Jump to content
MaxCheaters Official Group on Discord
-> Place your ad text here <-
LINEAGE2.GOLD INTERLUDE SERVER ON ESSENCE CLIENT

HTML bypass security

HugoBoss
 Share

Recommended Posts

HugoBoss Newbie

HugoBoss

Posted
Posted

Hello,

 

i am new to L2 Servers and i wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass: 

<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on client side, i am thinking that someone could replace the value of class_name to something else and exploit it.

 

So my first questions is; Can someone manipulate the html on the client side?

 

If yes, do you place code on the ai that checks again the response from the client if it is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options: 

<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request or take as granted that since you provided him these options in the first place, the response that you get from the client is valid and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

Anarchy Enthusiast

Anarchy

Posted
Posted

Short answer is it depends on which server you're using.

 

From c4 onwards (and in the c1 server via extenders) the L2Server has built-in protection for html links and bypasses, it caches all links and bypasses sent to the user for the last html and then when a link or bypass is requested it checks if that link or bypass was actually sent to the user.

 

HOWEVER - in the later servers (don't know for sure about GF but 100% for HF) there exists exactly what you are talking about, client-based bypasses and links which are sent as fstring ids to the client rather than the actual bypass string (also some interface-based bypasses for stuff like manor and hero systems), so those cannot be cached and will cause a false flag if you have the bypass/link check turned on, as a result a lot of people (ncsoft included) just don't have that system enabled and so yes for those cases you can change those bypasses in the client to whatever the heck you want and if the AI doesn't have sufficient checks in place then it can cause exploitable issues.

 

ncsoft is hugely susceptible to this and you end up with quests where they don't check if you've actually completed every single step of the quest process and you can finish quests early or in cases from the early days you could just spam a bypass and be given rewards for a quest you were never even on.

 

AI best practice, kinda like web best practice, is to assume that every bypass being received could've been modified by the user and double/triple/quadruple check everything at every stage to be sure what they're requesting is something they're able to request and that they meet the requirements to request it

  • Thanks 1
L2Extreme Apprentice

L2Extreme

Posted
Posted
5 hours ago, HugoBoss said:

Hello,

 

i am new to L2 Servers and i wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass: 


<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on client side, i am thinking that someone could replace the value of class_name to something else and exploit it.

 

So my first questions is; Can someone manipulate the html on the client side?

 

If yes, do you place code on the ai that checks again the response from the client if it is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options: 


<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request or take as granted that since you provided him these options in the first place, the response that you get from the client is valid and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

yes, they can manipulate html bypasses on the client side, example adding them on server help html.

these bypasses are from startup system yes? you can fix them by adding stages, setStage(1), setStage(2) and add check for stages on every bypass, then they wouldnt be able to manipulate it.

AlmostGood Enthusiast

AlmostGood

Posted
Posted

you can always change them in client, in tons of different ways, but most of people will just use bot to send custom bypasses directly. If you don't fully validate user input on server side, you are set to fail if just 1 guy finds out.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • Posts

    • SocNet
      [SOCNET SMS] Virtual numbers and SMS-service

      By SocNet · Posted

      Virtual numbers for full control and flexibility. We offer long-term number rental (days, months) and one-time SMS receiving — all in one service. Long-term rental is suitable for stable access to accounts, repeated verifications, and number retention. One-time numbers are for quick registrations and single-use operations. Reliable SMS delivery, predictable results, and convenience that even many large SMS services do not offer. Go to the SMS service
    • SocNet
      [SOCNET STARS] | Telegram Stars ⭐ /Premium Subs/Ads Balance

      By SocNet · Posted

      Telegram gifts are once again showing growth. This is associated with a possible pause in the gift release pipeline by Pavel Durov, as well as the approaching New Year, when demand traditionally increases. Against this backdrop, Telegram Stars, the platform’s internal currency, are once again coming to the forefront. With their help, users send gifts, subscribe to Telegram Premium, and use paid features within the Telegram ecosystem. Buy Telegram Stars with maximum benefit in our bot
    • SocNet
      [SOCNET STARS] | Telegram Stars ⭐ | Premium Subs|Ads Balance

      By SocNet · Posted

      Telegram gifts are once again showing growth. This is associated with a possible pause in the gift release pipeline by Pavel Durov, as well as the approaching New Year, when demand traditionally increases. Against this backdrop, Telegram Stars, the platform’s internal currency, are once again coming to the forefront. With their help, users send gifts, subscribe to Telegram Premium, and use paid features within the Telegram ecosystem. Buy Telegram Stars with maximum benefit in our bot
    • SocNet
      SOCNET BOOST 是所有社交媒体营销(SMM)平台中的新解决方案 | 社交媒体与网络流量

      By SocNet · Posted

      流量套利 + SMM 面板 — 强大的增长组合. 通过社交信号加强推广活动,提高信任度和转化率,加速扩张。 为套利专员和 SMM 提供的所有工具 — 在一个地方. 有效链接: SMM 面板: 前往 – 推广您的社交媒体账户。 其他服务和产品: 数字商品商店(网站): 前往 商店 Telegram 机器人: 前往 – 通过 Telegram 信使方便访问商店。 虚拟号码服务: 前往 用于购买 Telegram Stars 的 Telegram 机器人: 前往 – 在 Telegram 中快速且优惠地购买 Stars。 SMM 面板: 前往 – 推广您的社交媒体账户。 我们想向您展示当前促销和特别优惠列表,用于购买我们服务的产品和服务: 1. 您可以在首次购买时使用促销代码:SOCNET(15% 折扣) 2. 获取 $1 商店余额或 10–20% 折扣——只需在我们网站注册后按以下模板填写您的用户名:"SEND ME BONUS, MY USERNAME IS..." ——您需要在我们的论坛主题中发布! 3. SMM 面板首次试用可获得 $1:只需在我们的网站(Support)提交主题为 “Get Trial Bonus” 的工单。 4. 我们的 Telegram 频道和 Stars 购买机器人中每周都会赠送 Telegram Stars! 新闻: ➡ Telegram 频道: https://t.me/accsforyou_shop ➡ WhatsApp 频道: https://chat.whatsapp.com/K8rBy500nA73z27PxgaJUw?mode=ems_copy_t ➡ Discord 服务器: https://discord.gg/y9AStFFsrh 联系方式和支持: ➡ Telegram: https://t.me/socnet_support ➡ WhatsApp: https://wa.me/79051904467 ➡ Discord: socnet_support ➡ ✉ Email: solomonbog@socnet.store
    • SocNet
      [SOCNET SMM] is a new solution among all SMM panels

      By SocNet · Posted

      Traffic arbitrage + SMM panel — a powerful combination for growth. Strengthen campaigns with social signals, increase trust and conversion, scale faster. All tools for arbitrage specialists and SMM — in one place. Active links: SMM Panel: Go to – promotion of your social media accounts. Other services and products: Digital goods store (Website): Go to Store Telegram bot: Go to – convenient access to the store via the Telegram messenger. Virtual numbers service: Go to Telegram bot for purchasing Telegram Stars: Go to – fast and profitable purchase of Stars in Telegram. SMM Panel: Go to – promotion of your social media accounts. We want to present to you the current list of promotions and special offers for purchasing products and services of our service: 1. You can use a promo code for your first purchase: SOCNET (15% discount) 2. Get $1 on your store balance or a 10–20% discount — just write your username after registering on our website using the following template: "SEND ME BONUS, MY USERNAME IS..." – you need to post this in our forum thread! 3. Get $1 for the first trial launch of the SMM Panel: just open a ticket with the subject “Get Trial Bonus” on our website (Support). 4. Weekly Telegram Stars giveaways in our Telegram channel and in our bot for purchasing stars! News: ➡ Telegram channel: https://t.me/accsforyou_shop ➡ WhatsApp channel: https://chat.whatsapp.com/K8rBy500nA73z27PxgaJUw?mode=ems_copy_t ➡ Discord server: https://discord.gg/y9AStFFsrh Contacts and support: ➡ Telegram: https://t.me/socnet_support ➡ WhatsApp: https://wa.me/79051904467 ➡ Discord: socnet_support ➡ ✉ Email: solomonbog@socnet.store

  • Topics

×
×
  • Create New...

AdBlock Extension Detected!

Our website is made possible by displaying online advertisements to our members.

Please disable AdBlock browser extension first, to be able to use our community.

I've Disabled AdBlock