The Evils of Eval

[article]
Summary:

If you're a developer who uses JavaScript, or if you know one who does, Bryan Sullivan has some advice for you: take a few moments to acquaint yourself with the dangers of eval and its related functions, then learn to better secure your applications from attackers. In this article, he compares the command to other major security issues like buffer overflows, SQL injection, and cross-site scripting.

If you've ever wanted to learn how to hack software applications, there's basically only one rule you need to follow: get the application to treat your input as code. It sounds simple, but almost every major vulnerability works on exactly this principle. Buffer overflows are exploited by getting the target application to treat input as assembly code and run it. SQL injection vulnerabilities are exploited by getting the application to treat input as SQL code. Cross-site scripting (which should have been named "JavaScript Injection," in my opinion) is just input treated as script and executed on the victim's browser. With all the effort our industry goes through to keep these vulnerabilities out of code, it makes no sense to design applications explicitly to accept untrusted input and execute it as code. Yet, that is exactly what developers do when they write applications that use the JavaScript eval command.

In a nutshell, the eval command takes whatever string you pass it as an argument, compiles that string, and executes it. There are all kinds of problems with this design pattern: it has poor performance, uses too much memory, and is difficult to maintain. Let's focus on the security aspects. If an attacker is able to inject arbitrary script code into an input and get eval to execute that code, the impact is essentially equivalent to that of a successful cross-site scripting attack. In my previous column, "Show Some Respect to Cross-Site Scripting," I wrote about how cross-site scripting attacks can have extremely serious consequences, ranging from enabling phishing attacks to session hijacking and even self-propagating Web worms. All of these attacks are still possible when executed through an eval injection.
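The following is an added example, not code from the article: it assumes the common pattern of using eval to turn a server response into an object, and places it beside the hardened version that uses JSON.parse. The function names and the two response strings are constructed for the demonstration.

```javascript
// Added example (not from the article). A benign sink that records whether
// any code ran while a response was being "parsed"; an injected expression
// in real traffic would reach something far less harmless.
const sideEffects = [];

// Vulnerable pattern: whatever the string contains is compiled and executed.
function parseResponseUnsafe(text) {
  return eval('(' + text + ')');
}

// Hardened pattern: JSON.parse accepts only the JSON grammar and throws on
// anything else, so expressions, calls and assignments never execute.
function parseResponseSafe(text) {
  return JSON.parse(text);
}

// Constructed well-formed response: both parsers agree on plain data.
const goodResponse = '{"user": "alice", "role": "viewer"}';

// Constructed hostile response: looks like data, but one value is an
// expression with a side effect. eval runs it; JSON.parse rejects it.
const badResponse =
  '{"user": "alice", "role": (sideEffects.push("code ran"), "admin")}';

function demo() {
  const results = {};
  results.safeGood = parseResponseSafe(goodResponse).role;   // "viewer"
  results.unsafeBad = parseResponseUnsafe(badResponse).role; // "admin"
  results.effectsAfterUnsafe = sideEffects.length;          // 1: code ran
  try {
    parseResponseSafe(badResponse);
    results.safeBadThrew = false;
  } catch (e) {
    results.safeBadThrew = e instanceof SyntaxError;        // true: rejected
  }
  results.effectsAfterSafe = sideEffects.length;            // still 1
  return results;
}
```

The same check applies to any place a string is handed to eval: if the input only ever needs to be data, a data parser that rejects everything outside its grammar removes the code-execution path entirely.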

Hopefully I've convinced you that using eval is a bad idea, and you're about to go scour your code looking for instances of it. That's a good start, but eval has cousins that go under different


About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security, was published by Addison-Wesley in 2007.
