Mod Security: Difference between revisions
mNo edit summary |
m →SendGameCustomMessage: grammatical error fixed |
||
Line 11: | Line 11: | ||
if payload.type == "makePlayerWin" then | if payload.type == "makePlayerWin" then | ||
makePlayerWin(game, payload.playerid) | makePlayerWin(game, payload.playerid) | ||
-- makePlayerWin(game, playerid) could be a function that later on adds | -- makePlayerWin(game, playerid) could be a function that later on adds an order which sets the territory owner of every territory to the player associated with the supplied playerid | ||
elseif ... -- other functionality | elseif ... -- other functionality | ||
end | end |
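Review bot: the reworded comment on the line after `makePlayerWin(game, payload.playerid)` is now a single very long line that trails the call it describes; move it above the call and wrap it. The visible context never compares the hook's playerID with the host, so the comment should also state that this handler is the deliberately naive version.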
Latest revision as of 14:35, 1 June 2024
In a client-server relationship, it is very important that the server checks everything the client sends to it. This is because someone who is proficient in programming (a hacker, for example) can modify any data the client sends to the server. It's therefore important to employ a zero-trust policy when creating mods.
Possible security weak points
SendGameCustomMessage
Main article
An attacker can modify the payload in any way they desire. Let's take a Diplomacy Mod for example, where the host can decide which player should win at any time. A naive approach using Server_GameCustomMessage(...) would be:

    function Server_GameCustomMessage(game, playerID, payload, setReturn)
        if payload.type == "makePlayerWin" then
            -- makePlayerWin(game, playerid) could be a function that later on adds
            -- an order which sets the territory owner of every territory to the
            -- player associated with the supplied playerid
            makePlayerWin(game, payload.playerid)
        -- elseif ... then (other functionality)
        end
    end
An attacker with the associated playerid of (for example) 12345 who analyzed the source code of the mod (remember, the source code of every mod is publicly available on GitHub) can now see that the hook never actually checks whether the client who sent the CustomServerMessage is really the host (indicated by the playerID parameter of the Server_GameCustomMessage function). The attacker could therefore send the following Lua table to the server:
{ type = "makePlayerWin", playerid = 12345 }
and automatically win as soon as the turn advances. The actual process is more complicated but that's about how an attacker could use the security vulnerability to gain a decisive advantage.
The obvious and right solution is to additionally check, inside the if condition, whether the playerID supplied to Server_GameCustomMessage belongs to the host:

    function Server_GameCustomMessage(game, playerID, payload, setReturn)
        -- Only the host (the player who started the game) may trigger this action
        if payload.type == "makePlayerWin" and game.ServerGame.Settings.StartedBy == playerID then
            makePlayerWin(game, payload.playerid)
        -- elseif ... then (other functionality)
        end
    end

This now makes the functionality secure against custom client data crafted by an attacker.
GameOrderCustom
Main article
The server mod hooks which accept the GameOrderCustom should depend only on the payload, as hackers may, as with SendGameCustomMessage, modify all fields (Message, Payload, CostOpt and OccursInPhaseOpt) to gain an advantage. Note that, since hackers can modify Payload too, it is essential to verify that it was even possible for the player to send the received Payload in the first place. All other fields should be recreated by the server.
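The following is an added example, not code from this page or from any existing mod, showing one way to apply the rule above: parse the Payload, check it against server state, and rebuild every other field. The payload format, the PRICES table, the Gold table and the numeric CostOpt are assumptions made for illustration, and PlayerID is treated as set by the server because the page lists only the other four fields as attacker-controlled.

```lua
-- Constructed stand-ins: payload format "buy:<item>:<territoryID>", PRICES,
-- the Gold table and a numeric CostOpt are assumptions for this example.
local PRICES = { tower = 20, mine = 35 }  -- kept on the server only

-- Returns a rebuilt order table, or nil plus a rejection reason.
local function validateCustomOrder(standing, order)
    if type(order.Payload) ~= "string" then
        return nil, "payload is not a string"
    end
    local item, terrStr = order.Payload:match("^buy:(%a+):(%d+)$")
    if not item then
        return nil, "malformed payload"
    end
    local price = PRICES[item]
    if not price then
        return nil, "unknown item"
    end
    local terr = standing.Territories[tonumber(terrStr)]
    if not terr or terr.OwnerPlayerID ~= order.PlayerID then
        return nil, "territory not owned by sender"
    end
    if (standing.Gold[order.PlayerID] or 0) < price then
        return nil, "cannot afford item"
    end
    -- Client-supplied Message, CostOpt and OccursInPhaseOpt are discarded;
    -- only values derived from server state go into the rebuilt order.
    return {
        PlayerID = order.PlayerID,
        Payload = order.Payload,
        Message = ("Bought %s on territory %s"):format(item, terrStr),
        CostOpt = price,
    }
end

-- Constructed sample state and orders (not real game objects).
local standing = {
    Territories = { [7] = { OwnerPlayerID = 12345 }, [8] = { OwnerPlayerID = 999 } },
    Gold = { [12345] = 25 },
}
local samples = {
    honest = { PlayerID = 12345, Payload = "buy:tower:7", Message = "x", CostOpt = 20 },
    forged = { PlayerID = 12345, Payload = "buy:tower:8", Message = "x", CostOpt = 0 },
    cheap  = { PlayerID = 12345, Payload = "buy:tower:7", Message = "free", CostOpt = 0 },
}
for name, order in pairs(samples) do
    local rebuilt, reason = validateCustomOrder(standing, order)
    print(name, rebuilt and ("accepted, cost " .. rebuilt.CostOpt) or ("rejected: " .. reason))
end
```

The "cheap" sample is accepted, but its client-supplied cost of 0 is replaced by the server's price, which is the point of recreating the fields rather than trusting them.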