Discussion HTML bypass security

[HugoBoss]

Hello,

 

i am new to L2 Servers and i wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass:

<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on client side, i am thinking that someone could replace the value of class_name to something else and exploit it.

 

So my first questions is; Can someone manipulate the html on the client side?

 

If yes, do you place code on the ai that checks again the response from the client if it is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options:

<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request or take as granted that since you provided him these options in the first place, the response that you get from the client is valid and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

[Anarchy]

Short answer is it depends on which server you're using.

 

From c4 onwards (and in the c1 server via extenders) the L2Server has built-in protection for html links and bypasses, it caches all links and bypasses sent to the user for the last html and then when a link or bypass is requested it checks if that link or bypass was actually sent to the user.

 

HOWEVER - in the later servers (don't know for sure about GF but 100% for HF) there exists exactly what you are talking about, client-based bypasses and links which are sent as fstring ids to the client rather than the actual bypass string (also some interface-based bypasses for stuff like manor and hero systems), so those cannot be cached and will cause a false flag if you have the bypass/link check turned on, as a result a lot of people (ncsoft included) just don't have that system enabled and so yes for those cases you can change those bypasses in the client to whatever the heck you want and if the AI doesn't have sufficient checks in place then it can cause exploitable issues.

 

ncsoft is hugely susceptible to this and you end up with quests where they don't check if you've actually completed every single step of the quest process and you can finish quests early or in cases from the early days you could just spam a bypass and be given rewards for a quest you were never even on.

 

AI best practice, kinda like web best practice, is to assume that every bypass being received could've been modified by the user and double/triple/quadruple check everything at every stage to be sure what they're requesting is something they're able to request and that they meet the requirements to request it

[L2Extreme]

5 hours ago, HugoBoss said:

Hello,

 

i am new to L2 Servers and i wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass:

<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on client side, i am thinking that someone could replace the value of class_name to something else and exploit it.

 

So my first questions is; Can someone manipulate the html on the client side?

 

If yes, do you place code on the ai that checks again the response from the client if it is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options:

<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request or take as granted that since you provided him these options in the first place, the response that you get from the client is valid and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

yes, they can manipulate html bypasses on the client side, example adding them on server help html.

these bypasses are from startup system yes? you can fix them by adding stages, setStage(1), setStage(2) and add check for stages on every bypass, then they wouldnt be able to manipulate it.

[AlmostGood]

you can always change them in client, in tons of different ways, but most of people will just use bot to send custom bypasses directly. If you don't fully validate user input on server side, you are set to fail if just 1 guy finds out.