Posted

Hello,

 

I am new to L2 Servers and I wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass:

<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on the client side, I am thinking that someone could replace the value of class_name with something else and exploit it.

So my first question is: can someone manipulate the html on the client side?

If yes, do you place code in the AI that checks again whether the response from the client is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options:

<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request, or do you take it for granted that, since you provided him these options in the first place, the response that you get from the client is valid, and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

Posted

Short answer is it depends on which server you're using.

 

From c4 onwards (and in the c1 server via extenders) the L2Server has built-in protection for html links and bypasses: it caches all links and bypasses sent to the user for the last html, and then when a link or bypass is requested it checks if that link or bypass was actually sent to the user.

HOWEVER - in the later servers (don't know for sure about GF but 100% for HF) there exists exactly what you are talking about: client-based bypasses and links which are sent as fstring ids to the client rather than the actual bypass string (also some interface-based bypasses for stuff like manor and hero systems). Those cannot be cached and will cause a false flag if you have the bypass/link check turned on. As a result, a lot of people (ncsoft included) just don't have that system enabled, and so yes, for those cases you can change those bypasses in the client to whatever the heck you want, and if the AI doesn't have sufficient checks in place then it can cause exploitable issues.

ncsoft is hugely susceptible to this, and you end up with quests where they don't check if you've actually completed every single step of the quest process and you can finish quests early, or, in cases from the early days, you could just spam a bypass and be given rewards for a quest you were never even on.

AI best practice, kinda like web best practice, is to assume that every bypass being received could've been modified by the user and double/triple/quadruple check everything at every stage to be sure what they're requesting is something they're able to request and that they meet the requirements to request it.

  • Thanks 1
Posted
5 hours ago, HugoBoss said:

Hello,

 

I am new to L2 Servers and I wanted to discuss security about html bypasses.

 

So let's take as an example this class change bypass:


<a action="bypass -h class_change?class_name=1">Warrior</a>

 

Since this is present on the client side, I am thinking that someone could replace the value of class_name with something else and exploit it.

So my first question is: can someone manipulate the html on the client side?

If yes, do you place code in the AI that checks again whether the response from the client is valid?

 

For example let's say that a Human Fighter goes to the class changer.

The class changer calculates the available classes based on his current class and presents him three options:


<a action="bypass -h class_change?class_name=1">Warrior</a><br>
<a action="bypass -h class_change?class_name=4">Knight</a><br>
<a action="bypass -h class_change?class_name=7">Rogue</a><br>

 

After the client submits his request to change to Warrior, do you still re-check the validity of that request, or do you take it for granted that, since you provided him these options in the first place, the response that you get from the client is valid, and proceed to perform the class change action without further checks?

 

Thanks,

Hugo

 

Yes, they can manipulate html bypasses on the client side, for example by adding them on the server help html.

These bypasses are from the startup system, yes? You can fix them by adding stages, setStage(1), setStage(2), and adding a check for stages on every bypass; then they wouldn't be able to manipulate it.

Posted

You can always change them in the client, in tons of different ways, but most people will just use a bot to send custom bypasses directly. If you don't fully validate user input on the server side, you are set to fail if just 1 guy finds out.
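
The checks described in the replies above, as an added C++ sketch that is not from the thread, L2Server or any extender: a per-player cache of the bypasses in the last HTML sent, plus a re-check against server-side state that runs even when the cache check is turned off. The `Player` struct, the function names, class id 0 for Human Fighter and the level-20 requirement are assumptions; ids 1, 4 and 7 come from the links in the question.

```cpp
#include <map>
#include <set>
#include <string>

// Constructed data: ids 1, 4, 7 are the thread's Warrior/Knight/Rogue links.
// Id 0 for Human Fighter and the level-20 requirement are assumptions.
static const std::map<int, std::set<int>> kNextClasses = {{0, {1, 4, 7}}};
static const std::string kPrefix = "class_change?class_name=";

struct Player {
    int classId;
    int level;
    std::set<std::string> sentBypasses;  // bypasses in the last HTML sent
};
enum class Result { Ok, NotSent, Malformed, NotAllowed };

// Build the class changer window and cache exactly the bypasses it contains.
void showClassChanger(Player& p) {
    p.sentBypasses.clear();
    auto it = kNextClasses.find(p.classId);
    if (it == kNextClasses.end()) return;
    for (int id : it->second)
        p.sentBypasses.insert(kPrefix + std::to_string(id));
}

Result handleBypass(Player& p, const std::string& bypass, bool linkCheck) {
    // Layer 1 (optional): was this exact bypass in the last HTML we sent?
    if (linkCheck && p.sentBypasses.count(bypass) == 0) return Result::NotSent;
    // Strict parse: known prefix followed by 1-3 decimal digits, nothing else.
    if (bypass.compare(0, kPrefix.size(), kPrefix) != 0) return Result::Malformed;
    const std::string num = bypass.substr(kPrefix.size());
    if (num.empty() || num.size() > 3 ||
        num.find_first_not_of("0123456789") != std::string::npos)
        return Result::Malformed;
    const int target = std::stoi(num);
    // Layer 2 (always): re-derive what is allowed from server-side state.
    auto it = kNextClasses.find(p.classId);
    if (p.level < 20 || it == kNextClasses.end() ||
        it->second.count(target) == 0)
        return Result::NotAllowed;
    p.classId = target;
    p.sentBypasses.clear();  // the old window's links are no longer valid
    return Result::Ok;
}

int main() {
    Player p{0, 20, {}};
    showClassChanger(p);
    return handleBypass(p, kPrefix + "1", true) == Result::Ok ? 0 : 1;
}
```

With `linkCheck` off, as the second reply says many servers run, a modified `class_name` still fails at layer 2 because the allowed set is recomputed from the player's current class rather than trusted from the request.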
