Investigating bug abuse and how to detect if nui_DevTools is open

Hi y’all,

I’ve been spending some time looking at bug abuses from multiple cities. Most bugs I’ve encountered come down to server owners trusting the input from users. This can lead to multiple bug abuses like duping items, or something more malicious like SQL injection, arbitrary file read, or privilege escalation due to server owners’ intent to run their database as root. The easiest way to find bugs is just to open nui_DevTools, look for RegisterNUICallback, start to tinker, and look at how the server responds. You can find multiple bugs in frameworks like Qbus and ESX third-party plugins this way.

Preferably I’d like to see these bugs solved server side, but I can also imagine that you think players don’t need access to the nui_devtools.
So is there a solution? Well yes. I’ve been talking to Beau from lotus (don’t know his username on this forum), and basically nui_devtools is a Chromium console. To detect if a Chromium console is being opened or is open, it’s nothing more than the following code. thx Beau

// Create a throwaway element whose "id" getter only runs when an open
// devtools console inspects the logged object, i.e. when the console is open.
var element = new Image();

element.__defineGetter__("id", function() {
    // development tool open: react here (log, report, ...)
});

// Logging the element is what makes the console inspect it.
console.log(element);

So as an example you can do

var element = new Image();

element.__defineGetter__("id", function() {
    // Getter runs when the open console inspects the element: report it to
    // the resource's NUI callback (here the resource is named ls-core).
    fetch("http://ls-core/devtoolOpening", {
        method: "post"
    });
});
console.log(element);

What this does is create an element and check whether the element is created. If the element is found, gracefully kick the player from your server.
I would suggest adding this to your core scripts. If they disable the core, they would not be able to play the game.

One other thing I’d like to mention is that in one of my investigations I’ve noticed that people are getting infected by the Azorult malware, which affects a lot of players from huge servers we know and love, and small ones too. I can’t put my finger on where the infection comes from, but I would like to point out: do not just trust code from the internet and implement it into your server.

-N

1 Like
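The server-side check the post is asking for, as an added example that is not part of the original post or of any framework: a "trust the client" item-transfer handler of the kind that allows duping, beside a hardened version that validates every field against server-owned state. The inventory state, item list and handler names are constructed for this demo.

```javascript
// Constructed server-side state: the server, not the client, owns inventories.
function makeState() {
  return {
    inventories: new Map([
      ["player1", new Map([["bread", 3], ["water", 1]])],
      ["player2", new Map()],
    ]),
    knownItems: new Set(["bread", "water", "bandage"]),
  };
}

// Vulnerable: copies item and count straight from the client payload.
// A payload such as { item: "bread", count: -5 } is accepted and dupes items,
// since subtracting a negative count adds to the sender's own inventory.
function transferUnchecked(state, src, payload) {
  const from = state.inventories.get(src);
  const to = state.inventories.get(payload.target);
  from.set(payload.item, (from.get(payload.item) || 0) - payload.count);
  to.set(payload.item, (to.get(payload.item) || 0) + payload.count);
  return { ok: true };
}

// Hardened: every field is validated against server-side state before use.
// `src` is the server-side identity of the caller, never a payload field.
function transferChecked(state, src, payload) {
  const { item, count, target } = payload || {};
  if (typeof item !== "string" || !state.knownItems.has(item))
    return { ok: false, reason: "unknown item" };
  if (!Number.isSafeInteger(count) || count <= 0)
    return { ok: false, reason: "count must be a positive integer" };
  const from = state.inventories.get(src);
  const to = state.inventories.get(target);
  if (!from || !to || target === src)
    return { ok: false, reason: "bad target" };
  if ((from.get(item) || 0) < count)
    return { ok: false, reason: "insufficient items" };
  from.set(item, from.get(item) - count);
  to.set(item, (to.get(item) || 0) + count);
  return { ok: true };
}
```

Whatever the NUI side sends, the hardened handler only moves items the sender actually holds, so blocking or tampering with client requests gains nothing.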

This is not a real solution to the vulnerabilities in your resources, and it can still be bypassed by using “break on XHR or fetch” breakpoints.

So I’ve thought about that. But unless I’m doing it wrong, I’ve put a breakpoint on all XHR and fetch, but it still gets executed and I gracefully get booted out of the game. It does see the XHR and executes even when I put a breakpoint on all of it. With that happening, a log file is created and sent to the staff.

Hm, I guess fetch breakpoints work differently. The point stays: don’t use this as a solution for your vulnerabilities. The person with the devtools will always have full control over what executes, so they can always block it. Note devtools also has a request blocker which can block all requests.

1 Like

Oh no, this is not an all-fix solution. I guess my wording, as I’m not a native English speaker, “solution” might be wrong. This is however an extra check in detecting who is trying to open the nui_devtools and kicking them gracefully. If people know that they’re being logged they might think twice, as cheaters don’t like to be detected. Like I said before, I prefer that server owners check and clean their code. Make it less attractive for cheaters to even try. But to block the request you first need to know which URL to block, if I’m right.

If anyone is interested, here is a list with the found bugs, mostly for the Qbus framework. All new bugs will be posted on the list.

My goal is to help out and share my knowledge to get a more secure framework. Educate about the possibilities if you do not sanitize user input :slight_smile:

1 Like

Yeah, helping by stealing other people’s work using illegal dump tools.
You and your friend are just pieces of scum. What a joke.

This shouldn’t even be an extra check, as people will stop giving a single fuck about protecting their NUI callbacks when they can just use 5 lines to “protect” all their callbacks instead of checking shit server side. Do you fucking block devtools on websites so people can’t remove disabled from your button?? No, you don’t. I don’t understand why people making RP servers want to block every single tool which could be used to “cheat” on their server instead of patching the bug themselves in the first place.

2 Likes

We all know that most cities use the stolen Qbus framework and call it their own framework. However, the framework is not perfect. There are tons of bugs that need to be solved, which is why I started this project and shared the bugs to help the community. I’ve found these bugs with a development server that has been set up for me to play around with. I have to say that I also went a bit further to understand the mindset of these cheaters/city owners and started to recognize names in these stolen scripts’ Discord server channels or whatever it’s called. These scripts also come with tons of bugs and I keep seeing them everywhere. So talking about “stealing other people’s work” is just mind-baffling to me. It shows the toxicity of the community. But sure, use my findings and tell the community that you’ve solved it, which is my goal.

Indeed, this solution is a Google search away. In the past my roleplay got affected as some people used SQL injection through a RegisterNUICallback statement, wiping the entire database, and something so small and simple to monitor makes it a bit less attractive for people that want to try. I hope in the future people will be more open-minded in helping each other when bugs are found. I’m not saying to share your scripts, but just push a person in the right direction.

Also want to note on the “dumping server files”: check out globbing your configuration files. To “dump” a server they need to know the file names.

1 Like

I do post examples on how and where to fix it in your code and, like you stated before, most is just a Google search away. You can also just ask for help instead of reacting in an environmentally unfriendly manner. But I don’t think you get the point here of what I’m doing and the things I see. What I’m asking is simple: I’m asking city owners to step up their game, communicate and solve their security issues. If people use these examples, that means you don’t have a good running community, and if I was here to help the ‘cheaters’ I would not have made it public and helped out to improve.

2 Likes

Is it possible to do an event that makes you get kicked when you open devtools?

If something gets abused by devtools, you have a security flaw on your server, and preventing them from being used is just a band-aid fix. It’d be a lot smarter to fix the cause of the issue, not the aftermath.

4 Likes

Never trust the client. Problem solved.

3 Likes

I need a video that summarizes the steps please : (

“But to block the request you first need to know which URL to block if I’m right.”

This is true but still easy to discover. When manually adding, you’ll see the following text appear:
[image]

So this means if you were to block */*, you’ll simply block all requests to find the request you want to block permanently, most commonly nui_blocker/nui_blocker. Then add that to the blocked request patterns and restart the FiveM client.

Also do this the first time.
Enter the server you just blocked the request on, and then when in the loading screen you need to click “Enable network request blocking”. This will block all the request patterns; if done correctly you should be able to use the devtools without any problems.

This can be achieved because at this point in time not a single Lua or JavaScript file has been loaded on the client side. That’s why this is not even close to a solution and far from an extra check.

Look at it like making a door that is break-in proof, but you placed the key in a glass box in front of the door; all you’ve got to do is break the glass…

Two words: script kiddies.

This is the real answer here, everything else is just smoke and mirrors.