利用 JavaScript 的 eval() 方法
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18189496/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Exploiting JavaScript's eval() method
提问by Jared Nielsen
Many developers believe that JavaScript's eval()method should be avoided. This idea makes sense from a design perspective. It is often used as an ugly workaround when a simpler, better option is available.
许多开发人员认为eval()应该避免使用 JavaScript 的方法。从设计的角度来看,这个想法是有道理的。当有更简单、更好的选项可用时,它通常被用作一种丑陋的解决方法。
However, I do not understand the concerns about security vulnerabilities. Certainly, running eval()gives the hacker the ability to run any JavaScript code that you can run.
但是,我不明白对安全漏洞的担忧。当然,运行eval()使黑客能够运行您可以运行的任何 JavaScript 代码。
But can't they do this anyway? In Chrome, at least, the Developer Tools allow the end-user to run their own JavaScript. How is eval()more dangerous than the Developer Tools?
但无论如何他们不能这样做吗?至少在 Chrome 中,开发者工具允许最终用户运行他们自己的 JavaScript。为什么eval()比开发者工具更危险?
回答by SilverlightFox
As B-Con mentioned, the attacker is not the one sitting at the computer so could be using the eval()already in your script as a means to pass malicious code to your site in order to exploit the current user's session in someway (e.g. a user following a malicious link).
正如 B-Con 所提到的,攻击者不是坐在计算机前的人,因此可能会使用eval()脚本中已有的作为将恶意代码传递到您的站点的手段,以便以某种方式利用当前用户的会话(例如,用户关注恶意链接)。
The danger of eval()is when it is executed on unsanitised values, and can lead to a DOM Based XSSvulnerability.
危险eval()在于当它在未经处理的值上执行时,可能导致基于 DOM 的 XSS漏洞。
e.g. consider the following code in your HTML (rather contrived, but it demonstrates the issue I hope)
例如,考虑您的 HTML 中的以下代码(相当人为,但它展示了我希望的问题)
<script>
eval('alert("Your query string was ' + unescape(document.location.search) + '");');
</script>
Now if the query string is ?fooyou simply get an alert dialog stating the following: Your query string was ?foo
现在,如果查询字符串是,?foo您只会收到一个警告对话框,说明以下内容:Your query string was ?foo
But what this code will allow a user to do is redirect users from their site to a URL such as http://www.example.com/page.htm?hello%22);alert(document.cookie+%22, where www.example.com is your website.
但是这段代码将允许用户做的是将用户从他们的站点重定向到一个 URL,例如http://www.example.com/page.htm?hello%22);alert(document.cookie+%22,其中 www.example.com 是您的网站。
This modifies the code that is executed by eval()to
这会修改由eval()to执行的代码
alert("Your query string was hello");
alert(document.cookie+"");
(New lines added by me for clarity). Now this could be doing something more malicious than showing the current cookie value, as the required code is simply passed on the query string by the attacker's link in encoded form. For example, it could be sending the cookie to the attacker's domain in a resource request, enabling the authentication session to be hiHymaned.
(为了清楚起见,我添加了新行)。现在这可能比显示当前 cookie 值更恶意,因为所需的代码只是通过攻击者的链接以编码形式传递到查询字符串上。例如,它可能在资源请求中将 cookie 发送到攻击者的域,从而使身份验证会话被劫持。
This applies to any value from user/external input that is unsanitised and executed directly in the eval(), not just the query string as shown here.
这适用于来自用户/外部输入的任何未清理并直接在 中执行的值eval(),而不仅仅是此处显示的查询字符串。
回答by B-Con
An attacker doesn't have access to the user's browser's Developer Tools. The attacker is likely not the user sitting at the computer.
攻击者无权访问用户浏览器的开发人员工具。攻击者很可能不是坐在电脑前的用户。
The danger of eval()is that an attacker may be able to manipulate data that is eventually run through eval()in other ways. If the eval()'d string comes from an HTTP connection, the attacker may perform a MITM attack and modify the string. If the string comes from external storage, the attacker may have manipulated the data in that storage location. Etc.
危险eval()在于攻击者可能能够操纵最终eval()以其他方式运行的数据。如果eval()'d 字符串来自 HTTP 连接,攻击者可能会执行 MITM 攻击并修改字符串。如果字符串来自外部存储,攻击者可能已经操纵了该存储位置中的数据。等等。
