Possible security hole with nui_devTools?

How come there’s no ace required to use this command? Did I miss something obvious?

This makes writing bulletproof ui infinitely harder.

Does pressing f12 in your browser require ace permissions? It’s just a normal devtools for the browser. If people can abuse it then you are trusting the client too much.

That does not make it any less of a hole.

Why make things easier for cheaters? That’s an angle of attack that could not exist if access to that tool was controlled server-side. It’s not like that’s costly in the sense of time needed to implement or processing power needed to execute.

How can cheaters abuse nui_devtools?

The “worst” that I found can be done is removing the TokoVoip screen, that’s about it. Not sure why people think it’s a problem now though… Since nui_devtools existed for a while now.

You can also trigger nuicallbacks and you can’t put a check on everything, so idek why we need nui_devtools. The reason I have problems with it now is because I did not even know it existed earlier.

On yourself, not on any players.

True, but the thing is if you have a Framework that works with citizenids and a nuicallback that triggers a DeleteCharacter event, you potentially could delete other players’ characters. This I did fix by checking their Steam names, but if you have a Combine system in your inventory it becomes harder to fix or even impossible.

For example:

This is a loop that triggers a Combine event and gives the player the item they want. (In the framework I use)

function waitaminute(ms) {
  return new Promise(resolve => setTimeout(resolve, ms));
}

async function hacking() {
  console.log('Hacking...');

  for (let i = 0; i < 5; i++) {
    fetch("http://sl-inventory/combineWithAnim", {
      "headers": {
        "accept": "*/*",
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8"
      },
      "referrer": "",
      "referrerPolicy": "no-referrer-when-downgrade",
      "body": "{\"combineData\":{\"anim\":{\"dict\":\"anim@amb@business@weed@weed_inspecting_high_dry@\",\"text\":\"Hacking\",\"lib\":\"weed_inspecting_high_base_inspector\",\"timeOut\":4500},\"reward\":\"advancedlockpick\",\"accept\":[\"screwdriverset\"]},\"usedItem\":\"lockpick\",\"requiredItem\":\"screwdriverset\"}",
      "method": "POST",
      "mode": "cors",
      "credentials": "omit"
    });
    await waitaminute(7600);
  }
}

hacking();

And I know this is not for every server but it’s stupid you got to put a check on everything that works with NUI right now.

You always have to put a check on anything, even with regular events; you can never trust the client. Even if there was no nui_devtools, a malicious client can still trigger whatever they want.

Move more of that logic to the server, e.g. the timer, and make the server determine the item given.

That’s true and that’s what normal Callbacks are good for, but I’m not even sure how to fix this one because you can enter everything in there.

Alright, I’ll see what I can do. I think in the past people did not really know nui_devtools.

The reason the information is in a nuicallback and not server sided is because we use a progressbar and it needs those things and triggers a server event after. But I’ll see if I can make changes.
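Added example (not part of the thread and not sl-inventory's code): one way to do what is suggested above, with the recipe table and the timer held on the server so the client only names the two items and gets the duration back for its progress bar. Function names, the inventory shape and the "used item is consumed" rule are assumptions; wiring to the framework's events is left out.

```javascript
// Added example: server-side combine logic. Wiring to the framework's net
// events and inventory storage is left out; all names here are hypothetical.
const RECIPES = new Map([
  // Items and duration taken from the request quoted in the thread.
  ["lockpick+screwdriverset", { reward: "advancedlockpick", durationMs: 4500 }],
]);

const pending = new Map(); // playerId -> { usedItem, requiredItem, recipe, startedAt }

const has = (inventory, item) =>
  Object.prototype.hasOwnProperty.call(inventory, item) && inventory[item] > 0;

// Client sends only the two item names. Reward and timer come from RECIPES.
function startCombine(playerId, inventory, usedItem, requiredItem, now) {
  if (typeof usedItem !== "string" || typeof requiredItem !== "string") {
    return { ok: false, reason: "bad_input" };
  }
  const recipe = RECIPES.get(`${usedItem}+${requiredItem}`);
  if (!recipe) return { ok: false, reason: "unknown_recipe" };
  if (!has(inventory, usedItem) || !has(inventory, requiredItem)) {
    return { ok: false, reason: "missing_items" };
  }
  if (pending.has(playerId)) return { ok: false, reason: "already_combining" };
  pending.set(playerId, { usedItem, requiredItem, recipe, startedAt: now });
  // The duration goes back to the client only so it can draw the progress bar.
  return { ok: true, durationMs: recipe.durationMs };
}

// Called when the client reports the progress bar finished. The server checks
// its own clock and re-checks the inventory before handing anything out.
function finishCombine(playerId, inventory, now) {
  const job = pending.get(playerId);
  if (!job) return { ok: false, reason: "nothing_pending" };
  pending.delete(playerId);
  if (now - job.startedAt < job.recipe.durationMs) {
    return { ok: false, reason: "too_early" };
  }
  if (!has(inventory, job.usedItem) || !has(inventory, job.requiredItem)) {
    return { ok: false, reason: "missing_items" };
  }
  inventory[job.usedItem] -= 1; // assumption: the used item is consumed
  const reward = job.recipe.reward;
  inventory[reward] = (inventory[reward] || 0) + 1;
  return { ok: true, reward };
}
```

The `now` argument is the server's clock, and `inventory` is the server's copy of the player's items; neither is taken from the request.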

Hi,

I’ve been researching the possibilities with nui_devtools for about a month and came to the conclusion that a lot of developers in this community don’t script with security in mind.
I started doing this because, as a researcher and role player, frameworks like ESX and Qbus attract cheaters, which has an impact on my roleplay. A lot of those people abuse the TriggerServerEvents by buying memory injection tools for a few bucks, but with the nui_devtools, which is free to use, it’s basically game over for all cities within the FiveM community. However, this doesn’t have to be a problem if scripters check everything server side and sanitize players’ data. The most common problems encountered are SQL injections and allowing people to spawn items from client side without checking server side.

I’ve been working with a couple of cities to improve their code with the findings I do.
Most of these bugs I find are for the cities with the Qbus framework. You can find my research here:

I’ve published this list to create awareness within the scripting community. One other thing I want to say is that using ace for nui_devtools will not help at all, as you can always hook it into memory or whatever. The problem is not with the tools being given but with the community that is creating insecure code or copying each other’s code without doing any sanitizing checks. For example, I’ve seen scripts that allow backdooring an entire server through MySQL if the user runs with root permissions on the database.

-Nick

Thank you. And very worrying at the same time. A lot of times people think it’s up to “FiveM” to fix their issues when in fact it’s their own code that allows such insecurities.

They can use it to use Nuicallbacks.

If that’s an issue, that means you are trusting the client too much; none of your logic should be in either the NUI page or your client scripts but on the server.

Yes, but the problem is that I can’t do anything, I don’t know how to block nui_devtools.

Blocking devtools is not the solution, your bigger problem is your server logic which you need to fix. Even if the devtools would be removed, some malicious client (e.g. someone with cheats) can still do the same.

Well, you need to learn something about security.
If your NUI webpages do something except triggering events that actually check if the user is allowed to perform the action, then you don’t have to run a server.

And if you have some great scripts on the web side that you don’t want to be exposed to the public, you can simply use webpack or smth like that.