecureBan(Player) -- You can also have local on functions
	-- Ban player script
	Player:Kick()
end
while wait(1) do
	require(script.Lib).Run("This could be important info") -- Runs the function from the module
end
Module script:
local _M = {} -- local, so the table is not leaked as a global (require still returns it)
_M.Run = function(ImportantInfo)
	-- Legit script --
	warn("This is a warn.")
	return "Also important info"
end
return _M
A script that an exploiter somehow managed to insert:
wait(1)
local a = require(game.ServerScriptService.LegitScript.Lib).Run -- Backs up the old function
require(game.ServerScriptService.LegitScript.Lib).Run = function(...)
	for i, v in pairs({...}) do -- Loops over the args
		warn(i, v) -- Steals the args
	end
	for i, v in pairs(getfenv(2)) do -- Loops over the calling script's environment
		warn(i, v) -- Steals the environment
	end
	warn(getfenv(2).DataStoreKey) -- Stole the DataStoreKey
	getfenv(2).Ban(game.Players["ForgotenR4"]) -- Can also run functions from here
	getfenv(2).DataStoreKey = "Pineapple" -- Can also change variables
	warn(getfenv(2).SecureDataStoreKey) -- Will print nil since it isn't a global variable
	getfenv(2).SecureBan(game.Players["ForgotenR4"]) -- Will error since it isn't a global function
	local ret = a(...) -- Runs the old function with the same args
	warn(ret) -- Steals what it returned
	warn()
	return ret -- Returns what it returned
end
As you can see from the example above, if someone manages to run a script on the server, they can get a lot more information than you would expect. If you keep your DataStore key in a global, they can edit all of your DataStores; leave a function unprotected and they can run it or replace it.
Although it would be very hard to find a vulnerability in your scripts that lets a user run their own server scripts, that doesn't mean it won't happen, and it is always good to play it safe in case something like that does happen.
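A hardened version of the server script and module, as an added example that is not from the original post or the attached file: every secret and function is `local`, the module table is frozen with Luau's `table.freeze` so its `Run` field cannot be reassigned, and the server script captures `Run` once as an upvalue instead of re-requiring the module every loop. The secret value and the `script.Lib` module path are assumptions.

```lua
-- ===== Module script (script.Lib), hardened =====
local M = {} -- local: the table is not published as a global

-- Held in an upvalue, so it is never part of any script's environment.
local function run(importantInfo)
	warn("This is a warn.")
	return "Also important info"
end

M.Run = run

-- table.freeze (Luau) makes `require(...).Run = ...` raise
-- "attempt to modify a readonly table", so a script that obtains the
-- module through require cannot swap the function; the error in the
-- output log is also a useful sign that something tried to.
return table.freeze(M)

-- ===== Server script, hardened =====
-- (constructed secret; local, so getfenv(2) from a callee cannot see it)
local SecretKey = "GoodLuckGettingThis"

local function Ban(player) -- local function: not in the environment either
	player:Kick()
end

-- Capture Run once; even if the field could be changed later, this
-- reference would still point at the original function.
local Run = require(script.Lib).Run

-- Nothing above is a global, so getfenv(2) called from inside Run only
-- sees the script's built-in environment (script, game, ...), none of
-- the names defined here.
while true do
	Run("This could be important info")
	task.wait(1)
end
```

The test from the original post can be repeated against this version: the assignment to `.Run` errors instead of succeeding, and `getfenv(2).SecretKey` and `getfenv(2).Ban` are both `nil`.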
Here is a link to the file I made:
SecurityTesting.rbxl (16.2 KB)