EvalArbitraryCodeExecution
(legacy labels: Attack-Vector)
Execute arbitrary code with access to the global environment, and the local members of the stack frame in which it is called.
eval is described at ES3 15.1.2.1, and parses its argument as a Program, and executes it in its caller's environment.
The Function constructor allows creation of a function given a string body. It will execute in the global scope as described at ES3 section 15.3.2.1.
EcmaScript 262 specifically requires that the global eval method be assignable, so it can be replaced. The Function constructor is available via the 'constructor' property of any function object.
EcmaScript 5 attenuates eval somewhat: it has an eval function that may be aliased, but calls to this "indirect eval" always resolve references in the global scope. So, if Function refers to the built-in Function constructor and evil is an alias to eval, evil('(' + x + ')') ≡ (new Function('return ' + x))() for all strings x that are well formed javascript expressions.
window.eval and/or the Function constructor are accessible and callable. The function constructor is available if any function is available and a function's constructor property is readable.
All interpreters that obey the referenced sections of EcmaScript.
eval('alert("your cookie is " + document.cookie)');
(new Function('alert("your cookie is " + document.cookie)'))();
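The scoping difference between direct and aliased eval, and the reachability of the Function constructor through a function's constructor property, shown as an added example that is not part of the original page. The name scopeProbe and all function names are constructed for illustration; it is useful when checking whether a sandbox that only hides the names eval and Function actually closes these paths.

```javascript
// Constructed probe: a global and same-named locals show which scope each form resolves in.
globalThis.scopeProbe = 'global';

// Direct eval: runs in the caller's environment, so it sees the local.
function directEval(src) {
  const scopeProbe = 'local';
  return eval(src);
}

// Aliased ("indirect") eval: ES5 resolves references in the global scope.
function indirectEval(src) {
  const scopeProbe = 'local';
  const evil = eval;
  return evil('(' + src + ')');
}

// Function constructor: the body also executes in the global scope.
function viaFunction(src) {
  const scopeProbe = 'local';
  return (new Function('return ' + src))();
}

// Same constructor reached without naming eval or Function,
// through the constructor property of an arbitrary function.
function viaConstructorProperty(src) {
  const scopeProbe = 'local';
  const anyFunction = function () {};
  return anyFunction.constructor('return ' + src)();
}

// The global eval is assignable; replacing it leaves the constructor path intact.
function constructorPathAfterEvalReplaced(src) {
  const savedEval = globalThis.eval;
  globalThis.eval = function () { throw new Error('eval disabled'); };
  try {
    return viaConstructorProperty(src);
  } finally {
    globalThis.eval = savedEval;
  }
}
```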