Skip to content

Instantly share code, notes, and snippets.

View mesidex's full-sized avatar

mesidex mesidex

View GitHub Profile
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / main.md
Last active April 23, 2024 15:25
bypassing blocked function protections using corescripts

bypassing blocked function protections using corescripts

author: James Napora.

roblox and exploit fundamentals

  • corescripts have RobloxScript permissions on Roblox.
  • exploit function protections do not run on any threads except exploit threads.
  • roblox has several permission levels: None, Plugin, LocalUser, RobloxScript and Roblox.
  • actors on Roblox run whenever a script under it has a client run context, e.g local scripts, scripts with RunContext.Client and corescripts.
  • scripts under actors share the same global state
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / READ.md
Last active May 16, 2024 13:39
Data store vulnerabilities

Write-up

A warning to Roblox developers about a powerful exploit primitive. In this, I will detail the research I’ve conducted into this attack vector and walk you through how you as a developer, can protect against exploits with primitives like this.

DataStoreService lets you store data that needs to persist between sessions, such as items in a player’s inventory or skill points. Data stores are consistent per experience, so any place in an experience can access and change the same data, including places on different servers.

By default, experiences tested in Studio cannot access data stores, so you must first enable API services. You will need to do this to test the vulnerabilities.

The idea I wanted to explore when pondering the above question was; can we exploit remotes to prevent data from saving? It is easy to blame the developer for not protecting themselves against such a simple exploit but it ends up being more complicated than that. I found plenty of examples of these vulnerabilities occurring