JavaScript check for eval(), strings only


Functions that evaluate strings as JavaScript are only a risk when they are actually evaluating and executing strings. However, setTimeout and setInterval can also take function objects and execute them. The 'check for eval()' rule currently catches all uses of these functions. This rule should be fine-tuned to more specifically capture only threats.

Actual Threats:

setTimeout("alert('threat 1');", 0);

var s = 'threat 2';
setTimeout(s, 0);

var f = function() {
    return "alert('threat 3');";
};
setTimeout(f(), 0);   // f() returns a string, which setTimeout then evaluates

Current False Positives:

setTimeout(function() {
    alert('safe 1');
}, 0);

var f = function() {
    alert('safe 2');
};
setTimeout(f, 0);     // f is passed as a function object (call implied by the example), not evaluated as a string

chrisweber wrote Aug 1, 2013 at 8:40 PM

I fully agree - do you have any suggestions for improving the detection as you mentioned? As far as I can tell it would require some advanced logic and likely the use of a javascript interpreter. Thanks for posting this.

I currently use the results to do a quick sight-check. It's far from perfect but gives me a sense of calls that I might need to dig further into.
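A cheap middle ground between the current rule and a full interpreter is a source scanner that looks at the first argument of each eval/setTimeout/setInterval/Function call and classifies it by shape. The block below is an added example written for this thread; it is not part of the tool's own rule set, and every name in it (SINKS, firstArgument, classifyArgument, scanSource, the SAMPLE input) is invented here. String literals are reported as threats, function expressions and arrow functions as safe, and anything else (an identifier, a call such as f(), a property access) as "review", because a static scan cannot tell whether such a value holds a string or a function. That keeps the three "actual threat" shapes from the issue visible (threat 1 as a threat, threats 2 and 3 as review items) while dropping the two "safe" shapes from the report.

```javascript
// Added example: heuristic static classifier for the "check for eval()" rule.
// Not code from the project; all identifiers are invented for illustration.
// eval() and Function() always consume a string, so they are always a threat.
// setTimeout/setInterval are a threat only when the first argument is a string
// literal; a function expression is safe; anything else needs a human look.

const SINKS = /\b(eval|setTimeout|setInterval|Function)\s*\(/g;

// Return the text of the first argument, starting just past the opening "(".
// Tracks bracket depth and quoted strings so a comma inside a nested call or
// inside a string literal does not end the argument early.
function firstArgument(src, start) {
  let depth = 0, quote = null, i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === '\\') { i++; continue; }          // skip the escaped character
      if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') { quote = c; continue; }
    if (c === '(' || c === '[' || c === '{') depth++;
    else if (c === ')' || c === ']' || c === '}') {
      if (depth === 0) break;                     // closing paren of the sink call
      depth--;
    } else if (c === ',' && depth === 0) break;   // end of the first argument
  }
  return src.slice(start, i).trim();
}

// Arrow function heads: "(a, b) =>" or "x =>"
const ARROW = /^(\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>/;

function classifyArgument(sink, arg) {
  if (sink === 'eval' || sink === 'Function') return 'threat'; // always a string
  if (arg === '') return 'review';
  const q = arg[0];
  if (q === '"' || q === "'" || q === '`') return 'threat';    // string literal
  if (/^function\b/.test(arg) || ARROW.test(arg)) return 'safe'; // function object
  return 'review';  // identifier, call result, property access: unknown statically
}

// Scan one source text; returns one finding per sink call with its line number.
function scanSource(src) {
  const findings = [];
  SINKS.lastIndex = 0;
  let m;
  while ((m = SINKS.exec(src)) !== null) {
    const arg = firstArgument(src, m.index + m[0].length);
    const line = src.slice(0, m.index).split('\n').length;
    findings.push({ line, sink: m[1], arg, verdict: classifyArgument(m[1], arg) });
  }
  return findings;
}

// Count verdicts so a report can be summarised at a glance.
function summarize(findings) {
  const counts = { threat: 0, review: 0, safe: 0 };
  for (const f of findings) counts[f.verdict]++;
  return counts;
}

// Constructed sample input, adapted from the shapes listed in the issue.
const SAMPLE = [
  'setTimeout("alert(\'threat 1\');", 0);',
  "var s = 'threat 2';",
  'setTimeout(s, 0);',
  'var f = function() { return "alert(\'threat 3\');"; };',
  'setTimeout(f(), 0);',
  'setTimeout(function() { alert("safe 1"); }, 0);',
  'var g = function() { alert("safe 2"); };',
  'setTimeout(g, 0);',
  'setInterval(() => tick(), 1000);',
  'eval(userInput);',
].join('\n');

const report = scanSource(SAMPLE);
for (const f of report) {
  if (f.verdict !== 'safe') console.log(`line ${f.line}: ${f.sink}(${f.arg}) -> ${f.verdict}`);
}
console.log(summarize(report));
```

Only "threat" and "review" findings are printed, so the two function-object calls disappear from the sight-check list while the identifier and f() cases stay on it with a weaker label. The scanner is deliberately shape-based: it does not follow assignments, so `var s = 'threat 2'; setTimeout(s, 0);` is reported as "review" rather than "threat", which is the honest answer without the interpreter the reply above mentions.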