Posted

Hello,

 

I am new to L2 Servers and I wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass:

<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on the client side, I am thinking that someone could replace the value of class_name with something else and exploit it.

 

So my first question is: can someone manipulate the html on the client side?

 

If yes, do you place code in the AI that checks again whether the response from the client is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options:

<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request, or take it for granted that since you provided him these options in the first place, the response that you get from the client is valid, and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

Posted

Short answer is it depends on which server you're using.

 

From c4 onwards (and in the c1 server via extenders) the L2Server has built-in protection for html links and bypasses: it caches all links and bypasses sent to the user for the last html, and then when a link or bypass is requested it checks if that link or bypass was actually sent to the user.

 

HOWEVER - in the later servers (don't know for sure about GF but 100% for HF) there exists exactly what you are talking about: client-based bypasses and links which are sent as fstring ids to the client rather than the actual bypass string (also some interface-based bypasses for stuff like manor and hero systems), so those cannot be cached and will cause a false flag if you have the bypass/link check turned on. As a result a lot of people (NCsoft included) just don't have that system enabled, and so yes, for those cases you can change those bypasses in the client to whatever the heck you want, and if the AI doesn't have sufficient checks in place then it can cause exploitable issues.

 

NCsoft is hugely susceptible to this, and you end up with quests where they don't check if you've actually completed every single step of the quest process and you can finish quests early, or in cases from the early days you could just spam a bypass and be given rewards for a quest you were never even on.

 

AI best practice, kinda like web best practice, is to assume that every bypass being received could've been modified by the user, and double/triple/quadruple check everything at every stage to be sure what they're requesting is something they're able to request and that they meet the requirements to request it.

  • Thanks 1
Posted
Yes, they can manipulate html bypasses on the client side, for example by adding them on the server help html.

These bypasses are from the startup system, yes? You can fix them by adding stages, setStage(1), setStage(2), and adding a check for stages on every bypass; then they wouldn't be able to manipulate it.

Posted

You can always change them in the client, in tons of different ways, but most people will just use a bot to send custom bypasses directly. If you don't fully validate user input on the server side, you are set to fail if just 1 guy finds out.
