I was just researching why using the eval() function is bad, and one reason I found is that it is vulnerable to code injection attacks (Post: Why is using the JavaScript eval function a bad idea?).
But my question is, do we necessarily need to be worried about code injection in JavaScript? Because if any user wants to run any JS script on a website, he can do it by running it in the console.
So I'm just wondering, what extra harm may it do if anyone succeeds in injecting his code into my JavaScript code?
EDIT
Based on Oleander's answer below, I found one kind of vulnerability when we have communication between the browser and the server through AJAX calls. That makes perfect sense. But I may have JavaScript programs which only run in the browser and do not have any communication with the backend, for example a calculator or a simple game. So my supplementary question here is, is there any other reason which can make these programs vulnerable too?
Security problems occur when a hacker injects harmful code into a JSON response requested by a user, which is then evaluated using eval.
Imagine the following code is being run:
$.get("/get.json", function(data){      // jQuery AJAX request for the JSON resource
    var obj = eval(data);               // String to JavaScript object: runs whatever the string contains
});
The resource looks like this
GET /get.json
{
some: "data"
}
But an attacker, using a man-in-the-middle attack, replaces the above with
(function(){
    // payload: exfiltrate document.cookie to the attacker's server
})();
The attacker now has access to the user's session.
Well, if your code takes a value from the query string and uses it in an eval, an attacker could entice their victim to visit a URL containing the evil query string.
From OWASP:
<script>
function loadObj(){
    var cc=eval('('+aMess+')');
    document.getElementById('mess').textContent=cc.message;
}

if(window.location.hash.indexOf('message')==-1)
    var aMess="({\"message\":\"Hello User!\"})";
else
    var aMess=location.hash.substr(window.location.hash.indexOf('message=')+8);
</script>
The attacker could send an email containing a link or redirect a user visiting their malicious site to the URL
http://example.com/page.html?message=<img onerror="alert(xss)">
Then you have a DOM based XSS attack.
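Both answers above hit the same sink: text that came from outside the page (an AJAX body in the first, a URL fragment in the second) is handed to eval(), so any JavaScript in it executes. The following is an added example written for this page, not code from either answer or from OWASP. It puts the eval() pattern next to a hardened version that treats the text strictly as data with JSON.parse, and reworks the OWASP loadObj() logic to read the fragment with URLSearchParams. The request body, the tampered body and the hash values are constructed for the demonstration; the tampered body only sets a marker instead of leaking anything. The function names unsafeParse, safeParse, messageFromHash and renderMessage are this example's own.

```javascript
// Vulnerable pattern, kept only for the contrast: any JavaScript in the string runs.
function unsafeParse(text) {
  return eval(text);
}

// Hardened pattern: JSON.parse accepts only the JSON grammar. A function
// expression, an <img> tag or anything else that is not JSON is rejected.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name }; // "SyntaxError" for non-JSON input
  }
}

// Constructed stand-ins for the first answer's response bodies. The tampered
// one mimics a swapped-in script but only flips a flag so execution is observable.
const BENIGN_BODY = '{"some":"data"}';
const TAMPERED_BODY =
  '(function(){ globalThis.payloadRan = true; return {some:"data"}; })()';

// Hardened version of the OWASP loadObj() logic: read the fragment parameter
// with URLSearchParams, parse it as JSON, and fall back to the default whenever
// the value is missing, is not JSON, or does not carry a string "message".
const DEFAULT_MESSAGE = 'Hello User!';
function messageFromHash(hash) {
  const query = hash.startsWith('#') ? hash.slice(1) : hash;
  const raw = new URLSearchParams(query).get('message'); // percent-decoded
  if (raw === null) return DEFAULT_MESSAGE;
  const parsed = safeParse(raw);
  if (!parsed.ok || typeof parsed.value !== 'object' || parsed.value === null) {
    return DEFAULT_MESSAGE;
  }
  return typeof parsed.value.message === 'string'
    ? parsed.value.message
    : DEFAULT_MESSAGE;
}

// In the browser, textContent (as in the OWASP snippet) is the right sink: it
// never parses HTML. Guarded so this file also runs under Node without a DOM.
function renderMessage(hash) {
  const msg = messageFromHash(hash);
  if (typeof document !== 'undefined') {
    const el = document.getElementById('mess');
    if (el) el.textContent = msg;
  }
  return msg;
}

// Runs both scenarios and reports what each parser did with the constructed inputs.
function demo() {
  globalThis.payloadRan = false;
  unsafeParse(TAMPERED_BODY);                       // eval executes the payload
  const results = {
    evalRunsPayload: globalThis.payloadRan === true,
    benignParses: safeParse(BENIGN_BODY).ok,        // plain JSON is accepted
    tamperedRejected: !safeParse(TAMPERED_BODY).ok, // script is a SyntaxError
    xssRejected:
      messageFromHash('#message=<img onerror="alert(xss)">') === DEFAULT_MESSAGE,
    jsonAccepted:
      messageFromHash('#message=' + encodeURIComponent('{"message":"Hi"}')) === 'Hi',
  };
  return results;
}

console.log(demo());
```

JSON.parse closes the eval() sink in both answers, but it is not the whole story for the first one: a man in the middle who can rewrite the response body can also rewrite valid JSON, so the body has to be protected in transit (HTTPS) as well. For the second answer, the data/HTML distinction matters at the output end too; the OWASP snippet already writes to textContent, which is why its payload relies on eval() rather than on an injected tag being rendered.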
If your game with no backend is on a site with other sensitive information on it, such as user sessions, then it might be possible for the attacker to steal session cookies or grab credentials. It all depends on what the JavaScript has access to. That is, it will have full access to its hosting domain because the Same Origin Policy will restrict it to that. However, if you have other sensitive applications here then they could be compromised. If not, then at worst the attacker could abuse the trust a user has in your site by altering content or monitoring what users do on your site.