
Code Injection Using Eval Method

What does this mean?

The eval() function evaluates a string of characters as code. It builds JavaScript code from that string at run time and executes it; developers reach for it when the string's contents are not known in advance. In short, it executes text as code.

What can happen?

The attack targets a script that fails to validate user input in a page parameter. A remote user can supply a carefully crafted URL so that arbitrary code is passed to an eval() call, which then executes it with the privileges of the application.

Recommendation

  • Use structured mechanisms instead of building code from strings. Such mechanisms keep data and commands separate automatically.
  • Validate the values of commands and their associated parameters before they are used.

Sample Code

Vulnerable (PHP):

<?php
// Deliberately vulnerable: the request parameter arg1 is referenced inside a
// string that eval() then executes as PHP code.
$vars = "hacker";
$z = $_GET['arg1'];
eval("\$vars = \$z;");

Vulnerable (JavaScript):

// Deliberately vulnerable: everything in the URL after "default=" is passed
// straight to eval(). ("default=" is 8 characters long.)
eval(document.location.href.substring(document.location.href.indexOf("default=") + 8))

References