Javascript json eval () injection

I am making an AJAX chat room following a tutorial in an AJAX book, which uses JSON and the eval() function. The chat has a regular chat function and a whiteboard function. When a normal text message comes from the PHP server in JSON format, the JavaScript in the browser does this:

Without Whiteboard Command -------------------------------------------

function importServerNewMessagesSince(msgid) {
    // loadText() is going to return me a JSON object from the server;
    // it is an array of {id, author, message}
    var latest = loadText("get_messages_since.php?message=" + msgid);
    var msgs = eval(latest);
    for (var i = 0; i < msgs.length; i++) {
        var msg = msgs[i];
        displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
    }
    ...
}

Whiteboard drawing commands are sent by the server in JSON format under a special username, "SVR_CMD", so the JavaScript was changed slightly:

With Whiteboard Command -------------------------------------------

function importServerNewMessagesSince(msgid) {
    // loadText() is going to return me a JSON object from the server;
    // it is an array of {id, author, message}
    var latest = loadText("get_messages_since.php?message=" + msgid);
    var msgs = eval(latest);
    for (var i = 0; i < msgs.length; i++) {
        var msg = msgs[i];
        if (msg.author == "SVR_CMD") {

            eval(msg.contents);  // <-- Problem here ...

            // I have a JavaScript drawLine() function to handle the whiteboard drawing.
            // The server command sends a JSON function call like this:
            // "drawLine(200,345,222,333)", and eval() is going to parse and execute it.
            // Isn't this an invitation to a hacker, since anyone in the chat room can
            // insert a piece of JavaScript code and send it using the name SVR_CMD?
        } else {
            displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
        }
    }
    ...
}

The problem: someone in the chat room could send a message under the name SVR_CMD whose contents are JavaScript, e.g. redirectToMyVirusSite() instead of drawLine(200,345,222,333), and eval() would execute it. How should this be handled with JSON?

Does PHP have something like .NET's JavaScriptEncode/escape that would make the JavaScript safe to pass to eval()? Is using JSON with eval() safe at all?

+3
3

Why eval?

To parse JSON in JavaScript:

var obj = JSON.parse(latest)

Then:

[].forEach.call(obj, function( o ) {
    // You can use o.message, o.author, etc.
} )

And in the other direction (JavaScript → JSON):

var json = JSON.stringify(obj)

+8

Why not use a dedicated field rather than a special author name? I.e. {"whiteboard":"drawLine(x,y,z)"} instead of {"author":"SVR_CMD","contents":"drawLine(x,y,z)"}.

And eval() is a bad idea; don't use it. Also, what is "escape" supposed to do there in JavaScript?

message = {
    "author": "...", // carry the information /who/ draws
    "whiteboard": {
         "drawline": [200, 345, 222, 333]
    }
}

(Note: "drawline" here is just the command name.) This can be extended easily.

As for eval(): do the validation server-side. Don't use eval.

+3

Having fixed the eval problem, do not use a field that can be populated by the user (.author in your code) for authentication purposes. Add another field to your JSON message, say .is_server_command, which, if present, would mean special handling of the message. This field will not depend on user input and thus will not be captured by a "hacker".

+1
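A hardened version of the message loop that combines the answers above (JSON.parse instead of eval, whiteboard commands carried as data in a dedicated field, and a server-only is_server_command flag instead of the user-controlled author). This is an added example, not code from the question or any answer; the message shape, the makeUi stub and the SAMPLE payload are assumptions.

```javascript
// Allow-list of whiteboard commands; each validates its arguments and calls the real drawing function.
const WHITEBOARD_COMMANDS = {
  drawline: function (args, board) {
    if (!Array.isArray(args) || args.length !== 4 || !args.every(Number.isFinite)) {
      throw new Error("drawline: expected four numeric coordinates");
    }
    board.drawLine(args[0], args[1], args[2], args[3]);
  },
};

function handleMessages(jsonText, ui) {
  // JSON.parse builds data only; unlike eval() it cannot run code carried in the payload.
  const msgs = JSON.parse(jsonText);
  if (!Array.isArray(msgs)) throw new Error("expected an array of messages");
  const handled = [];
  for (const msg of msgs) {
    // Only the server-set flag marks a command; the user-controlled author field is not consulted.
    if (msg.is_server_command === true && msg.whiteboard && typeof msg.whiteboard === "object") {
      for (const name of Object.keys(msg.whiteboard)) {
        if (!Object.prototype.hasOwnProperty.call(WHITEBOARD_COMMANDS, name)) {
          handled.push("rejected:" + name); // unknown command: ignored, never executed
          continue;
        }
        WHITEBOARD_COMMANDS[name](msg.whiteboard[name], ui);
        handled.push("draw:" + name);
      }
    } else {
      // Chat text is handed to the renderer as data; it must be inserted as text, not HTML.
      ui.displayMessage(String(msg.id), String(msg.author), String(msg.contents));
      handled.push("chat:" + msg.id);
    }
  }
  return handled; // what was done with each message, in order
}

// Hypothetical stub for the page's drawLine()/displayMessage(); records calls instead of drawing.
function makeUi() {
  const log = [];
  return { log, drawLine: (...c) => log.push("line " + c.join(",")),
           displayMessage: (id, a, t) => log.push("msg " + id + " " + a + ": " + t) };
}

// Constructed sample response: a chat line, a user impersonating SVR_CMD, a real command, and an unknown one.
const SAMPLE = JSON.stringify([
  { id: 1, author: "alice", contents: "hello", is_server_command: false },
  { id: 2, author: "SVR_CMD", contents: "drawLine(1,2,3,4)", is_server_command: false },
  { id: 3, author: "server", is_server_command: true, whiteboard: { drawline: [200, 345, 222, 333] } },
  { id: 4, author: "server", is_server_command: true, whiteboard: { eraseAll: [] } },
]);
```

The impersonation attempt (message 2) is rendered as ordinary chat text, and the unknown command (message 4) is dropped rather than executed.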