need to understand eval in the code for ajax response - javascript

The following code already exists in one of the javascript files i am working , may i know what does the following do
Its jquery ajax , i saw the response result and its a json string which is manually created by the backend.
I want to know what is eval doing here
success: function (response) {
var response= response.replace(/\\/g, "%5C");
eval(response);
},

eval executes the passed in string as if it were javascript code.
What exactly happens depends entirely on the contents of response.
That is, the value of the response variable that is passed to the eval function gets evaluated as normal javascript.
If response was "alert('Hello from evel!');", you would see an alert box with the text "Hello from evel!".

eval() executes a string as JavaScript code in the context of its execution context. Generally, this means scoped to whatever function it is in.
It is often used to evaluate a JSON string. Note that if you are eval()ing a JSON string, you should wrap it in parenthesis (( & )). The parenthesis means it will always be evaluated as an expression, not a block.

Related

Malware JS : meaning of a line of code : (_0x4f64, 550906), document[_0x35e70a(408)](atob(unescape(_0x35e70a(409))))

In an obfuscated js code, I have this line that I can't understand :
(_0x4f64, 550906), document[_0x35e70a(408)](atob(unescape(_0x35e70a(409))));
Could you explain me this code particularly ?
(_0x4f64, 550906), document[_0x35e70a(408)]
_0x35e70a(408)
This is a function call, passing in 408.
document[_0x35e70a(408)]
This accesses a property on the document object.
(_0x4f64, 550906),
This is just a variable and a number, separated by the comma operator. The comma operator says to evaluate them both, and use the result of the last one. So this is just 550906. But then another comma operator connects it to the document access we saw before, so the 550906 gets ignored too. So basically, this does nothing.
Putting it all together: that code calls a function, then uses the return value to access a property on document.

Save JavaScript script text string as function variable to call it

I am fetching a JS script from a server, and getting the following string back:
(function(e){function t(t){for(var r,a,o=t[0],c=t[1] .....
I want to save it as a function variable so I can call it (and pass an argument).
I tried wrapping the string with a return (as suggested here) and then use Function() constructor to call it in order get the original function, but it returns undefined.
How can I do this?
Did you try eval https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
eval is a function that evaluates even if it is a function in string
something like this
const yourVariable = eval("function fromServerResponse(){console.log('executed');}")

Identify functions in Javascript code, using PHP?

I need to identify the start and end of function definitions (blocks) in Javascript source code, using PHP. I don't need to parse the code, just literally know where the beginning and end of the Javascript code is if I've read it into a PHP string (using file_get_contents() for example, or some other way).
I need to only identify functions defined at the highest level within the global scope of the Javascript code, and also functions defined at that level for JQuery event callbacks, but I need to ignore more embedded functions in the code.
So, e.g.
function my_JS_func()
{
// some code
}
and
$('#button').onclick(click(function(e){
// some code
});
but I need to ignore the $.post callback function in here (but I would pick up func2 as a whole):
function func2()
{
$.post('myURL', {data: mydata}, function(data){
// ignore me
}
}
Obviously I need to identify the text: "function" (unless it's in a string literal for some reason) and I'm assuming I need to keep track of curly braces {} but otherwise, any ideas welcomed!
Many thanks for any suggestions! (Happy to use a PHP lib, 3rd party software or whatever)

Javascript functions embedded in arguments run automatically?

I am investigating defending against various types of attacks and I've found one I don't quite understand.
I have the following html:
<body onload="foo(''/alert(/Gotcha/)/'');">
<script>
function foo(){
alert("Inside Foo");
}
</script>
</body>
</html>
If you run this, you'll see an alert that says "/Gotcha/" followed immediately by one that says "Inside Foo".
What's going on? Why is the alert in the argument (that foo doesn't even have) running?
What's more, if I remove any of those slashes or single-quotes in the argument, it doesn't work.
if I change it to
<body onload="foo('/alert(/Gotcha/)/');">
All I get is "Inside Foo".
if I change it to
<body onload="foo('/alert(Gotcha)/');">
or remove any of the /s I don't get anything.
What is it about the ' and the / that makes this work?
We have a complicated expression there so let's break it up:
foo(''/alert(/Gotcha/)/'');
JS interprets this as a call to a function foo with ''/alert(/Gotcha/)/'' as a parameter (functions in JS do not have hard params, you can send as many as you'd like, even if the function declaration does not specify them)
The parameter is evaluated as the string '' followed by the division character /, followed by the alert function, then another division and another empty string
The parameter for the alert is evaluated since it's not a string, but a regular expression and the string representation is, incidentally, the same as the input regular expression string
The alert is executed with the string representation of the regex to evaluate the parameter for foo and the result of the whole parameter expression is NaN because the strings aren't divisible which doesn't really matter since the function foo does not use it
The function foo is executed.
The reason the argument in the foo call runs is because it is being interpreted as JavaScript. The arguments you are passing in foo(''/alert(/Gotcha/)/'' is essentially 2 strings and in the middle of them is a alert call.
Function arguments are all evaluated before the function is called. So when you write:
foo(alert('/Gotcha/'));
it first evaluates alert('/Gotcha/'), which causes /Gotcha/ to be displayed. Then the return value of alert() is passed as a parameter to foo(). foo() ignores its parameter, but that doesn't matter for the first step.
When you change it to
foo('/alert(/Gotcha/)/');
then the argument is a literal string, not a function call. So evaluating it just returns the string contents, it doesn't call the alert() function.
I can't see any reason why
<body onload="foo('/alert(Gotcha)/');">
would behave any differently from
<body onload="foo('/alert(/Gotcha/)/');">
so I suspect that your actual code has a typo that you didn't copy here. Check your Javascript console for syntax error messages.
Q: "Javascript functions embedded in arguments run automatically?"
A: It has nothing to do with function arguments. The foo function is there to simply add to the confusion of an already obfuscated expression. This is a simply a complicated way of writing an equivalent of:
onload="alert(/Gotcha/)"
which wants to alert the content of /Gotcha/ regex literal.
The regex literal provided in the string of the body onload assignment is simply the passive value of the alert function provided in that same string and has no share in what's going on there.
Everything else is simply a clever way of masking a simple assignment such as the above given onload="alert(/Gotcha/)" line of code.
The only thing that makes it work is the fact that inline event assignments are strings that need to get evaluated in order to get executed.
Therefore eval( ''/alert(/Gotcha/)/'' ) will do the same. Or putting it all back in its original form: eval( "foo(''/alert(/Gotcha/)/'');" ).
So yes, it is possible to execute any kind of string content assigned inline to an element event. But then, so is the setTimeout("foo(''/alert(/Gotcha/)/'');", 1000) capable of doing exactly the same.
So, "no" it has nothing to do with function arguments, but with the parsing of string content to the inline event of document body element.
EDIT:
Inline JavaScript on strings containing html for Images is (for the reasons explained above on why that Gotcha alert works) the most dangerous code injection without the need of user input. That's because image elements can handle onerror events, to which any arbitrary block of code can be executed, as in:
<img
src="http://Idontexist.com/wrongfolder/missingimage.jpg"
onerror="your arbitrary, but well written (malicious) code here!"
>

Hardcode value of a variable in function definition

I have a function that is written on the client side, send to a server as a string, and executed there.
Inside this function I use some, primitive, variable of the client. An example could be
function (obj){
return obj.number == aNumber;
}
where aNumber is an integer variable on the client side, while obj is an object living on the server.
The problem is that being the function executed on the server, the server doesn't have any aNumber variable there, so what I would like to do is to replace aNumber with his actual value, but I don't know how to do that, since the code of the function is actually never executed on the client.
Is there any solution (that possibly doesn't involve parsing the function as String)?
It seems a trivial question but I couldn't find a solution at all.
Since aNumber only exists on the client, that's the only place you can do this.
You can do a substitution (on the client):
var functionString = theFunction.toString();
functionString = functionString.replace(/\baNumber\b/g, aNumber);
...and then send functionString to the server. That assumes this code is running in a context that has access to aNumber, as the function being turned into a string does; and that aNumber is really a number.
But this is a seriously bad idea. Stepping back from the details and looking at the broader picture, I'm sure there's a solution that doesn't involve sending a function to the server to be executed there.

Categories

Resources