Detecting eval() Usage

G5 Cyber Security

2 weeks ago

TL;DR

Attackers look for signs of eval() usage by observing application behaviour (slow responses, unusual error messages), analysing network traffic for dynamic code patterns, and scanning source code or decompiled binaries. They also use fuzzing techniques to trigger potential eval() calls.

How Attackers Suspect eval() Usage

Observe Application Behaviour:

Slow Responses: eval() can introduce performance bottlenecks. If an application suddenly slows down when processing specific inputs, it could indicate dynamic code execution.
Unusual Error Messages: Errors related to parsing or executing strings (e.g., syntax errors within dynamically generated code) might reveal the presence of eval(). Pay attention to stack traces that point to string manipulation functions before an error.
Inconsistent Responses: If the same input produces different outputs at different times, it suggests dynamic code generation is happening.

Network Traffic Analysis:

Dynamic Code Patterns: Look for network requests that return strings containing JavaScript or other scripting languages. Attackers will examine these responses to see if they contain potentially executable code.
Encoded Data: eval() often receives encoded data (e.g., Base64). Observing the transfer of encoded strings can be a clue.

Source Code Review/Decompilation:

Direct Calls to eval(): The most obvious sign is finding eval() directly used in the source code.
```
if (user_input) {
  eval(user_input);
}
```
Indirect Usage via Functions: Attackers will search for functions that take strings as input and then execute them using eval() or similar methods (e.g., Function constructor).
String Concatenation: Look for code where strings are dynamically built up, especially if user-supplied data is included in the concatenation process. This can be a precursor to eval().
```
let command = "echo '" + userInput + "';";
eval(command);
```

Fuzzing:

Inputting Special Characters: Attackers will provide inputs containing characters that are likely to cause errors if not properly handled by eval() (e.g., single quotes, double quotes, backslashes).
Injecting Code Snippets: They’ll try injecting simple JavaScript code snippets into input fields and observe the application’s response. For example:
```
alert(1);
```
or
```
console.log('XSS');
```
Testing for Error Handling: Fuzzing can reveal how the application handles errors when eval() encounters invalid code, providing clues about its presence and usage.

Web Application Firewalls (WAF) Bypass Attempts:

Testing Common Payloads: Attackers will use payloads known to trigger eval()-based vulnerabilities in other applications, even if the current application has a WAF.
Encoding and Obfuscation: They’ll attempt to encode or obfuscate their payloads to bypass WAF rules that detect simple eval() calls.