Why should we be aware of Code Injection in JavaScript?

I was just researching why using the eval() function is bad, and I found one reason to be vulnerability to code injection attacks (post: Why is using the JavaScript eval function a bad idea?).

But my question is, do we necessarily need to be worried about code injection in JavaScript? Because, if any user wants to run any JS script for a website, he can do it by running it in the console.

So, I'm just wondering, what extra harm may it do if anyone succeeds in injecting his code into my JavaScript code?

EDIT
Based on Oleander's answer below, I found one way of vulnerability when we have communications between the browser and the server through AJAX calls. That makes perfect sense. But I may have JavaScript programs which only run in the browser and do not have any communications to the backend, for example a Calculator or a Simple Game. So my supplementary question here is: is there any other reason which can make these programs vulnerable too?

Upvotes: 16

Views: 2464

Answers (2)

SilverlightFox

Reputation: 33538

Well if your code takes a value from the query string and uses it in an eval, an attacker could entice their victim to visit the URL containing the evil query string.

From OWASP:

<script>
function loadObj(){
 var cc=eval('('+aMess+')');
 document.getElementById('mess').textContent=cc.message;
}

if(window.location.hash.indexOf('message')==-1)
  var aMess="({\"message\":\"Hello User!\"})";
else
  var aMess=location.hash.substr(window.location.hash.indexOf('message=')+8);
</script>

The attacker could send an email containing a link or redirect a user visiting their malicious site to the URL

http://example.com/page.html?message=<img onerror="alert(xss)">

Then you have a DOM based XSS attack.

If your game with no backend is on a site with other sensitive information on it, such as user sessions, then it might be possible for the attacker to steal session cookies or grab credentials. It all depends on what the JavaScript has access to. That is, it will have full access to its hosting domain because the Same Origin Policy will restrict it to that. However, if you have other sensitive applications here then they could be compromised. If not, then at worst the attacker could abuse the trust a user has in your site by altering content or monitoring what users do on your site.

Upvotes: 4

Linus Oleander

Reputation: 18127

Security problems occur when a hacker injects harmful code into a JSON request made by a user, which is then evaluated using eval.

Imagine the following code is being run

$.get("/get.json", function(data){
  var obj = eval(data) // String to javascript object
});

The resource looks like this

GET /get.json
{
  some: "data"
}

But an attacker, using a man-in-the-middle attack, replaces the above with

(function(){
  // send document.cookie to attacker
})();

The attacker now has access to the user's session.

Upvotes: 7