Is JavaScript eval really a big security risk?

Assuming there is no security loophole on the browser side that can be used to modify any computer, I don't understand how using eval can lead to any real threat.

Can someone explain how this is possible? Someone may display something on the user's computer, but no real harm can be done without redirecting or accepting the download. The server cannot be corrupted, right?

+4
4 answers

When you take control of JavaScript, it's not just doing it, which can be harmful. With Ajax, you could load a Flash object, PDF or Java into the current page. This will not lead to a dialog, and you call plugins (which have many more privileges than the browser itself).

Thus, theoretically, this can do as much damage as the plugins themselves, which is usually quite a lot.

+3

JavaScript provides access to many ways to force the browser to send data to the server. They can be used to launch attacks on the server (including denial of service attacks).

+2

Any data stored in globally accessible JavaScript variables (by your code or third-party code) is available for code passed to eval.

Depending on what is stored there (for example, user authentication tokens) and how the system is designed, this can cause a lot of damage on the server side.

+1

Since eval can lead to code execution, it creates a vulnerability on your site if you are not 100% in control of this code (and this is very rare, or you would not consider eval anyway).

This vulnerability does not necessarily adversely affect your server, but can seriously affect the user, and in some cases, a hacker can steal your user's cookies, gain access to his session, and much more.

One simple example is eval, which executes a malicious script that sends a message to your server with all the necessary information for your server to delete or modify user data. Since the request does come from your user session, it is an absolutely correct request.

+1
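
The point made in the answers above, that a string passed to eval runs with access to whatever the page's own script can reach, shown beside the usual replacement for parsing server replies. This is an added example, not code from any of the posts; `sessionToken`, the two reply strings and all function names are constructed for illustration.

```javascript
// Added example; every name and value here is constructed for illustration.
// Stands in for a credential the page keeps in script-reachable state.
const sessionToken = "tok-EXAMPLE-0000";

// Constructed inputs: what a server reply might look like.
const benignReply = '{"user": "alice", "unread": 3}';
// Not pure data: an expression that references a variable of the page.
const hostileReply = '({"user": "alice", "unread": sessionToken})';

// Weak pattern: direct eval runs the string as code in the caller's scope,
// so the string can read (or change) anything this function can see.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Hardened pattern: JSON.parse accepts only the JSON data grammar.
// Identifiers, calls and assignments are syntax errors, never executed.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Defence in depth: check shape and types of the parsed value before use.
function validateReply(value) {
  return value !== null && typeof value === "object" &&
    typeof value.user === "string" && Number.isInteger(value.unread);
}

function demo() {
  const viaEval = parseWithEval(hostileReply);
  const viaJson = parseWithJson(hostileReply);
  const good = parseWithJson(benignReply);
  return {
    evalExposedToken: viaEval.unread === sessionToken,
    jsonRejectedHostile: viaJson.ok === false,
    benignAccepted: good.ok && validateReply(good.value),
  };
}

console.log(demo());
```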