What's the problem with eval?
#1
Javascript eval has been known to cause security problems, but I've never really understood what's the problem with it. How would people use it in a bad way?



#2
eval in any language can cause script injection bugs if you are not careful. When using user input of some kind, it can cause a problem.
This can happen in any language, like JavaScript, Perl, Python, PHP, shell scripts and so on.

A classic issue is writing a ping command which uses a variable called HOST.

ping $HOST

works when the data is fine, but runs into problems when HOST=hostname;rm -rf *



#3
It is usually a concern with user inputs only. Since the user can input anything he wants, this can execute arbitrary code. I agree that this is less of a concern in JS, compared to other (server-side) languages.



#4
Well, it can lead to XSS when used on the client, and it can be a problem on the server side with Node.js.



#5
In addition to what people have already said about the possibility of code injection if user input is used, it can also lead to bad designs that are hard to debug if you start mixing and matching OS scripts instead of writing native JS code when you can.



#6
Suppose you had a website that performed a search function using JavaScript, and it got the user's search terms from URL parameters. The URL might look something like this:

Code:
https://example.com?query=this+is+what+i+want+to+search

And suppose the JavaScript handling the search used the eval function, it might look something like this:


Code:
var url = new URL(window.location.href)
var searchparam = url.searchParams.get('query')              // untrusted: taken straight from the URL
var evalstring = "someobject.search('" + searchparam + "')"  // user data spliced into source text
eval(evalstring)                                             // the spliced string is executed as code

The query parameter "this is what i want to search" is fetched from the URL and inserted into the "evalstring" variable. It would look like this:

Code:
someobject.search('this is what i want to search')

That string is then passed to eval(). This would cause the someobject.search() function to execute on the search param.

However, imagine if the following URL was used:

Code:
https://example.com?query=search+this');alert('injected

When the query parameter gets inserted into evalstring, the final string will look like this:

Code:
someobject.search('search this');alert('injected')

When eval runs on this string, it will execute the search function, but will also pop up an alert box containing the string "injected". You could replace this alert function with any arbitrary JavaScript you want, and it would get executed by the browser. It could contain a keylogger, or a crypto miner - anything that can be implemented in JavaScript.

Now imagine someone tricked another user into clicking the link above with some malicious JavaScript payload. The user would load the page and immediately execute whatever JavaScript the attacker cooked up for them. That's why it's dangerous to use the eval() function, especially with user input.


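The scenario from #6, runnable end to end, as an added example (not code from the post): the URL is a constructed string instead of window.location, `someobject` is a stand-in that just records what it was asked to search for, and the injected payload sets `globalThis.pwned` instead of calling alert(), since there is no alert in Node. Next to the vulnerable handler is the fix the post implies: pass the query as a value, never as code.

```javascript
// Added example, not from the thread. Reproduces the eval() injection from #6
// and shows the non-eval version of the same handler.

const calls = [];
// Stand-in for the post's someobject: records each search term it receives.
const someobject = {
  search(term) {
    calls.push(term);
    return `results for "${term}"`;
  }
};

// Vulnerable handler, as in the post: the query becomes part of the source text.
function vulnerableSearch(href) {
  const url = new URL(href);
  const searchparam = url.searchParams.get('query');
  const evalstring = "someobject.search('" + searchparam + "')";
  return eval(evalstring); // returns the value of the LAST statement in the string
}

// Fixed handler: the query is an argument, so it can only ever be a search term.
function safeSearch(href) {
  const url = new URL(href);
  const searchparam = url.searchParams.get('query') ?? '';
  return someobject.search(searchparam);
}

// Constructed URLs. The payload closes the string literal and the call, then
// appends a statement of its own (stand-in for alert('injected')).
const benignUrl = 'https://example.com/?query=this+is+what+i+want+to+search';
const payload = "search this');globalThis.pwned=('yes";
const attackUrl = 'https://example.com/?query=' + encodeURIComponent(payload);

function demo() {
  const out = {};
  out.benign = vulnerableSearch(benignUrl);      // works as intended
  out.hostile = vulnerableSearch(attackUrl);     // 'yes': eval ran the injected statement
  out.pwnedAfterEval = globalThis.pwned;         // 'yes': attacker-controlled code executed
  delete globalThis.pwned;
  out.safe = safeSearch(attackUrl);              // payload treated as a plain search term
  out.pwnedAfterSafe = globalThis.pwned;         // undefined: nothing executed
  return out;
}

console.log(demo());
```

The attack string is what the browser would hand to searchParams.get() after decoding; the only difference from the post's URL is that `alert('injected')` is swapped for a property write that can be checked afterwards. Note that the "fix" is not escaping quotes inside the eval string: the real fix is that safeSearch contains no eval at all.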

#7
Hello,

The user above explained it well: don't use eval with dynamic content, as that leads to security problems, or protect it really well.
