Suggestion: onPlayerShootPlayer

Started by EK.IceFlake, May 19, 2016, 03:41 AM

Previous topic - Next topic

Mötley

Doom, you should know as well 99.9 percent of all players look for exploits in servers and the system in general,
I learned as a server owner that it was a very common thing, But then comes the patches you find a bug you patch it, That's how it works.
So hopefully If there is a bug or exploit someone may either secretly present it etc,.

Personally I have no intentions of using client scripts as theirs always exploits in this style system since its technically scripting client side,. There is one that I fear "client side packet hack". Then all servers will be screwed either way.
But if alike LU there is a 99.9% chance of not having these exploits as long as you do not have client scripts.
This is very common in client scripts you are basically opening a gateway for the player base to create hacks if they can configure in code how to manually attach scripts to the memory process of the server/player, Bindkeys are best to keep server side btw. That's a must unfortunately ...
But honestly if someone knew what they where doing they would of injected scripts long!! ago ,.


I really appreciate client scripts and I hope that things go great as you said Storm,,. I hope you can contenue to keep this a clean system

vito

Haha really? No client side features because server's coders may don't use validation and players may use it insted useful hacks they alredy have? xD

KAKAN

Quote from: Doom_Kill3R on May 20, 2016, 02:15 AMSo basically the logic here is that cuz of a few retards, we will have to suffer and not get the complete benefits of 'client-side' scripting cuz they will screw things up? K.
Let's go play MTA:SA :P
oh no

Mötley

Sure,.. Somethings that I know are best not said anymore so I wont speak on it no more...

EK.IceFlake

Quote from: . on May 19, 2016, 07:47 PM
Quote from: Mötley on May 19, 2016, 07:27 PMI don't think anyone here but 2 people know how to do that.

The only guys I can think of are @ext-d.CrystalBlue and @Finch Real . They're the only PROs I know who could achieve such task.

Said no one ever.
:( im pr0 than finch

NewK

#20
Quote from: Mötley on May 20, 2016, 03:01 AMPersonally I have no intentions of using client scripts as theirs always exploits in this style system since its technically scripting client side,. There is one that I fear "client side packet hack". Then all servers will be screwed either way.
No they won't. A competent scripter knows well enough how to use client side scripts safely, if you don't, go read up on server side validation, don't just make assumptions like that because while you may have good intentions, you're a spreading wrong information which is definitely something we don't need on the forum. And it's not "technically" scripting client side, it IS scripting client side. Do you know what else is client side? Javascript. That is client side scripting aswell and if that didn't exist you wouldn't be able to use all the features you use today on most websites. Can you imagine if everyone acted like that when javascript was first released? If you made a website, would you also not use javascript because it's client-side? Do you even realize how ridiculous  that sounds? If you don't know any methods or good practices to use when communicating with the client that's one thing, but don't go off saying there's exploits in this "system".

For example, imagine that a scripter starts using a MySQL database and forgets to set a password and has it publicly accessible on the internet. Will you now say this is a MySQL exploit? No, it's the scripter's responsability. Imagine you create a class to represent the structure of a player account with various properties and in the constructor of the class you pass the players' level which is associated to server permissions and imagine you make a mistake in the script, and you always pass the admin level to that constructor. Will you now say classes have exploits too? No, once again:  it's the scripter's responsability


Quote from: Mötley on May 20, 2016, 03:01 AMThis is very common in client scripts you are basically opening a gateway for the player base to create hacks if they can configure in code how to manually attach scripts to the memory process of the server/player, Bindkeys are best to keep server side btw. That's a must unfortunately ...
You open up a way to communicate with the client, it's the SCRIPTER'S RESPONSIBILITY to make sure all the communication in between (server->client, client->server) is made safely. VCMP devs can only provide the events they believe to be safe to use client-side, from that point forwards, any exploits that happen are the fault of incompetent scripters for failing to implement these events safely. There's alot of advantages to having client side events and one of those is to offload some of the more resource heavy, server side events to the client, Bindkeys are an example, when using it on the server, the server has to be constantly listening for keypresses for all players which might be a bit heavy. I don't know why on earth you would think it's better to have those server-sided.

Bottom line is:  Client side events are not a magic solution to everything, and they're not a replacement for server side events, learn when to use client side events and when to use server side events. Don't just use the wrong thing for the wrong job and then say "it has exploits". Learn to validate the important stuff on the server and don't use client side events for critical things that you cannot validate.

Mötley

No one will never know the after math of client side hacking. Sure add bind keys client side btw they are the easiest to exploit.

You guys get client scripting and think your REAL pro's, okay that's fine give it time..
If storm is not careful in his choices in client scripting it will be the end of vc:mp as what happened in LU,
It does not take long to create forced hacks in client scripts,
Even methods of scripting that you would not think is even possible in client scripting. :D

 :D :D :D

You guys make me smile, SURE do it

NewK

#22
Quote from: Mötley on May 20, 2016, 01:27 PMNo one will never know the after math of client side hacking. Sure add bind keys client side btw they are the easiest to exploit.

You guys get client scripting and think your REAL pro's, okay that's fine give it time..
If storm is not careful in his choices in client scripting it will be the end of vc:mp as what happened in LU,
It does not take long to create forced hacks in client scripts,
Even methods of scripting that you would not think is even possible in client scripting. :D

 :D :D :D

You guys make me smile, SURE do it
So you think that because you can see or change keybinds that this is an exploit? Rofl that's hilarious.
If the keybinds are stored on the client that was obviously because it was not considered something important enough to store on the server. What do I care if players can see or  change their keybinds or not.  Basic common sense in this situation is: if you can fetch client side keybinds from memory or even some other script variables, that means the server scripter has considered that there is no problem with players seeing that information because it's not important. Any competent scripter knows not to store critical information client side. If I make a server and you join the server and then go look into memory, you'll be able to find stuff there, but you'll only be able to see what I want to you to see and nothing more. For example, a player's keybinds for opening a GUI_WINDOW are not critical information so I store those keybinds on the client because I dont mind that the player can see that.


You obviously do not understand what client side means. Client side means the files are stored on each player's PC, doesn't matter if it's stored on the disk or memory, of course you can always access those files and change the contents, so stop trying to look like a genius just because you can see/change the content of client side scripts, everyone can do that.

Just because you edit the contents of the client side scripts that doesn't mean that there's exploits. Even though, you can see and change the content of a the client side script, if the server scripter has validated your input server-side, then the server is always safe anyways, this is a concept you don't seem to understand. I never said client side scripts couldn't be seen or changed, of course they can be seen/changed, they're on your own PC! But in the end, the user still has to communicate with the server and that's when you can validate what he sends. It doesn't matter if he changed the entire client side script as long as you make sure you to validate his input on the server.

Let me try to explain this to you in a way that you can understand. Imagine you go to a website like youtube.com for example. What you see on the page is just HTML and CSS and both of these are CLIENT SIDE, that means you can see it and change it. You can change how the whole page looks by editing its HTML and CSS, and you can even change its behaviour by changing its javascript. Javascript, HTML and CSS are all client side, which means that i runs on the browser, and it runs your PC. These files are stored on your PC so you can  see them or change them how you wish, just like vcmp's client side scripts. You can see them and change them, but if the server scripter has done a good job validating the input server-side, those changes will only be shown on your PC and not the server, so they won't affect anyone but you. This has been how websites have worked since pretty much the begining, it's been like this for decades, and you don't see anyone out there, going around saying "OMG THIS HAS EXPLOITS PLZ FIX" just because they can change the content of CLIENT-SIDE stuff....

It's the same thing with these VCMP scripts, the difference here is that there's no HTML or CSS, there's just squirrel scripts, it's a standard client-server model that is used by countless other games and applications for your PC or your cellphone. You say there's exploits because you can see and edit the client side scripts, that's ridiculous, because you can do that in pretty much every game or application that functions the same way. The client-server model was created by minds far smarter than you, and it has been in use for decades, and now you come along and say there's exploits, do you even realize how that sounds? You clearly do not fully understand how this model is supposed to work.

Also there's no need for you to send me PM's showing me how to edit client side scripts. That's the equivalent of me going to a website and pressing F12 on the browser and then sending you a screenshot showing you the page's HTML lol. Guess what, HTML is client side too and I can edit it too, woah! that must mean there's exploits in HTML too right? I must be a super 1337 hacker to be able to edit the contents!  /sarcasm

If the client side scripts are implemented correctly in VCMP, there wont be any issues as long as the server scripters are competent.

Make sure you get this into your head once and for all: Anything that is client sided can be accessed and changed by the players. That is how it works universally, not just vcmp.  This doesn't mean there's exploits, because you can validate the data that is sent to the server  and see if it's correct of if it was changed.

Mötley

The issue with something so simple as say Client bind keys are due to the fact they are a gateway, A way to inject personal client scripts into the memory.

*So this will be my final statement,..
This has me displeased, That you do not even believe me, I will say that one day it might happen, someone with no life will take the time to hook scripts to the memory and execute personal client side scripts.
I happen to know what I am talking about, You as well in other applications.
 
But this is different. So I prefer to say no more or show real proof of the dangers of client side scripting. For future reference please compile client side scripts it makes data harder to retrieve and modify to be capable of injecting/executing client side script data retrieves corrupted ,.

I am no hacker. I just got lucky with that gift, I was capable of patching exploits in my LU server with it and was pleased with the learning experience of patching these issues in my personal server. So I attempted to share the learning experience and no one wants to listen that is fine.

~Mötley
 

Thijn

We all believe you that one day people can execute their own client side scripts. But what @NewK is trying to say is that it doesn't matter if the client can't touch critial server side stuff.
The problem with LU was that critical server side stuff was easily accessible from client side scripts. And then when people could execute their own client side scripts all hell broke loose.

EK.IceFlake

My friends, let me tell you an important point.
No matter how complex you have designed hackproof systems, you only keep making it more and more difficult to hack. You never make it impossible. Just like with 1 + 1/2 + 1/4 + 1/8 + 1/16 + 1/32... it will keep getting closer and closer to 2 but will never actually reach it.
Deal with it.

DizzasTeR

Hack MTA:SA client scripts for me and then I'll consider you the real man. As @NewK said, the developers need to provide the loading of compiled client-side scripts and its all on responsibility of the scripter to protect himself from getting screwed over.

NewK

#27
Quote from: Mötley on May 20, 2016, 04:39 PMThe issue with something so simple as say Client bind keys are due to the fact they are a gateway, A way to inject personal client scripts into the memory.

*So this will be my final statement,..
This has me displeased, That you do not even believe me, I will say that one day it might happen, someone with no life will take the time to hook scripts to the memory and execute personal client side scripts.
I happen to know what I am talking about, You as well in other applications.
 
But this is different. So I prefer to say no more or show real proof of the dangers of client side scripting. For future reference please compile client side scripts it makes data harder to retrieve and modify to be capable of injecting/executing client side script data retrieves corrupted ,.

I am no hacker. I just got lucky with that gift, I was capable of patching exploits in my LU server with it and was pleased with the learning experience of patching these issues in my personal server. So I attempted to share the learning experience and no one wants to listen that is fine.

~Mötley
 
Motley, there is nothing wrong with injecting personal client side scripts into memory since these client side scripts only run on your machine, they ONLY run on your own PC, not the server! When you're looking in memory for information, you're looking at your own computer's memory, not the servers'. Any changes you make to these scripts, or even if you inject new scripts, these will only run in your OWN computer. And nowhere else. Please understand that.

Imagine that you inject a client side script into memory (your PC's memory) to make a request to the server to get some data.  When the request is made, you can check what that request contains on the server and you can validate that and see if it's right or wrong, and  you can then reject that request if you want to.

An example of injected client side scripts would be browser extensions. There's some browser extensions (for example AdBlockPlus) made specifically to alter the behaviour of some websites and they inject javascript into your page to do this, but these injected scripts  only run on your local machine, so only you see these changes, they don't make any change to what's on server side so it doesn't affect anyone else. I'm only using these examples so I can try to make you understand better, but don't you think that it's much too different with VCMP's client side scripts. Players may eventually find a way to inject their client side scripts but there's really no problem with this  because whatever they inject is only run by their own computer. It wont have any effect on the server if the server scripter validates each client side request.



Quote from: Thijn on May 20, 2016, 04:56 PMWe all believe you that one day people can execute their own client side scripts. But what @NewK is trying to say is that it doesn't matter if the client can't touch critial server side stuff.
The problem with LU was that critical server side stuff was easily accessible from client side scripts. And then when people could execute their own client side scripts all hell broke loose.
Yes! Thank you! I feel like I'm running out of ways to explain to same thing over and over lol. Motley I think you might be a bit confused because of what happened with LU. @Thijn knows exactly what I mean.

Quote from: Doom_Kill3R on May 20, 2016, 05:36 PMAs @NewK said, the developers need to provide the loading of compiled client-side scripts and its all on responsibility of the scripter to protect himself from getting screwed over.
But I didn't really say that though ._.
I mean, the compiled scripts part, while it would be nice to have this extra security  measure, a person determined enough can still decompile it so it's still not a foolproof way of protecting critical information, and there never will be such a thing with client scripts, that's just how it works on pretty much any other game or application that functions in the same way, this is not a specific issue that only happens in vcmp. There's no way to completely get around that, and the sooner people realize this, the better.

DizzasTeR

Quote from: NewK on May 20, 2016, 05:40 PM
Quote from: Mötley on May 20, 2016, 04:39 PMThe issue with something so simple as say Client bind keys are due to the fact they are a gateway, A way to inject personal client scripts into the memory.

*So this will be my final statement,..
This has me displeased, That you do not even believe me, I will say that one day it might happen, someone with no life will take the time to hook scripts to the memory and execute personal client side scripts.
I happen to know what I am talking about, You as well in other applications.
 
But this is different. So I prefer to say no more or show real proof of the dangers of client side scripting. For future reference please compile client side scripts it makes data harder to retrieve and modify to be capable of injecting/executing client side script data retrieves corrupted ,.

I am no hacker. I just got lucky with that gift, I was capable of patching exploits in my LU server with it and was pleased with the learning experience of patching these issues in my personal server. So I attempted to share the learning experience and no one wants to listen that is fine.

~Mötley
 
Motley, there is nothing wrong with injecting personal client side scripts into memory since these client side scripts only run on your machine, they ONLY run on your own PC, not the server! When you're looking in memory for information, you're looking at your own computer's memory, not the servers'. Any changes you make to these scripts, or even if you inject new scripts, these will only run in your OWN computer. And nowhere else. Please understand that.

Imagine that you inject a client side script into memory (your PC's memory) to make a request to the server to get some data.  When the request is made, you can check what that request contains on the server and you can validate that and see if it's right or wrong, and  you can then reject that request if you want to.

An example of injected client side scripts would be browser extensions. There's some browser extensions (for example AdBlockPlus) made specifically to alter the behaviour of some websites and they inject javascript into your page to do this, but these injected scripts  only run on your local machine, so only you see these changes, they don't make any change to what's on server side so it doesn't affect anyone else. I'm only using these examples so I can try to make you understand better, but don't you think that it's much too different with VCMP's client side scripts. Players may eventually find a way to inject their client side scripts but there's really no problem with this  because whatever they inject is only run by their own computer. It wont have any effect on the server if the server scripter validates each client side request.



Quote from: Thijn on May 20, 2016, 04:56 PMWe all believe you that one day people can execute their own client side scripts. But what @NewK is trying to say is that it doesn't matter if the client can't touch critial server side stuff.
The problem with LU was that critical server side stuff was easily accessible from client side scripts. And then when people could execute their own client side scripts all hell broke loose.
Yes! Thank you! I feel like I'm running out of ways to explain to same thing over and over lol. Motley I think you might be a bit confused because of what happened with LU. @Thijn knows exactly what I mean.

Quote from: Doom_Kill3R on May 20, 2016, 05:36 PMAs @NewK said, the developers need to provide the loading of compiled client-side scripts and its all on responsibility of the scripter to protect himself from getting screwed over.
But I didn't really say that though ._.
I mean, the compiled scripts part, while it would be nice to have this extra security  measure, a person determined enough can still decompile it so it's still not a foolproof way of protecting critical information, and there never will be such a thing with client scripts, that's just how it works on pretty much any other game or application that functions in the same way, this is not a specific issue that only happens in vcmp. There's no way to completely get around that, and the sooner people realize this, the better.

Trying to decompile is another head-break, that's a different situation but having scripts compiled is one of the simplest ways to keep your code safe and in editable by normal users, even if someone gets it through memory it will be compiled and I don't think someone will sit back to decompile a VCMP server source.

All in all its necessary to have what's important but we also know we can't safeguard it 100℅, but stepping back from what can be done isn't a good idea.

KAKAN

Quote from: Doom_Kill3R on May 20, 2016, 07:03 PMTrying to decompile is another head-break, that's a different situation but having scripts compiled is one of the simplest ways to keep your code safe and in editable by normal users, even if someone gets it through memory it will be compiled and I don't think someone will sit back to decompile a VCMP server source.

All in all its necessary to have what's important but we also know we can't safeguard it 100℅, but stepping back from what can be done isn't a good idea.
Squirrel doesn't compile into machine code, so a simple program can help us decompile, but as Squirrel is not that famous, no one has made a decompiler yet :P
Another thing is, client side scripts won't affect your server unless you make it to.
We can just take some security steps to make sure that no one can inject shits to the server, like, I said the nodejs thingy that we can send streams to server, but ofc, we won't get the player instance, so, a simple if statement would help us protect from that thing. It's all about developer's responsibility, just as @NewK said
Another example is Firebug, by which we can edit the JS, but, we need to think that we're modifying it and it will affect our client, not the server, if the server has good security systems, then it can pretty easily block us.
oh no