# Prohibit eval()

"The eval() method should never be used"

# Background

The eval() method executes a string as JavaScript code. If that string depends on user input, an attacker can use it to execute arbitrary JavaScript code.

Further methods that should never be used are:

  • exec(), since it allows commands to be executed on the system
  • the Function constructor, which also allows JavaScript execution from strings
  • setTimeout() and setInterval(), if a string is passed as the first parameter instead of a function

TIP

Use linter or SAST tools (see here) to disallow the use of such functions.
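As an added example (not part of the original page), the code below shows the safe alternatives for the two most common reasons eval() and string-based setTimeout() creep into code (parsing data from a string, and deferring work), plus a small heuristic line scanner that flags the constructs listed above. The function names and the sample source are constructed for this illustration; the scanner is a teaching aid, not a substitute for the linter rules the tip recommends (ESLint's no-eval, no-implied-eval and no-new-func cover the same patterns).

```javascript
// Untrusted input that only needs to be *data* goes through a data parser, never a
// code evaluator. JSON.parse throws on anything that is not JSON, so a payload that
// contains code is rejected instead of executed.
function parseUntrustedJson(input) {
  try {
    return JSON.parse(input);
  } catch (e) {
    return null; // reject; never fall back to eval()
  }
}

// Deferred work is passed to setTimeout as a function, never as a string.
// `timer` is injectable so the behaviour can be checked without real timers.
function scheduleCleanup(fn, delayMs, timer = setTimeout) {
  if (typeof fn !== 'function') throw new TypeError('callback must be a function');
  return timer(fn, delayMs);
}

// Heuristic scanner for the prohibited constructs (hypothetical helper):
//  - direct eval(...)
//  - new Function(...) / Function(...)
//  - setTimeout/setInterval whose first argument is a string literal (implied eval)
const PROHIBITED = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\b(?:new\s+)?Function\s*\(/ },
  { name: 'implied eval', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

function findProhibitedCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of PROHIBITED) {
      if (re.test(line)) findings.push({ line: idx + 1, rule: name });
    }
  });
  return findings;
}

// Constructed sample source: one violation per category plus the safe equivalents.
const SAMPLE = [
  'const cfg = eval("(" + body + ")");',
  'const cfg2 = JSON.parse(body);',
  'const f = new Function("a", "return a * 2");',
  'setTimeout("refresh()", 1000);',
  'setTimeout(refresh, 1000);',
].join('\n');

console.log(findProhibitedCalls(SAMPLE)); // lines 1, 3 and 4 are flagged
```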

Last Updated: 7/3/2022, 3:51:46 PM