syrasia (Posted December 18, 2016)

Hi there, I want to make my server as safe as I can. So it is only logical that I heed the advice from the wiki: Script security.

Well, the second part (with checking the validity of client and arguments) is very easy for me to do. But for the first part, I can only assume it works, but can't test it, as I don't have a hacked client. I don't want a real hacked client, but still, I would like to test if a rogue client would get caught and reported by my script security (I only changed the "outputConsole" to an error report system I already have implemented).

With best regards, another MTA:SA freak.

Noki (Posted December 21, 2016)

The best way to secure your server from "rogue clients" is to not use element data at all. Or at least don't allow it to be set client-side. But you would be safer not using element data at all.

As stated in that wiki page, "don't trust anything from the client". Write your scripts as if you're trying to break them (i.e. putting strings in where integers are supposed to be, using newlines in input, not submitting any input, spamming buttons and commands, etc.). Validate every piece of data extensively.

You're right, I don't think there's a way to fully test that as it seems to be faking events. So unless you injected some code into the client (which is a job in itself nowadays) you can't really test it. But if you did manage to inject into MTA, you would probably be finding more important security flaws.

syrasia (Author, Posted December 21, 2016)

Wait, did I maybe misunderstand setElementData? I thought it is called by the client every time he "changes", like moving or entering a car and so on. Is setElementData only called if a script calls it? Because I will never use setElementData, as I don't have any use for it. Everything I need can be done with normal function calls, and data for players is stored in tables (easier to access, use and change). Please enlighten me on this.

And about calls from triggerServerEvent: that I already understood, and I am already taking care of wrong/bad arguments.

Noki (Posted December 22, 2016)

I do recall hearing from someone on MTA's IRC server that MTA uses element data for things like position, entering a car etc. But I don't think you're able to set those values through setElementData, for obvious reasons.

So to answer your question, yes. Well, as far as I'm concerned anyway. You'll need to look at the source code or ask a developer for absolute confirmation.

Arran (Posted December 22, 2016)

You can easily pretend to be a hacked client: have access to runcode, start runcode, then run:

crun setElementData(root, "blah", "blahblah")

All that a hacker can do is execute client-side script, as if they had access to crun. As you have access to crun, being the server owner, you can test server-side security stuff that way.

Edit: Though you shouldn't even worry about this. In 6 years of running a popular server I have only encountered client hackers less than 10 times. Usually they gave themselves away by triggering events to the server which aren't handled, thus generating an error that shows you their player name. Use element data, it's a wonderful system, just don't use it for things hasObjectPermissionTo should be used for.

Edited December 22, 2016 by Arran
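
A server-side element data guard of the kind this thread discusses, as an added example that is not part of the original posts and is not the wiki's own code. CLIENT_WRITABLE, its sample key and reportViolation are hypothetical names; replace reportViolation with your own error report system.

```lua
-- Server-side script (added example, not from the thread or the MTA wiki).
-- Allowlist of element data keys a client may set, mapped to the expected
-- Lua type. The key below is a constructed sample.
local CLIENT_WRITABLE = {
    ["chat.typing"] = "boolean",
}

-- Hypothetical reporting hook: logs a warning (level 2) to the debug log.
local function reportViolation(player, message)
    outputDebugString(("[security] %s (%s): %s"):format(
        getPlayerName(player), getPlayerSerial(player), message), 2)
end

-- Restore the previous value, removing the key when there was none before.
-- The server-side call below re-triggers onElementDataChange with 'client'
-- unset, so the handler returns early and does not loop.
local function revert(element, key, oldValue)
    if oldValue == nil then
        removeElementData(element, key)
    else
        setElementData(element, key, oldValue)
    end
end

addEventHandler("onElementDataChange", root, function(key, oldValue)
    -- 'client' is only set when the change was sent by a client;
    -- changes made by server-side scripts leave it nil and are trusted.
    if not client then return end

    local expectedType = CLIENT_WRITABLE[key]
    local newValue = getElementData(source, key)
    local reason

    if not expectedType then
        reason = "key is not on the client-writable allowlist"
    elseif source ~= client then
        reason = "client changed data on an element other than itself"
    elseif type(newValue) ~= expectedType then
        reason = "expected " .. expectedType .. ", got " .. type(newValue)
    end

    if reason then
        reportViolation(client, ("rejected '%s': %s"):format(tostring(key), reason))
        revert(source, key, oldValue)
    end
end)
```

Running the `crun setElementData(root, "blah", "blahblah")` line from Arran's post against a server with this handler loaded should produce one report and leave the key unset on root.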