Saturday, January 9, 2016

What is Dynamic Code Evaluation Attack ?

In PHP, there is a function eval(), which is used to evaluate a string.

For example,

$to = 'Adam';
$from = 'Bob';
$string = 'Hi $to, it is $from here.”
echo $string. “\n”;
eval("\$string = \"$string\";");
echo $string. “\n”;

In the above piece of code, $to and $from will be replaced by 'Adam' and 'Bob' in the eval() function.

So, the output will be :

Hi $to, it is $from here.
Hi Adam, it is Bob here.

A Dynamic Code Evaluation attack is an attack, in which all or part of the input string of eval() gets maliciously controlled by the attacker.

For example, let's consider this piece of code :

$name = 'Adam';
$string = $_GET['arg'];
eval("\$name = \"$string\";");

Here, $string is an input taken from a user and then, the value is assigned to $name.

But, suppose an attacker gives as input 'noname ; system(“ls”)'.

Then, $string will be assigned 'noname; system(“ls”)' and inside the eval() function 'ls' will get called, revealing the list of files in the directory. The attacker may even update, delete or see sensitive files in the server using this vulnerability. And, this is how a Dynamic Code Evaluation attack is perpetrated.

How to prevent Dynamic Code Evaluation Attack ?

We can avoid the usage of eval() as far as possible. The usage of eval() is actually normally discouraged. Try to implement the functionality with some other function.

But, if you think, you must use eval(), then make sure user provided inputs are not directly used as input of eval() function. Instead, we should process the input string and discard suspicious characters carefully and then use it.

So, beware of all the security vulnerabilities and stay safe, stay secured.

No comments:

Post a Comment