
I was just researching why using the eval() function is bad, and I found one reason: it is vulnerable to code injection attacks (post: Why is using the JavaScript eval function a bad idea?).

But my question is, do we necessarily need to be worried about code injection in JavaScript? Because if any user wants to run any JS script on a website, he can do it by running it in the console.

So, I'm just wondering, what extra harm may it do if anyone succeeds in injecting his code into my JavaScript code?

EDIT
Based on Oleander's answer below, I found one kind of vulnerability when we have communication between the browser and the server through AJAX calls. That makes perfect sense. But I may have JavaScript programs which only run in the browser and do not have any communication with the backend, for example a calculator or a simple game. So my supplementary question here is: is there any other reason which can make these programs vulnerable too?

  • Code injections are harmful when they are made by someone other than the user. Are you sure your user is the only one who controls the argument of the `eval`? – Bergi Dec 14 '15 at 05:06
  • When I am talking about JavaScript, it should be the user who can only modify the inputs (in forms). I am not sure about any other way. Do you have any other possible example? – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 14 '15 at 05:08
  • @TareqMahmood I posted one example – Linus Oleander Dec 14 '15 at 05:17
  • Injecting JavaScript code in a browser is also known as Cross-Site Scripting. – Gumbo Dec 14 '15 at 05:49
  • Not only ajax calls. The main threat is stealing your user's cookies (therefore session). If your website requires any kind of login, then it's a threat. If not then it's not a threat. But 90% of all web applications use some sort of login. Or if you're actually writing javascript for a living instead of just your own personal hobby, then 100% of all web apps require some sort of login. These days it's also popular to login via Facebook so you risk not only your user's account but also his/her Facebook account. – slebetman Dec 14 '15 at 05:58
  • @Gumbo That's a good point too (assuming that we are sending / storing data into backend). – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 14 '15 at 06:01
  • @slebetman I didn't understand your point until I read SilverlightFox's answer in detail. Thanks. – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 15 '15 at 23:02

2 Answers


Security problems occur when a hacker injects harmful code into a JSON request made by a user, which is then evaluated using eval.

Imagine the following code is being run

$.get("/get.json", function(data){
  var obj = eval(data) // String to javascript object
});

The resource looks like this

GET /get.json
{
  some: "data"
}

But an attacker, using a man-in-the-middle attack, replaces the above with

function(){
  // send window.cookie to attacker
}();

The attacker now has access to the user's session.

Linus Oleander
  • Thanks. I understand it now. But my original thinking was about a JS-based frontend game or calculator, which doesn't use any communication with the server. Do you think there may be a possible cause of risk in those programs? – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 14 '15 at 05:20
  • @TareqMahmood it's always a best practice to follow best practices. If you make a habit of cutting corners or not learning about possible security implications upfront, you are going to continue those practices when you progress into a server/client type project. The `eval()` function is for getting access to JavaScript's compiler and is wrongly used in a variety of situations. Note, eval also has a poor performance implication. – Sean Perkins Dec 14 '15 at 05:52
  • @TareqMahmood I could be wrong, but I am pretty sure this has nothing to do with a "man in the middle attack". – Sverri M. Olsen Dec 14 '15 at 06:00
  • @SverriM.Olsen Why not? I was thinking about a possible use case where we get some lines of JS code from the backend through AJAX which we will run through the `eval()` function. What if someone in the middle changes our line of JS code to something which will send some data from the user to that person by another AJAX call? – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 14 '15 at 06:05
  • -1. This answer makes no sense. If the attacker is capable of executing a MitM, you don't need to worry about `eval` at all. – Bergi Dec 14 '15 at 18:46
  • @Bergi Care to explain why? Note that the main goal here is to evaluate arbitrary code on the client side and that you might not have the ability to manipulate requests made to the same host (due to an SSL connection) – Linus Oleander Dec 14 '15 at 19:56
  • @Oleander: If you mean to MitM an HTTP connection on an HTTPS site that uses `eval`, that might be a valid point, but the mixed content should be a higher concern than the `eval`. And altogether, that's still not what XSS is really about. – Bergi Dec 14 '15 at 20:08
  • @Bergi Could you please explain your downvote in more detail? I'm here to learn so it would be interesting to understand why. – Linus Oleander Dec 14 '15 at 20:39
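A concrete version of the point in this answer, as an added example (not code from the answer): the handler's eval beside the JSON.parse replacement, run on a constructed legitimate body and a constructed tampered one. The function names and the side-effect flag are mine.

```javascript
// Added example, not the answer's code: the "/get.json" handler with eval
// beside a JSON.parse version, run on constructed bodies. Names are mine.

// What the answer's handler does. The parentheses make the object literal an
// expression; they are also what lets any JavaScript in `body` execute.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// The fix: JSON.parse accepts only the JSON grammar and never runs code.
function parseWithJson(body) {
  return JSON.parse(body);
}

// Constructed legitimate response body (quoted keys, so it is valid JSON).
const GOOD_BODY = '{"some": "data"}';

// Constructed tampered body: it has a side effect (sets a flag) and still
// yields the expected object, so the page keeps working and nothing looks odd.
const TAMPERED_BODY = '(globalThis.sideEffect = true, {"some": "data"})';

// Runs both parsers on a body and reports whether eval executed code and
// whether JSON.parse accepted the body at all.
function compare(body) {
  globalThis.sideEffect = false;
  const report = { evalExecutedCode: false, jsonAccepted: false, some: null };
  try {
    parseWithEval(body);
    report.evalExecutedCode = globalThis.sideEffect;
  } catch (e) { /* eval rejected the body as JavaScript */ }
  try {
    report.some = parseWithJson(body).some;
    report.jsonAccepted = true;
  } catch (e) { /* JSON.parse rejected the body: it is not JSON */ }
  return report;
}
```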

Well if your code takes a value from the query string and uses it in an eval, an attacker could entice their victim to visit the URL containing the evil query string.

From OWASP:

<script>
function loadObj(){
 var cc=eval('('+aMess+')');
 document.getElementById('mess').textContent=cc.message;
}

if(window.location.hash.indexOf('message')==-1)
  var aMess="({\"message\":\"Hello User!\"})";
else
  var aMess=location.hash.substr(window.location.hash.indexOf('message=')+8);
</script>

The attacker could send an email containing a link or redirect a user visiting their malicious site to the URL

http://example.com/page.html?message=<img onerror="alert(xss)">

Then you have a DOM based XSS attack.

If your game with no backend is on a site with other sensitive information on it, such as user sessions, then it might be possible for the attacker to steal session cookies or grab credentials. It all depends on what the JavaScript has access to. That is, it will have full access to its hosting domain because the Same Origin Policy will restrict it to that. However, if you have other sensitive applications here then they could be compromised. If not, then at worst the attacker could abuse the trust a user has in your site by altering content or monitoring what users do on your site.

SilverlightFox
  • But my other point was to know about the possible threat if we only work with user inputs. We may have sensitive information in cookies. But what if we don't use eval for URL params but use it only for user input? For example a calculator where the user inputs two numbers and we do add / sub / mul / div between them by using the eval function. – Tᴀʀᴇǫ Mᴀʜᴍᴏᴏᴅ Dec 15 '15 at 23:12
  • That is one of the cases where `eval()` would be acceptable. It's when, say, later you allow permalink functionality to specific equations that this would be a problem: `example.com?calc=4+4` (`4+4` URL component encoded of course). – SilverlightFox Dec 17 '15 at 09:20
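For the permalinked-calculator case in the last comment, an added example (not code from the answer or the comments): an arithmetic-only evaluator, so an expression read from the URL is computed without eval and anything that is not arithmetic is rejected. Function names are mine; the query key `calc` follows the comment, and the global `URLSearchParams` of Node or a browser is assumed.

```javascript
// Added example, not the answer's code: arithmetic-only evaluator so a
// permalinked expression never reaches eval. Function names are mine.
// Grammar: expr := term (('+'|'-') term)*; term := factor (('*'|'/') factor)*;
//          factor := number | '(' expr ')' | '-' factor
function safeCalc(source) {
  // Whitespace is skipped; every other character becomes a token.
  const tokens = source.match(/\d+(?:\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function factor() {
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of expression");
    if (t === "(") {
      const v = expr();
      if (next() !== ")") throw new SyntaxError("missing ')'");
      return v;
    }
    if (t === "-") return -factor();
    if (/^\d/.test(t)) return parseFloat(t);
    // Letters, quotes, brackets, dots: not arithmetic, so there is no escape.
    throw new SyntaxError("not arithmetic: " + JSON.stringify(t));
  }
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") {
      const op = next(), r = factor();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = next(), r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }
  const value = expr();
  if (pos !== tokens.length) throw new SyntaxError("trailing input");
  return value;
}
// Reads the permalink parameter (URL-encoded, e.g. ?calc=4%2B4) and evaluates
// it without eval. An unencoded '+' decodes to a space and is rejected, as is
// anything non-arithmetic; null means "no valid expression".
function calcFromQuery(search) {
  const raw = new URLSearchParams(search).get("calc");
  if (raw === null) return null;
  try { return safeCalc(raw); } catch (e) { return null; }
}
```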