利用JavaScript的eval()方法 [英] Exploiting JavaScript's eval() method
问题描述
许多开发人员认为应该避免使用JavaScript的 eval()方法。从设计的角度来看,这种想法很有意义。当可以使用更简单,更好的选项时,通常将其用作丑陋的解决方法。
Many developers believe that JavaScript's eval() method should be avoided. This idea makes sense from a design perspective. It is often used as an ugly workaround when a simpler, better option is available.
但是,我不了解有关安全漏洞的问题。当然,运行 eval()使黑客能够运行任何可以运行的JavaScript代码。
However, I do not understand the concerns about security vulnerabilities. Certainly, running eval() gives the hacker the ability to run any JavaScript code that you can run.
但是他们还是不能这样做吗?至少在Chrome中,开发人员工具允许最终用户运行自己的JavaScript。 eval()比开发人员工具更危险吗?
But can't they do this anyway? In Chrome, at least, the Developer Tools allow the end-user to run their own JavaScript. How is eval() more dangerous than the Developer Tools?
推荐答案
正如B-Con所述,攻击者不是坐在计算机上的人,因此可以使用脚本中已经存在的 eval()作为将恶意代码传递给您的方法。网站以某种方式利用当前用户的会话(例如,用户通过恶意链接)。
As B-Con mentioned, the attacker is not the one sitting at the computer so could be using the eval() already in your script as a means to pass malicious code to your site in order to exploit the current user's session in someway (e.g. a user following a malicious link).
eval()的危险是在未经处理的值上执行时,它会导致基于DOM的XSS 漏洞。
The danger of eval() is when it is executed on unsanitised values, and can lead to a DOM Based XSS vulnerability.
例如请考虑在HTML中使用以下代码(人为设计,但可以演示我希望的问题)
e.g. consider the following code in your HTML (rather contrived, but it demonstrates the issue I hope)
<script>
eval('alert("Your query string was ' + unescape(document.location.search) + '");');
</script>
现在,如果查询字符串为?foo 您只需得到一个警告对话框,说明以下内容:您的查询字符串是?foo
Now if the query string is ?foo you simply get an alert dialog stating the following: Your query string was ?foo
但是此代码将允许用户要做的就是将用户从其站点重定向到URL,例如 http://www.example.com/page.htm?hello%22); alert(document.cookie +%22 ,其中www.example.com是您的网站。
But what this code will allow a user to do is redirect users from their site to a URL such as http://www.example.com/page.htm?hello%22);alert(document.cookie+%22, where www.example.com is your website.
这将修改 eval()到
alert("Your query string was hello");
alert(document.cookie+"");
(为清楚起见,我添加了新行)。现在这可能在做些更恶意的事情而不是显示当前cookie值,因为所需的代码只是通过攻击者的链接以编码形式通过查询字符串传递了,例如,它可以在资源请求中将cookie发送到攻击者的域,从而使身份验证会话能够被劫持。
(New lines added by me for clarity). Now this could be doing something more malicious than showing the current cookie value, as the required code is simply passed on the query string by the attacker's link in encoded form. For example, it could be sending the cookie to the attacker's domain in a resource request, enabling the authentication session to be hijacked.
这适用于来自用户/外部输入的,未经验证并直接在 eval()中执行的任何值,而不仅限于此处显示的查询字符串。
This applies to any value from user/external input that is unsanitised and executed directly in the eval(), not just the query string as shown here.
这篇关于利用JavaScript的eval()方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
