[Release][DEV] Server Event Security Tokens - Anticheat

Secure your server events with my resource.

Use better admin resources or disable them. These are both client side issues.

Update 8/30/2018

  • Added new server export that allows you to get the security token for a specified resource. This is only accessible from the server side. This can be used to validate client-side events to ensure that they were actually triggered by the server. Please note that sending the token to the client may have some security implications and allow an attacker to retrieve the token for a resource, if they know the event to sniff. This should be used in a “worst case scenario” for validation. Again, just never trust the client :slight_smile:
    • Example usage: exports['salty_tokenizer']:getResourceToken(GetCurrentResourceName())
1 Like

Update 9/5/2018

  • Added an init.lua file that can be included in a given resource’s __resource.lua file as a server and client script to automatically initialize the tokenizer and receive the tokens. I have updated the original post and GitHub readme to reflect the changes in setup.
    • Note: If you are already using salty_tokenizer, there are no changes needed to your script (even if you update salty_tokenizer to the latest version). Do not include init.lua in a resource that is already using salty_tokenizer, or the resource could generate duplicate tokens and have adverse results. The init.lua file uses the same functions as before and is designed only to make implementation easier.

Good work. I can feel hackers salting over these frequent anticheat releases, this one is particularly nice :slight_smile:

1 Like

Just a quick question concerning install. Sorry if it’s obvious:

Are the steps to adding this:

  1. Add files to the resource dir and start it in server.cfg
  2. Add

server_script '@salty_tokenizer/init.lua'
client_script '@salty_tokenizer/init.lua'

to every other resource's __resource.lua

Here’s where I fall apart.

Do I have to add this to every resources’ client file?

TriggerServerEvent('anticheat-testing:testEvent', securityToken)

And this if statement to every server event?

if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
    return false
end

Like I said, I’m sorry for what I am sure is obvious but I’d like to add the resource but just don’t know how to handle the modifications of the other resources.

Thanks for your time!

2 Likes

Hey @schwim, those were actually just examples of securing an existing event. By adding the init.lua file to both the server and client files of a resource, it properly preps the resource to be secured with the tokens.

In order to protect a server event, you will need to adjust it to send the security token to the server. The security token is accessible through a variable named securityToken on the client side. So you will find all existing TriggerServerEvent triggers in your client-side scripts, and add , securityToken to it so that it is sent to the server.

Before:

TriggerServerEvent('my_resource:eventName', existingVariables)

After:

TriggerServerEvent('my_resource:eventName', existingVariables, securityToken)

On the server-side, you will need to modify the event handlers to accept the token, and then add a check to make sure it was a valid token. To do this, you will go through your server-side scripts and adjust any event handlers to have a new variable (I use token typically).

Before:

RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables)

After:

RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables, token)

Now, just passing the security token will not prevent anything, since there’s not a check in place that it is valid. You can use my premade function using an export that will check the token and return false if it is invalid and kick them out.

Final modified server event handler:

RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables, token)
    local _source = source
    if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
        return false
    end
    -- At this point, this secured event is validated and safe to continue.
end)
1 Like

Hey, thanks for this!

I got a question…

How do you make a secure event if there is no server event for this?

https://pastebin.com/mMe2Pt6B
I’m stuck at this…

That server event is only accessible to the server, therefore a client cannot interfere with it and it does not need a token. It is possible that a client is interfering with a different server event that triggers this one.

If the server event does not have a corresponding RegisterNetEvent with it, you don’t need to secure it with a token.

Oh, but when the hacker does the “bug” it says this in the console: " [vRP/C#] query exception vRP/money : System.AggregateException: One or more errors occurred. —> MySql.Data.MySqlClient.MySqlException: Out of range value for column ‘wallet’ at row 1"

So I guess it's that, because no other place has that query…

That is a MySQL error indicating that a value greater than what the column can store is being entered.

For example, if the sql database column “money” can only hold a 5 digit number, and then this person tries to put in 9999999999999, it will give the error, because the number is out of range.

1 Like

Yeah, because he gives himself money by a script/Lua injection… I changed it multiple times but they find it after a few minutes…

Then you have a resource that has a server event that gives him money. It is not possible for him to directly trigger this event.
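One way to apply the token check from the setup reply above to a money-giving event like the one discussed here, as an added example that is not part of the thread or of salty_tokenizer (the PRICES table, GetWallet and SetWallet are hypothetical stand-ins for a resource's own database code):

```lua
-- Added example (not from the thread or salty_tokenizer). Shows the two halves
-- of protecting a money-related server event: the token check from the thread,
-- plus refusing to trust any client-supplied amount. PRICES, GetWallet and
-- SetWallet are hypothetical stand-ins for a resource's own storage code.

-- Server-side price list: the client only names an item, never a price.
local PRICES = {
  water = 5,
  bread = 10,
}

-- Hypothetical helpers wrapping the resource's own wallet storage.
local wallets = {}
local function GetWallet(src) return wallets[src] or 0 end
local function SetWallet(src, value) wallets[src] = value end

RegisterNetEvent('my_resource:buyItem')
AddEventHandler('my_resource:buyItem', function(itemId, token)
  local _source = source

  -- 1. Token check: the export returns false (and kicks the player) when the
  --    token is not the one issued to this player for this resource.
  if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
    return false
  end

  -- 2. A valid token only proves the sender held this resource's token; the
  --    arguments can still be anything, so validate them server-side.
  if type(itemId) ~= 'string' then
    return false
  end
  local price = PRICES[itemId]
  if price == nil then
    print(('[my_resource] %s requested unknown item %s'):format(_source, itemId))
    return false
  end

  -- 3. The new balance is computed from server-held state and a server-side
  --    price, so the client never chooses the number written to the database.
  local balance = GetWallet(_source)
  if balance < price then
    return false
  end
  SetWallet(_source, balance - price)
  TriggerClientEvent('my_resource:purchaseOk', _source, itemId)
end)
```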

I have edited __resource.lua of esx_society, and I have copy-pasted both codes that you said to, and when I enter my server I get insta-kicked.

How do I do the tokenizer for this code?

Citizen.CreateThread(function()
  local markers = {
    {-3241.0556640625, 997.41778564453, 12.550408363342},
    {-3240.7443847656, 1008.6000366211, 12.830710411072}
  }
  while true do
    Wait(0)
    for k, v in pairs(markers) do
      local x, y, z = table.unpack(v)
      DrawMarker(29, x, y, z - 0.20, 0.0, 0.0, 0.0, 0, 0.0, 0.0, 1.00, 1.00, 1.00, 0, 250, 0, 200, false, true, 2, true, false, false, false)
    end
    --Citizen.Wait(10000)
  end
end)
1 Like

Very useful! Nice to see someone took the time to make something like this.

1 Like

That is all client side and doesn’t require a token.

Post your edits here and I’ll attempt to help. Most ESX resources are extraordinarily insecure.

Is it supposed to start the resource in server.cfg?

Yes you need to add it to your server.cfg.

1 Like

Do you have some discord for talk?

I wrote this in the __resource.lua

server_script '@salty_tokenizer/init.lua'
client_script '@salty_tokenizer/init.lua'

This on the client

TriggerServerEvent('anticheat-testing:testEvent', securityToken)

and this on the server

RegisterNetEvent('anticheat-testing:testEvent')
AddEventHandler('anticheat-testing:testEvent', function(token)
	local _source = source
	if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
		return false
	end
	print("Authenticated")
end)

Is something wrong?