
I'm making a web application that needs to use logical statements written by the administrators. These will originally be stored in a database on the server, but will be loaded and evaluated client-side.

var success = false;
var apples = 15;
// logic_from_server is a string written by an administrator and loaded from
// the server's database; for example:
var logic_from_server = "success = apples > 10";
eval(logic_from_server); // success is now true

My question now is: could eval be exploited even though the string comes from the server and is never changed by another user? Could someone open the Chrome console and change the value of apples to a string which then executes some XMLHttpRequest and retrieves information from the server?

I.e. are the permissions granted to the eval() in my code different from what is granted to the Chrome console itself, so some code run through eval would be able to do more harm than code run directly in the console?

I mean, I could just type "eval('some evil code')" into the console - is this different from modifying the string sent to the eval which is originally embedded in my code?

Are there any other security risks with using eval for the purpose I describe above?

[EDIT]

Adding this after the first 2 answers, just to be completely clear:

I read in many places that you should never use eval() on user-submitted text. But a user with bad intentions could easily submit text to my eval() by going to the Chrome console and typing apples = "false; {..INSERT_EVIL_CODE..} ;apples ";. So my question is: is this any more harmful than typing the EVIL_CODE directly into the Chrome console?

Ylor
  • https://stackoverflow.com/questions/13840429/what-is-the-difference-between-client-side-and-server-side-programming it should not be possible unless you have an insecure server side; the client side does nothing to your server side – BlackNetworkBit Sep 07 '18 at 10:14
  • nop it should not – SomethingCool Sep 07 '18 at 10:33
  • Thank you for your replies! Just to make sure: I read in many places that you should never use eval() on user-submitted text. But a user with bad intentions could easily submit text to my eval() by going to the Chrome console and typing ' apples = "false; {..INSERT_EVIL_CODE..} ;apples "; '. So my question is: is this any more harmful than typing the EVIL_CODE directly into the Chrome console? – Ylor Sep 07 '18 at 10:56
  • Are you trying to protect your server data from evil users, your users from your admins, or your users from each other? – Bergi Sep 07 '18 at 11:58
  • No, `eval`ing strings in your application is just the same as what happens when you put code in the devtools console. Ensure that the code doesn't harm the current user, or try to impersonate him (which everyone is free to do to oneself - it's only evil to do it to someone else). – Bergi Sep 07 '18 at 11:59
  • @Bergi I'm not worried about the admins. I'm mainly worried about an evil user trying to get access to secret information on the server by some Ajax command. Of course, I'm also a bit worried about one user stealing info from another user - but this shouldn't be a problem with my approach, right? Unless one user somehow modifies my page's appearance and then another user uses the modified version on the same computer. But my approach doesn't open my page to remote stealing of another user's info, by sending a modified link etc., if I understand things correctly? – Ylor Sep 07 '18 at 12:18
  • If only the admins can set the `eval`ed code (and the admins probably could modify plain ` – Bergi Sep 07 '18 at 12:28
  • @Bergi Thank you so much! This is what I hoped for! It makes my application so much easier to develop if I don't have to make my own logic parser! You say "If only the admins can set the eval'ed code" - but what do you mean by "set" in this case? As I said before, anyone can change the code being eval'ed by changing the content of the variables referenced in the code string (see my example with apples above). But if eval inside my script is the same as eval in the console, this clearly doesn't pose any additional threats. – Ylor Sep 07 '18 at 13:30
  • I mean specifically "set the code for *other* users", which is where harm can be caused. Anyone can change the code running on his *own* machine, yes, but that's no threat to your site. – Bergi Sep 07 '18 at 13:39
  • @Bergi Thank you very much! This is exactly what I needed to know! You made my day! – Ylor Sep 07 '18 at 14:02
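Bergi's point above is that the risk lies in admin-set code running in other users' browsers, not in a user editing code on his own machine. One way to bound what a stored rule can do there, as an added example that is not code from the question or any comment: a small allow-listed evaluator for the question's "success = apples > 10" rule form, assuming the rules only need numbers, named variables, comparisons and boolean operators (the function names are my own).

```javascript
// Added example (not from the question or its comments): run an admin rule such as
// "success = apples > 10" through an allow-listed evaluator instead of eval(). Grammar:
// numbers, variable names, < > <= >= == !=, !, &&, || and parentheses; nothing else.
function tokenize(src) {
  const parts = src.match(/\s+|\d+(?:\.\d+)?|[A-Za-z_]\w*|>=|<=|==|!=|&&|\|\||[<>()!]/g) || [];
  // Every character must belong to a token; a stray ".", ";" or "=" fails this check.
  if (parts.join("") !== src) throw new SyntaxError("condition contains an unsupported character");
  return parts.filter((p) => p.trim() !== "").map((p) =>
    /^\d/.test(p) ? { t: "num", v: Number(p) } : /^[A-Za-z_]/.test(p) ? { t: "id", v: p } : { t: "op", v: p });
}

const CMP = { "<": (a, b) => a < b, ">": (a, b) => a > b, "<=": (a, b) => a <= b,
              ">=": (a, b) => a >= b, "==": (a, b) => a === b, "!=": (a, b) => a !== b };

// Recursive descent that evaluates while parsing; precedence: || < && < comparison < ! < atom.
function evaluateCondition(src, vars) {
  const toks = tokenize(src);
  let i = 0;
  const peekOp = () => (toks[i] !== undefined && toks[i].t === "op" ? toks[i].v : null);
  function atom() {
    const tok = toks[i++];
    if (tok === undefined) throw new SyntaxError("unexpected end of condition");
    if (tok.t === "num") return tok.v;
    // Variables resolve only against the object the page passes in, never against globals.
    if (tok.t === "id" && Object.prototype.hasOwnProperty.call(vars, tok.v)) return vars[tok.v];
    if (tok.t === "id") throw new ReferenceError("unknown variable " + tok.v);
    if (tok.v === "!") return !atom();
    if (tok.v !== "(") throw new SyntaxError("unexpected " + tok.v);
    const v = or();
    if (peekOp() !== ")") throw new SyntaxError("expected )"); i++;
    return v;
  }
  function cmp() { const l = atom(); return CMP[peekOp()] ? CMP[toks[i++].v](l, atom()) : l; }
  function and() { let v = cmp(); while (peekOp() === "&&") { i++; const r = cmp(); v = v && r; } return v; }
  function or() { let v = and(); while (peekOp() === "||") { i++; const r = and(); v = v || r; } return v; }
  const result = or();
  if (i !== toks.length) throw new SyntaxError("unexpected " + toks[i].v);
  return result;
}

// One rule of the question's form "name = condition": a single assignment, nothing else.
function applyRule(rule, vars) {
  const m = /^\s*([A-Za-z_]\w*)\s*=(?!=)([\s\S]*)$/.exec(rule);
  if (m === null) throw new SyntaxError("rule must look like 'name = condition'");
  vars[m[1]] = evaluateCondition(m[2], vars);
  return vars[m[1]];
}
```

Unlike eval, a rule here can only read the variables handed to it in `vars`, so the question's rule runs unchanged while anything containing a call, property access or a second statement throws before running.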

0 Answers