Secure your server events with my resource.
Use better admin resources or disable them. These are both client side issues.
Update 8/30/2018
exports['salty_tokenizer']:getResourceToken(GetCurrentResourceName())
Update 9/5/2018
init.lua file that can be included in a given resource’s __resource.lua file as a server and client script to automatically initialize the tokenizer and receive the tokens. I have updated the original post and GitHub readme to reflect the changes in setup.
salty_tokenizer, there are no changes needed to your script (even if you update salty_tokenizer to the latest version). Do not include init.lua in a resource that is already using salty_tokenizer, or the resource could generate duplicate tokens and have adverse results. The init.lua file uses the same functions as before and is designed only to make implementation easier.
Good work. I can feel hackers salting over these frequent anticheat releases, this one is particularly nice
Just a quick question concerning install. Sorry if it’s obvious:
Are the steps to adding this:
2) add
server_script '@salty_tokenizer/init.lua'
client_script '@salty_tokenizer/init.lua'
to every other resource’s __resource.lua
Here’s where I fall apart
Do I have to add this to every resource’s client file?
TriggerServerEvent('anticheat-testing:testEvent', securityToken)
And this if statement to every server event?
if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
return false
end
Like I said, I’m sorry for what I am sure is obvious but I’d like to add the resource but just don’t know how to handle the modifications of the other resources.
Thanks for your time!
Hey @schwim, those were actually just examples of securing an existing event. By adding the init.lua file to both the server and client files of a resource, it properly preps the resource to be secured with the tokens.
In order to protect a server event, you will need to adjust it to send the security token to the server. The security token is accessible through a variable named securityToken on the client side. So you will find all existing TriggerServerEvent triggers in your client-side scripts, and add , securityToken to it so that it is sent to the server.
Before:
TriggerServerEvent('my_resource:eventName', existingVariables)
After:
TriggerServerEvent('my_resource:eventName', existingVariables, securityToken)
On the server-side, you will need to modify the event handlers to accept the token, and then add a check to make sure it was a valid token. To do this, you will go through your server-side scripts and adjust any event handlers to have a new variable (I use token typically).
Before:
RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables)
After:
RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables, token)
Now, just passing the security token will not prevent anything, since there’s not a check in place that it is valid. You can use my premade function using an export that will check the token and return false if it is invalid and kick them out.
Final modified server event handler:
RegisterNetEvent('my_resource:eventName')
AddEventHandler('my_resource:eventName', function(existingVariables, token)
    -- Capture the triggering player's id before doing anything else.
    local _source = source
    -- Reject the event unless the token matches the one issued for this resource.
    if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
        return false
    end
    -- At this point, this security event is now validated and safe to continue.
end)
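One way to avoid pasting the same check into every handler, as an added example that is not part of salty_tokenizer or the original posts: a hypothetical `secureNetEvent` helper for server scripts. It assumes the client always appends securityToken as the last argument, as in the "After" trigger above.

```lua
-- Added example (server script). secureNetEvent is a hypothetical helper,
-- not a salty_tokenizer function. Only calls shown in this thread are used.
local function secureNetEvent(eventName, handler)
    RegisterNetEvent(eventName)
    AddEventHandler(eventName, function(...)
        -- 'source' is a global set per event; capture it immediately.
        local src = source
        local args = table.pack(...)
        -- Assumption: the token is always the final argument sent by the client.
        local token = args[args.n]

        -- Fail closed: no arguments means no token, so the handler never runs.
        if args.n == 0 then
            return false
        end

        -- Same check as the manual version; returns false on an invalid token.
        if not exports['salty_tokenizer']:secureServerEvent(
                GetCurrentResourceName(), src, token) then
            return false
        end

        -- Pass the original arguments through without the token.
        return handler(src, table.unpack(args, 1, args.n - 1))
    end)
end

-- Usage: the handler body only runs for events that carried a valid token.
secureNetEvent('my_resource:eventName', function(src, existingVariables)
    -- The token shows the event came from a tokenized client script.
    -- existingVariables is still client-supplied, so validate its type and
    -- range here before using it (for example before writing it to a database).
end)
```

Events registered without RegisterNetEvent cannot be triggered by a client and do not need this wrapper.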
Hey, thanks for this!
I got a question…
How will you make a secure event if there is no Server Event for this?
https://pastebin.com/mMe2Pt6B
I’m stuck at this…
That server event is only accessible to the server, therefore a client cannot interfere with it and it does not need a token. It is possible that a client is interfering with a different server event that triggers this one.
If the server event does not have a corresponding RegisterNetEvent with it, you don’t need to secure it with a token.
Oh, but when the hacker does the “bug” it says this in console: "[vRP/C#] query exception vRP/money : System.AggregateException: One or more errors occurred. ---> MySql.Data.MySqlClient.MySqlException: Out of range value for column 'wallet' at row 1"
So I guess it’s that, because no other place has that query…
That is a MySQL error indicating that a value greater than what can be stored is trying to be entered.
For example, if the SQL database column “money” can only hold a 5 digit number, and then this person tries to put in 9999999999999, it will give the error, because the number is out of range.
Yeah, because he gives himself money by a script/Lua injections… I changed it multiple times but they find it after a few minutes…
Then you have a resource that has a server event that gives him money. It is not possible for him to directly trigger this event.
I have edited __resource.lua of esx_society, and I have copy-pasted both codes that you said to do, and when I enter my server I get insta-kicked
How to do tokenizer for this code
Citizen.CreateThread(function()
    local markers = {
        {-3241.0556640625,997.41778564453,12.550408363342},
        {-3240.7443847656,1008.6000366211,12.830710411072}
    }
    while true do
        Wait(0)
        for k,v in pairs(markers) do
            local x,y,z = table.unpack(v)
            DrawMarker(29, x,y,z-0.20, 0.0, 0.0, 0.0, 0, 0.0, 0.0, 1.00, 1.00, 1.00, 0, 250, 0, 200, false, true, 2, true, false, false, false)
        end
        --Citizen.Wait(10000)
    end
end)
Very useful! Nice to see someone took the time to make something like this.
That is all client side and doesn’t require a token.
Post your edits here and I’ll attempt to help. Most ESX resources are extraordinarily insecure.
Is it supposed to start the resource in server.cfg?
Yes you need to add it to your server.cfg.
Do you have a Discord to talk?
I wrote this in the __resource.lua
server_script '@salty_tokenizer/init.lua'
client_script '@salty_tokenizer/init.lua'
This on the client
TriggerServerEvent('anticheat-testing:testEvent', securityToken)
and this on the server
RegisterNetEvent('anticheat-testing:testEvent')
AddEventHandler('anticheat-testing:testEvent', function(token)
    local _source = source
    if not exports['salty_tokenizer']:secureServerEvent(GetCurrentResourceName(), _source, token) then
        return false
    end
    print("Authenticated")
end)
Is something wrong?