I read about the security implications of eval(); however, there is something I don't get. Imagine a worst-case scenario in which eval() is compiling an input box. A hacker could type anything in it and it would get run, but in modern browsers, e.g. Chrome, couldn't he do exactly the same from the console anyway?
- about someone doing `eval(something_from_an_ajax_request)`? – Alvin Wong Dec 20 '12 at 05:24
- http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil – 001 Dec 20 '12 at 05:28
- It's not the user, it's what someone else can do with it. If the data that you'd be evaluating can be encoded into the URL, then an attacker can retrieve cookies or redirect the user's browser. Usually you can replace `eval` with a better solution. – Blender Dec 20 '12 at 05:28
- `eval`ing a `` box is either intended, or bad style, but never a security risk. Worst case would be `eval(location.hash)`. – Bergi Dec 20 '12 at 05:42
- Thanks, great example. It also seems an eval misstep would be too easy to spot and make use of, even by the most inexperienced hackers. I'll try to avoid it. – lisovaccaro Dec 20 '12 at 06:00
1 Answer
Sure, but the user's goal is not to steal his own data.
The danger is that someone else succeeds in bringing the malicious code somewhere he knows that an eval will occur on the user's page.
An attack exploiting such an issue is called Cross Site Scripting.
Another similar security issue is directly appending HTML which might contain a script tag. For example, if you do that while implementing a forum, and the users are allowed to write HTML without any restrictions, they can have script tags executing in other users' pages.

Samuel Rossille
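The difference that the `eval(location.hash)` comment and the answer point at, as an added example that is not part of the original thread: a settings loader that evaluates a URL fragment next to one that parses and validates it. The settings-in-the-fragment scenario, the function names and both sample fragments are assumptions constructed for illustration; it runs under Node.js.

```javascript
// Stand-in for any effect the page author never intended (constructed).
const sideEffects = [];
globalThis.recordSideEffect = (what) => { sideEffects.push(what); };

// The fragment is chosen by whoever wrote the link, not by the user who opens it.
function fragmentText(fragment) {
  return decodeURIComponent(fragment.replace(/^#/, ""));
}

// Vulnerable form: the fragment is treated as code.
function loadSettingsWithEval(fragment) {
  return eval("(" + fragmentText(fragment) + ")");
}

// Hardened form: the fragment is treated as data and checked against an allow-list.
function loadSettingsSafely(fragment) {
  let parsed;
  try {
    parsed = JSON.parse(fragmentText(fragment)); // never executes anything
  } catch {
    return null; // not JSON: reject
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return null;
  }
  const allowedThemes = ["light", "dark"];
  return allowedThemes.includes(parsed.theme) ? { theme: parsed.theme } : null;
}

// Constructed sample fragments: one plain, one carrying an expression.
const BENIGN_FRAGMENT = "#" + encodeURIComponent('{"theme":"dark"}');
const CRAFTED_FRAGMENT =
  "#" + encodeURIComponent('recordSideEffect("ran in the page"), {"theme":"dark"}');

function demo() {
  sideEffects.length = 0;
  const evalBenign = loadSettingsWithEval(BENIGN_FRAGMENT);
  const evalCrafted = loadSettingsWithEval(CRAFTED_FRAGMENT);
  const ranUnderEval = sideEffects.length;
  const safeBenign = loadSettingsSafely(BENIGN_FRAGMENT);
  const safeCrafted = loadSettingsSafely(CRAFTED_FRAGMENT);
  const ranUnderParse = sideEffects.length - ranUnderEval;
  return { evalBenign, evalCrafted, ranUnderEval, safeBenign, safeCrafted, ranUnderParse };
}

console.log(demo());
```

Both loaders return the same settings for the plain fragment; only the `eval` version also runs the expression carried by the crafted one, and it still returns a normal-looking settings object, so nothing looks wrong to the page.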