Dangerous Functions

Insecure Functions

During the code review we can encounter a lot of functions. Among them there can be some that should be implemented in a very secure manner during to their possibilities or should not be implemented at all.

Eval()

Many modern programming languages implement eval() function which is usually used to execute code provided in a string form. Despite that function often work a little bit different in each programming language it is usually very dangerous to the application and underlying OS itself.

Below you can find a few implementations which will give us basic view on the problem:

JavaScript (XSS possibility)

eval("alert(document.domain)") // execute JS code from a String form

PHP (RCE possibility)

eval("echo 2+2;"); // execute PHP code from a String form
eval("echo exec('touch /tmp/EVAL_RCE');") // RCE

// Other dangerous functions
exec(), passthru(), system(), or shell_exec().

Python

eval("__import__('os').system('id')") # RCE via eval

Java

// Java doesn't have raw eval, but RCE often comes from Runtime.exec
Runtime.getRuntime().exec("touch /tmp/JAVA_RCE");

// With scripting engines (JSR-223)
import javax.script.ScriptEngineManager;
new ScriptEngineManager().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('id')");

Node.js

eval("require('child_process').execSync('id').toString()");

PreviousPrerequisites of Exploitation NextExploitation

Last updated 5 months ago

hashtagInsecure Functions

hashtagEval()

hashtagJavaScript (XSS possibility)

hashtagPHP (RCE possibility)

hashtagPython

hashtagJava

hashtagNode.js