使用eval（）在JavaScript中执行用户输入的安全风险 [英] Security risks of using eval() to execute user input in JavaScript

问题描述

我打算为学生们整理一个快速网页，让他们了解JavaScript编程。在这个页面上，我想给他们一个文本框，允许他们运行JavaScript，以便他们可以看到工作语言的动态特性。但是，我很清楚在用户输入上使用eval（）通常是一个非常糟糕的主意。我发布这样的页面会带来什么样的安全风险？我应采取哪些措施来减轻这些风险？

I'm planning on throwing together a quick web page for my students to teach them about JavaScript programming. On this page, I'd like to give them a text box and allow them to run JavaScript so that they can see the dynamic nature of the language at work. However, I'm well aware that using eval() on user input is usually a really bad idea. What kind of security risks am I taking on by publishing a page like this? What steps should I take to mitigate these risks?

推荐答案

您正在承担的安全风险是您正在接受输入来自用户并在您网站上的脚本环境中运行它。想象一下，如果你是一个恶意破解者，无论出于什么原因有完全访问权限修改运行在 JavaScript 上的网站。您可以执行在您的域上运行的JavaScript能够执行的任何操作（包括cookie窃取， XSS ，偷渡式恶意软件等。）。

The security risk you're taking, is that you're taking input from the user and running it in the context of a script on your site. Imagine if you were a malicious cracker that for whatever reason had full access to modify the JavaScript running on a website. You can do anything that JavaScript running on your domain would have the ability to do (including cookie stealing, XSS, drive-by malware, etc.).

您唯一可以现实地做的是减轻风险，而不是eval（）用户提供的内容。试图消毒输入只允许安全输入是注定要失败的;几乎不可能定义什么是安全的，甚至更难以实际限制脚本（假设潜在的攻击者有一种解释性的语言来伪装他的意图）。

The only thing you can realistically do to mitigate the risks is to not eval() user-provided content. Attempts to sanitise the input to only allow "safe" input are doomed to failure; it's almost impossible to define what counts as safe, and even harder to actually limit the script to that (given that the potential attacker has an interpreted language with which to disguise his intentions).

请注意，如果这是出于教育目的，那么一种方法就是确保所有安全漏洞无关紧要。糟糕的JavaScript无法破坏您的服务器或从您的银行帐户中窃取资金（当然，除非它在您银行的网页上）。如果托管该网页的网站没有值得窃取的cookie或会话，并且学生知道它只是一种教育资源，我认为没有什么可担心的。大多数攻击依赖于访问存储在您域中的机密信息，或诱骗域访问者以某种方式放弃机密信息（网络钓鱼攻击或类似攻击）。为了您的目的，我认为您会没事的 - 只是不要在真实的网站上这样做。

Mind you, if this is for educational purposes then one approach is just to make sure that all of the security holes don't matter. Bad JavaScript cannot destroy your server or steal money from your bank account (unless it's on your bank's web page of course). If the site hosting the page has no cookies or sessions worth stealing, and students know it's just an educational resource, I don't think there would be anything to worry about. Most of the attacks rely on accessing confidential information stored on your domain, or tricking domain visitors into giving up confidential information somehow (phishing attacks or similar). For your purposes I think you'll be OK - just don't do it on a "real" website.

这篇关于使用eval（）在JavaScript中执行用户输入的安全风险的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！