Hackers Joining big servers | Bypassing mods

Titch2000 · 2019-04-24T11:32:29.637Z

I do not want to seem like anything of a know it all or anything like that or add fuel to the fire but why don’t we take what we know here and expand that into a method for defence?

I have put together a small example here https://github.com/Starystars67/FiveM-Anti-XSS/tree/master If others of you feel this could be a potential implementation or notice a way to make it better (Which im sure there is) then please make a pull request and i will happily merge it.

TheCALRP · 2019-04-24T16:32:02.520Z

I did a simple version so if their name contains http:// or https:// it’ll block them. Not the best but it works. They can still join and do the exploits just not automatically.

spekzi · 2019-04-24T22:39:24.556Z

good job, this is a start…

Hazy · 2019-04-24T23:24:27.047Z

Arthur, The only resource they did exploit was your admin panel. they litterally got on and banned our staff members, just to show us.

spekzi · 2019-04-25T00:34:33.968Z

then they found an exploit on the web application / backend.

TheCALRP · 2019-04-25T03:25:59.769Z

A.) I don’t maintain that panel anymore other members do.
B.) They most likely used chat commands such as that XSS.js with /ban instead.
C.) This is the first I’m hearing of this…

aXoZer · 2019-04-25T06:24:22.481Z

He is cheating my server, and he do with a scripthook bypass

schwim · 2019-04-25T16:43:35.690Z

@Titch2000 , thanks so much for sharing the xss name function, very helpful!

Joe_Beauchamp · 2019-05-03T14:34:13.298Z

typical excuses for fivem it sounds like…
so “they can be executed via the CEF debugging tool.”
explain why your average person gets to use the debugging tool.

Titch2000 · 2019-05-03T15:58:31.513Z

Your “average person gets to use the debugging tool” is anyone who does any development with html interfaces. Tools like these are extreamly valuable for us and make things much easier to do our job as developers. It is a shame that some exploit this but how can FiveM decide who should have access to it?
Ask the FiveM staff? how do you validate your worthy of access? there is no possible way to prevent it as such without causing damage to developers in this case. the very best way to resolve the issue with XSS exploits is for resource developers to setup their resources server side and only do the absolute minimum on the client. For example the es_admin2 exploit we saw earlier in this thread would be for the resource to verify that the person trying to ban a player is actually a verified player trying to do so.

Though i know it can be hard to understand why things are done the way they are when you do not understand it your self (i was once the same way and is part of the reason i learnt to program) try to learn what you can and understand it as best you can and where you dont try to get people to explain it to you. Then if you have a better way propose that.

schwim · 2019-05-03T16:07:28.386Z

I don’t think the issue is the debugging tool, it’s what we’re allowing them to do with it in our resources. If so, then our discussion should revolve completely around safe coding practices with the functions we commonly use, no?

Joe_Beauchamp · 2019-05-03T17:19:20.622Z

Well you could just have a code you put in the cfg. and you can only use the debug if you know that code. that way the people that need it who are developers and server owners can use it no problem. such an open modding system is bound to be unsecure it would be great if there were some systems in place in the base code to help. like an officially supported lua scrambler to get around some of the most basic lua injectors would be a great start.

Titch2000 · 2019-05-07T21:44:47.265Z

what do you mean just put a code in? the debugging tool is client side only. it only affects the server and or other players when they start playing with server side resources which is where it is up to the resource developers to ensure they do not rely on the client but the server.

Dinamicka · 2019-05-10T00:48:13.816Z

whitelist your server and stay safe from stupid “hackers” boys

KingAlmond · 2019-05-10T05:57:14.784Z

If this happened to you legally the responsibility will fall on the bank and paypal failing to adequately secure your account. Just because someone grabs passwords, banks and paypal have safety measures to check if an absurd amount of money is being withdraw and X rates going to Y places. If they are able to bypass all this, all you do is make a claim, they investigate it and get it refunded to you.

If it is a large amount, authorities will get involved and probably figure out you shouldn’t own a PC and or fix the security flaw for you.

And tbh many of these resources are riddled with exploits and then they will offer no support. Imagine working at an actual company, releasing horrible code and not telling people or helping your boss/company fix it. Good luck staying around for more than 1 hour.

The responsibility should come back to the author of the code and his/her failure to program properly and not being object oriented at all. For someone like me or anyone else to go through each resource and figure out every exploit is an unimaginable task. It should still be done but it shouldn’t be our responsibility to fix someone else’s code over and over.

doxylamin · 2019-05-10T22:03:34.539Z

KingAlmond:

If this happened to you legally the responsibility will fall on the bank and paypal failing to adequately secure your account

Even legally it’ll still be under your responsibility to keep your account secure in the first place.
You can contact PayPal afterwards and tell them your situation and get it resolved. But it’s 100% not their responsibility to keep your PC clean from viruses and secure your passwords.

Nullified · 2019-06-01T06:14:09.936Z

It’s a bit late, I know but in the case that they can ban you is the script you use for banning poorly made. @Hazy