Don't use eval, instead call JavaScript Functions using their String name & JavaScript Injection Attacks

Generally, we use the evil eval() method to invoke a JavaScript function whose name is stored in a string variable, but there is a better and safer alternative that doesn't require eval().

Let's assume that we have a function myFunction(str) that takes a variable and prints it.

function myFunction(str) {
  // Fall back to a default name when nothing (or an empty string) is passed.
  str = str || "Anonymous";
  console.log("Hello, " + str + "!");
  return false;
}

Now let's declare a variable that has the function name as a string content and another variable that stores the arguments.

// Name of the function to invoke here.
var fnName = "myFunction";
// The parameter str to pass to this function.
var params = "praveen.science";
// Now let's call the function without using eval.
// In a browser, global functions are properties of window, so the name
// can be used as a property key.
window[fnName](params);

This can be useful for invoking Google Apps Script functions as well. However, since it is server-side code and not a web browser environment, there is no window object, so we use this to refer to the object that contains the function.

this[fnName](params);
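The same name-based dispatch, as an added example that is not part of the original post: instead of indexing window (which would let an unchecked name reach any global), the functions that may be called by name are kept in an explicit registry, and unknown names are rejected. myFunction is adapted to return its greeting so the result can be checked; goodbye, registry, callByName and isCallable are names chosen for this example.

```javascript
"use strict";

// Adapted from the post: returns the greeting instead of only printing it.
function myFunction(str) {
  str = str || "Anonymous";
  return "Hello, " + str + "!";
}

// A second function, constructed for this example, to show the registry
// holding more than one entry.
function goodbye(str) {
  return "Goodbye, " + (str || "Anonymous") + "!";
}

// Registry of functions that may be invoked by name. Object.create(null)
// yields an object with no prototype, so names such as "constructor" or
// "__proto__" do not resolve to inherited properties.
const registry = Object.create(null);
registry.myFunction = myFunction;
registry.goodbye = goodbye;

// True only for a string naming a function we registered ourselves.
function isCallable(fnName) {
  return (
    typeof fnName === "string" &&
    Object.prototype.hasOwnProperty.call(registry, fnName)
  );
}

// Invoke a registered function by its string name. Unknown names throw
// rather than falling through to a lookup on the global object.
function callByName(fnName, ...params) {
  if (!isCallable(fnName)) {
    throw new Error("not a callable function: " + String(fnName));
  }
  return registry[fnName](...params);
}

// Constructed usage: names as they might arrive from a query string.
console.log(callByName("myFunction", "praveen.science")); // Hello, praveen.science!
console.log(isCallable("alert"));     // false: never registered
console.log(isCallable("__proto__")); // false: no prototype to inherit from
```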

This way, it's safe to call functions dynamically and pass the parameters dynamically too. So what's wrong with using eval()? That would be a huge topic to discuss. There's something called JavaScript injection attacks.

JavaScript injection attacks

Lots of sites, including blogs, accept user input. Visitors are invited to enter values into fields and click a button to submit the web form. This might be as simple as leaving a comment on a blog or purchasing a t-shirt with a stolen design.

The fundamental rule in website development is to NEVER TRUST USER INPUT. To say that another way, you should always assume the data on a web form is intended to harm your site. The bad guys have some clever ways of doing this with a plain ordinary browser; they don’t need elaborate tools to try this type of attack. Furthermore, you only need to fail in one spot on your website and you’re done. The shared computer at the local coffee shop will do just fine for their attack vehicle.

Let’s take a look at a simple blog comment. Imagine that your blog contains a form that takes a name and a comment. You’re expecting visitors to enter a value in both fields and click a button. You might even implement some validation to make sure that both fields have a value before the form can be posted.

Now let us put the fundamental rule described above into play: You should never trust user input. While the form will warn the user when the field is missing, visitors can still enter gibberish and there’s little you can do to stop them. It’s a web form, they’re on the website you gave them, and that’s why you moderate comments on a blog. While it’s healthy to see comments from people who agree and disagree with you, you still try to keep the signal-to-noise ratio at a reasonable level.

JavaScript injection attacks are one of the primary reasons you should never trust user input. Let's suppose the blog saves the web form fields to a database. When subsequent visitors request the blog page, all of the comments are shown in chronological order under the blog post. Pretty typical so far, right? Herein lies the rub: suppose instead of a comment, our nefarious visitor entered the following JavaScript:

Everyone who visits the blog page containing the previous JavaScript is going to see a message box that says Hello World. This is an example of one of the most dangerous attacks on the web today. The attack is easy to try, and you only need to miss one place on your entire website to be vulnerable.

If a visitor is able to get your web page to execute their JavaScript, they can do some really bad stuff. For example, they could write JavaScript that lets them impersonate you and perform every task you can do on the website. All you need to do is visit the page (on your own website) that contains their JavaScript. You're likely to read the comments on your blog, so that part is fairly easy, right?

Here’s how they do it: After you sign in, lots of websites will issue a temporary token to you in the form of a cookie. Your browser sends this cookie along with each page request in order to validate who you are. If you close your browser, you might have to sign in again and get a new cookie. Alternatively, the website might have issued a more durable cookie. In this case, the website might have instructed the browser to store the cookie for several days. This is how Google keeps you signed in for several days.

Since JavaScript has access to cookies, the JavaScript written by the bad guys can be written in such a way that it sends your cookie to their website. They'll be waiting for cookies to come in and looking for a juicy one that has a lot of authorization. Once they have it, there's not much you can do, short of turning off the web server. They own your site. Furthermore, there's no email notification of this event. You won't know about it.

Scary stuff huh?

You need to protect your site from these types of attacks. The best practice is to process every byte from a visitor. You should never show raw content provided by an untrusted user. In this case, untrusted users are everyone but you. Since you're at it, why not protect the site from yourself too, just to be sure.

One way of implementing this best practice is to encode fields before they are displayed on the web page. Encoding text will turn a < character into its safer equivalent, the HTML entity &lt;. The JavaScript example above will appear like this:


This encoded JavaScript will not execute in the browser. If you're aware of the potential danger here, you'll delete the comment immediately and review your website for holes. Again, you only have to forget to plug one hole and they've got you.
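Encoding on output, as an added example that is not part of the original post: escapeHtml replaces the characters that carry meaning in HTML with entities, and renderComment applies it to both untrusted fields before building the markup. The function names and the sample comment are constructed for this example; the stored comment carrying a script tag is the scenario the post describes.

```javascript
"use strict";

// Characters that carry meaning in HTML text and attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every special character with its entity in a single pass.
// One pass avoids the ordering bug of chained replaces, where escaping
// & after < would turn an already produced &lt; into &amp;lt;.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML for one stored comment. Both fields come from the
// visitor, so both are escaped; the result is safe to insert as element
// content or inside a double-quoted attribute value. It is not safe to
// drop into a <script> block or a URL, which need their own encoding.
function renderComment(name, comment) {
  return (
    '<div class="comment"><b>' + escapeHtml(name) + "</b>: " +
    escapeHtml(comment) + "</div>"
  );
}

// Constructed sample: the kind of comment the post warns about. After
// encoding, the browser shows the tag as text instead of running it.
const hostile = "<script>alert('Hello World')</script>";
console.log(renderComment("visitor", hostile));
```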

JavaScript injection attacks are a nasty threat to any website that accepts input from visitors. The bad guys already know this, so training the good guys is how we’re going to plug these holes. No doubt they’ll come up with more clever ways of bringing down your site, so keep your skills up to date and spread the knowledge.

Who Are Ronald James?

We are a leading niche digital & tech recruitment specialist for the North East of England. We specialise in the acquisition of high-performing technology talent across a variety of IT sectors including Digital & Technology Software Development.

Our ultimate goal is to make a positive impact on every client and candidate we serve - from the initial call and introduction, right up to the final delivery, we want our clients and candidates to feel they have had a beneficial and productive experience.
