The Evils of Eval


Can you be certain that the JSON you're parsing is safe, even if you're pulling it from your own server? If the answer to this question is no, you shouldn't be using eval.
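The following is an added example, not code from the original article, to make the point above concrete: the same response text is fed to eval() and to JSON.parse(). The input strings are constructed for the demonstration; the only "effect" of the embedded expression is setting a flag named sideEffect so the difference can be observed.

```javascript
// Added example: eval() versus JSON.parse() on untrusted response text.
// Both inputs are constructed for this demonstration.

// A response that is almost JSON, but one member value is a JavaScript
// expression rather than a JSON literal.  eval() will happily run it.
const hostileText =
  '{"user": "alice", "role": (globalThis.sideEffect = "ran", "admin")}';

// A well-formed JSON response for comparison.
const benignText = '{"user": "alice", "role": "user"}';

// The pattern the article warns against: wrapping the text in parentheses
// and handing it to eval().  Whatever the string contains is executed.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The safe alternative: JSON.parse() accepts only the JSON grammar and
// throws a SyntaxError on anything else, so no code can run.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Run both parsers over both inputs and record whether the embedded
// expression executed (observed through the sideEffect flag).
function demo() {
  globalThis.sideEffect = undefined;
  const viaEval = parseWithEval(hostileText);
  const evalRanCode = globalThis.sideEffect === 'ran';

  globalThis.sideEffect = undefined;
  const viaJson = parseWithJson(hostileText);
  const jsonRanCode = globalThis.sideEffect === 'ran';

  return {
    viaEval,          // object with role "admin": the expression ran
    evalRanCode,      // true
    viaJson,          // { ok: false, error: "SyntaxError" }
    jsonRanCode,      // false
    benign: parseWithJson(benignText), // { ok: true, value: {...} }
  };
}

console.log(JSON.stringify(demo()));
```

JSON.parse() rejects the tampered text outright while still parsing the legitimate response, which is exactly the property you want from a JSON parser: strict grammar, no evaluation. Modern browsers and Node.js provide JSON.parse natively, and the older json2.js shim falls back to a grammar check before any evaluation, so there is no compatibility reason left to prefer eval.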

As a final thought, I'd like to note that the Microsoft SDL includes a recommendation against using eval and its equivalents. It suggests using Casaba Security's Watcher tool, which I mentioned in More Free Security Tools, to help find these in your code. Happy vulnerability hunting!


About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security was published by Addison-Wesley in 2007.
