Is the following javascript safe from arbitrary code execution?


I'm contributing to a javascript framework which has the equivalent of the following code:

eval("'" + user_input.replace(/'/g, "\\'") + "'");

I know this is terrible -- no need to persuade me. What I want to know is, can I inject arbitrary code here?

At first glance the user_input.replace("'", "\\'") would seem to prevent me from breaking out of the string. However I can pass in newlines e.g. \nalert(123)\n, but then the result is always a syntax error, e.g.

'
alert(123)
'

Is there actually a vector for code injection here, other than just causing a syntax error?

