
JavaScript eval() Usage on Web Server

Low

Synopsis

The remote web server is hosting JavaScript that utilizes 'eval()'.

Description

The remote web server utilizes JavaScript on its pages. The 'eval()' function evaluates JavaScript code represented as a string, and is often misused. 'eval()' is a dangerous function because it executes the code it is passed with the privileges of the caller. If you run 'eval()' with a string that could be influenced by a malicious party, you may end up running malicious code on the user's machine with the permissions of your web page or extension. Although some uses of 'eval()' are legitimate, there are safer and sometimes faster alternatives for common use cases.
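The following JavaScript is an added example, not part of the plugin text and not Tenable's code. It puts three common 'eval()' patterns next to the safer alternatives the description refers to: evaluating JSON text as code versus JSON.parse(), building a property path by string concatenation versus bracket access, and dispatching to a handler by name versus an explicit allowlist. All function names and inputs (including the sideEffects marker object and the tainted config string) are constructed for illustration.

```javascript
// Object used only to observe whether evaluated text ran as code (constructed).
const sideEffects = { executed: false };

// Misuse 1: "parsing" JSON by evaluating it as JavaScript.
// Any expression embedded in the string runs with the caller's privileges.
function parseConfigUnsafe(text) {
  return eval('(' + text + ')');
}

// Safer replacement: JSON.parse accepts only JSON data and never executes code.
function parseConfigSafe(text) {
  return JSON.parse(text);
}

// Misuse 2: reading a property by concatenating the key into source code.
function getFieldUnsafe(obj, key) {
  return eval('obj.' + key);
}

// Safer replacement: bracket access plus an own-property check, so inherited
// members such as "constructor" are not handed back to the caller.
function getFieldSafe(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Misuse 3: dispatching to a handler by evaluating its name.
function refresh() { return 'refreshed'; }
function logout() { return 'logged out'; }
function runHandlerUnsafe(name) {
  return eval(name + '()');
}

// Safer replacement: a frozen allowlist of callable handlers.
const handlers = Object.freeze({
  refresh: () => 'refreshed',
  logout: () => 'logged out',
});
function runHandlerSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error('unknown handler: ' + name);
  }
  return handlers[name]();
}

// Demonstration with constructed inputs: both parsers agree on well-formed
// JSON, but only eval() executes an expression smuggled into the text.
function demo() {
  const config = '{"theme":"dark","retries":3}';
  const viaEval = parseConfigUnsafe(config);
  const viaParse = parseConfigSafe(config);

  // The comma expression runs as code under eval() and is rejected by JSON.parse.
  const tainted = '{"theme": (sideEffects.executed = true, "dark")}';
  parseConfigUnsafe(tainted);
  const executedByEval = sideEffects.executed;
  let rejectedByParse = false;
  try {
    parseConfigSafe(tainted);
  } catch (e) {
    rejectedByParse = e instanceof SyntaxError;
  }

  return { viaEval, viaParse, executedByEval, rejectedByParse };
}

console.log(JSON.stringify(demo()));
```

When reviewing a flagged script, the question to ask of each call is which of these patterns it matches; in most cases the string being evaluated is data (JSON, a key, a handler name) and can be handled by the safe variant without any loss of functionality.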

Solution

Evaluate the JavaScript source code in question for any weaknesses that may put the client or server at risk. If deemed unnecessary, remove any calls to 'eval()' in the affected script.