In JavaScript development, Eval is often used in dark areas to execute some code that is not intended to be seen by others.
However, Eval has distinct characteristics and no matter what function it implements, it can be easily observed directly, causing people to be alert.
However, Eval can also have mutated forms, such as the following line, which is also Eval, but can you identify it as such?
Mutated Eval:
window[(14).toString(32)+(31).toString(32)+(10).toString(32)+(21).toString(32)]
Execute:
How could such a strange string be Eval? Let's take a look at the technical principle of mutated Eval:
1.Eval() equals to window.eval().
2.Window.eval() equals to window["eval"].
3."eval" can be decomposed into: window["e"+"v"+"a"+"l"].
4."e"+"v"+"a"+"l" can be written as: (14).toString(32)+(31).toString(32)+(10).toString(32)+(21).toString(32).
5.How do we get the characters in 4? It's like this:
parseInt("e",36) = 14;
parseInt("v",36) = 31;
parseInt("a",36) = 10;
parseInt("l",36) = 21;
6.Finally, Eval is transformed into:
window[(14).toString(36)+(31).toString(36)+(10).toString(36)+(21).toString(36)];
Can it still be used normally? Yes, of course.
Here are two examples:
Example 1:
window[(14).toString(32)+(31).toString(32)+(10).toString(32)+(21).toString(32)]("console.log('test');");
Example 2:
window[(14).toString(32)+(31).toString(32)+(10).toString(32)+(21).toString(32)]("var a=1;var b=2;var c=3;console.log(a+b+c);");
Exexute:
Further mutation:
If the above JS code is obfuscated by JShaman JavaScript Obfuscator, more complex forms can be obtained.
window[(748953 ^ 748951)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](239241 ^ 239273) + (151757 ^ 151762)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](430630 ^ 430598) + (671610 ^ 671600)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](930617 ^ 930585) + (944302 ^ 944315)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](186206 ^ 186238)](";)c+b+a(gol.elosnoc;3=c rav;2=b rav;1=a rav"['\x73\x70\x6c\x69\x74']("")['\x72\x65\x76\x65\x72\x73\x65']()['\x6a\x6f\x69\x6e'](""));
At this point, who would have guessed that this was an eval?
Top comments (14)
That's only half-true. For example, JS itself will tell you it's true:
However, calling
evaldirectly and callingwindow.evaldon't always give identical results. This is due to the special semantics of direct eval:Here's a more complete example:
you are right,professional enough.
Got to love how JavaScript can take forms which look more like cryptic magic spells than the actual code 🙃
JavaScript is cool,my favorite programming language.
So true 😂
you can prevent the accidential use of eval by overloading this function:
it's a good idea!
The lesson to learn here would be: anything could be an eval, cut and paste code carefully.
YES!
Eval is great fun, just be careful to never eval on user-supplied strings for security reasons. Even if you sanitize it, there are still likely holes. One of the safe-eval modules on NPM would be helpful if you need to do such a thing.
This is very true, even if you instantiate functions instead of eval, everything is a prototype with access to the Function constructor. Here is the most common occurrence I see.
then a user searches for something like this
eval is also a code smell. devs use it in frameworks and libraries to be clever, but there is no reason to use it. if you're making something to handle user input, you're better off writing a customer parser to handle your specific use case.
It is still not safe. You can use jspython interpreter (jspython.dev) for safe evaluation within JavaScript (browser or NodeJS)
Nice