JavaScript eval() Usage on Web Server

Low Nessus Network Monitor Plugin ID 5723
Synopsis

The remote web server is hosting JavaScript that utilizes 'eval()'.

Description

The remote web server utilizes JavaScript on its pages. The 'eval()' function evaluates JavaScript code represented as a string, and is often misused. 'eval()' is a dangerous function because it executes the code it is passed with the privileges of the caller. If you run 'eval()' with a string that could be influenced by a malicious party, you may end up running malicious code on the user's machine with the permissions of your web page or extension. Although some uses of 'eval()' are legitimate, there are safer and sometimes faster alternatives for common use cases.

Solution

Evaluate the JavaScript source code in question for any weaknesses that may put the client or server at risk. If deemed unnecessary, remove any calls to 'eval()' from the affected script.
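The following is an added example, not code from the Nessus plugin or from Tenable. It shows the two eval() patterns that most often trigger this finding (parsing data and dynamic property access), the safer alternative beside each, and a coarse triage helper that lists eval()/Function() calls in a served script so the affected lines can be reviewed. The function names, the allow-list keys and the sample script are constructed for illustration.

```javascript
// Added example (not part of the Nessus plugin page). All names and inputs
// below are constructed for illustration.

// --- Weak: turning server data into an object with eval() ----------------
// Whatever the string contains is executed with the page's privileges.
// Kept only to show the pattern a reviewer looks for.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// --- Hardened: JSON.parse yields data only and rejects anything else -----
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// --- Weak: dynamic property access built from a string -------------------
function getConfigValueWithEval(config, key) {
  return eval('config.' + key);
}

// --- Hardened: bracket access restricted to an allow-list of keys --------
const ALLOWED_KEYS = new Set(['theme', 'language', 'pageSize']); // constructed
function getConfigValue(config, key) {
  if (!ALLOWED_KEYS.has(key)) {
    throw new Error('unknown config key: ' + key);
  }
  return config[key];
}

// --- Triage helper: list eval()/new Function() calls in a script --------
// A textual first pass, not a parser: it reports the line number and text of
// every line containing eval( or new Function( so they can be reviewed.
const EVAL_PATTERN = /\beval\s*\(|\bnew\s+Function\s*\(/;
function findEvalCalls(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    if (EVAL_PATTERN.test(line)) {
      hits.push({ line: idx + 1, text: line.trim() });
    }
  });
  return hits;
}

// --- Constructed demonstration inputs ------------------------------------
// Ordinary data: both parsers accept it.
const benignPayload = '{"theme":"dark","pageSize":25}';
// A string that is code rather than data: eval() runs it, JSON.parse throws.
const codeString = "(function(){ return 'code ran'; })()";
// A served script with two calls the plugin would flag and one that is fine.
const sampleScript = [
  'var cfg = eval("(" + xhr.responseText + ")");',
  'var obj = JSON.parse(data);',
  'var fn = new Function("return " + expr);',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseWithJsonParse(benignPayload));          // { theme: 'dark', pageSize: 25 }
  console.log(parseWithEval(codeString));                  // 'code ran' (the risk)
  try { parseWithJsonParse(codeString); } catch (e) { console.log(e.name); } // SyntaxError
  console.log(findEvalCalls(sampleScript));                // lines 1 and 3
}
```

The point of the triage helper is only to locate candidate lines; whether each call is reachable from attacker-influenced input still has to be judged by reading the surrounding code, which is what the Solution above asks for.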

Plugin Details

Severity: Low

ID: 5723

File Name: 5723.prm

Family: Policy

Published: 2010/12/07

Modified: 2016/11/28

Dependencies: 1442

Risk Information

Risk Factor: Low