The Evils of Eval


If you're a developer who uses JavaScript, or if you know one who does, Bryan Sullivan has some advice for you: take a few moments to acquaint yourself with the dangers of eval and its related functions, then learn to better secure your applications from attackers. In this article, he compares the command to other major security issues like buffer overflows, SQL injection, and cross-site scripting.

If you've ever wanted to learn how to hack software applications, there's basically only one rule you need to follow: get the application to treat your input as code. It sounds simple, but almost every major vulnerability works on exactly this principle. Buffer overflows are exploited by getting the target application to treat input as assembly code and run it. SQL injection vulnerabilities are exploited by getting the application to treat input as SQL code. Cross-site scripting (which should have been named "JavaScript Injection," in my opinion) is just input treated as script and executed on the victim's browser. With all the effort our industry goes through to keep these vulnerabilities out of code, it makes no sense to design applications explicitly to accept untrusted input and execute it as code. Yet, that is exactly what developers do when they write applications that use the JavaScript eval command.

In a nutshell, the eval command takes whatever string you pass it as an argument, compiles that string, and executes it. There are all kinds of problems with this design pattern: it has poor performance, uses too much memory, and is difficult to maintain. Let's focus on the security aspects. If an attacker is able to inject arbitrary script code into an input and get eval to execute that code, the impact is essentially that of a successful cross-site scripting attack. In my previous column, "Show Some Respect to Cross-Site Scripting," I wrote about how cross-site scripting attacks can have extremely serious consequences, ranging from enabling phishing attacks to session hijacking and even self-propagating Web worms. Again, all of these attacks are still possible when executed through an eval injection.
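As an added example (not code from the article), here is the pattern the column warns about beside its data-only replacement: a request filter parsed with eval, and the same filter parsed with JSON.parse plus a field check. The function names, the allowed fields and the sample inputs are assumptions made for the demonstration.

```javascript
// Added example (not from the article): a request "filter" parameter that a
// page turns into an object. The unsafe version hands the raw string to eval,
// so any expression the caller embeds runs with the page's privileges.
// Assumed scenario: the filter is meant to be a JSON object literal such as
// {"status":"open","limit":10}.

// Side-effect marker used to show that eval actually ran injected code.
let sideEffectCount = 0;
function recordSideEffect() { sideEffectCount += 1; return sideEffectCount; }

// Vulnerable: eval treats the input as program text, not as data.
function parseFilterUnsafe(input) {
  // The wrapping parentheses make "{...}" parse as an object literal.
  return eval("(" + input + ")");
}

// Hardened: JSON.parse accepts only the JSON grammar and never executes code.
// A field check afterwards rejects keys and types the page does not expect.
const ALLOWED = { status: "string", limit: "number" };
function parseFilterSafe(input) {
  const obj = JSON.parse(input); // throws SyntaxError on anything but JSON
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new TypeError("filter must be a JSON object");
  }
  for (const key of Object.keys(obj)) {
    if (!(key in ALLOWED) || typeof obj[key] !== ALLOWED[key]) {
      throw new TypeError("unexpected filter field: " + key);
    }
  }
  return obj;
}

// Constructed inputs: one benign, one that is valid JavaScript but not JSON.
const BENIGN = '{"status":"open","limit":10}';
const INJECTED = '{"status":"open","limit":recordSideEffect()}';

// Runs both parsers over one input and reports what happened to each.
function compare(input) {
  const before = sideEffectCount;
  const unsafe = parseFilterUnsafe(input);
  let safe, safeError = null;
  try { safe = parseFilterSafe(input); } catch (e) { safeError = e.name; }
  return { unsafe, safe, safeError, sideEffectsRan: sideEffectCount - before };
}
```

With BENIGN both parsers return the same object; with INJECTED the eval path runs the embedded call while JSON.parse simply rejects the string as malformed.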

Hopefully I've convinced you that using eval is a bad idea, and you're about to go scour your code looking for instances of it. That's a good start, but eval has cousins that go under different

AgileConnection is a TechWell community.