Hello and welcome to Secure JavaScript Programming with Vladimir de Turckheim. In the three previous videos of this course, about reflected, DOM-based and stored (persistent) XSS, we saw that injecting nodes into an HTML page can lead to cross-site scripting. Historically, cross-site scripting was mostly about loading an external script from a remote location, which is why it is called that way. The definition evolved, and today it means running arbitrary JavaScript in an application inside a browser. XSS is actually a sub-case of a bigger concept named remote code execution (RCE): you have an RCE when you are able to run arbitrary code on a machine that is not yours, and XSS is the sub-case based on executable things in HTML. In JavaScript there are other ways to obtain remote code execution that are not linked to an HTML page or to any browser capability. We won't inject a malformed image today; we will execute arbitrary code within the JavaScript runtime of a target machine, so this applies to server-side JavaScript as well as browser-side JavaScript. The question is: are there ways to turn an arbitrary string into an executable piece of code in JavaScript? One easy way is to have the browser or Node execute it directly as a script, but we already said that changing the DOM was out of the game this time. So let's find a simple way of exploiting an RCE, for instance in an Express application. I create a new app in index.js, with 'use strict' of course, and in this app I create the stupidest endpoint in the world: on GET /, it does eval(req.query.run) and responds 'ok'.
Then I call app.listen(88). Let's run this piece of code, open a terminal and curl it with ?run=console.log(10). The first attempt does nothing because I forgot to put the port in the URL; with the port, you can see that 10 has been logged: the value we passed as run has been executed. This is a very dummy piece of code that calls the eval JavaScript method within the controller. eval is an interesting method because you can pass any string to it and it will be executed as JavaScript code: if the string were console.log('Hello World'), it would print Hello World. Usually you don't use eval yourself, but some libraries you use do, especially for template rendering. eval is pretty popular when you need to run generated code within an application because it is fast, which is why a lot of libraries that need to generate code quickly use it under the hood. eval is one of the worst methods you can use in your code, and it makes sense to set up a lint rule right now (ESLint's no-eval) to prevent its use. eval has one more interesting property: the code is executed in the context of the current script, so it has side effects on it. The evaluated string can access everything as if you had written the code right there, without eval; it has access to the whole scope.

The second known way of building arbitrary code from a string is the Function constructor. You may not be aware of it, but there is a constructor for functions with the following signature: first the parameter names, as strings, and then the body of the function. So let's do new Function('a', 'b', 'return a + b'). If I do console.log(f(5, 6)), it first logs NaN because of a typo in the body; once fixed, it logs 11. This also enables building arbitrary code from strings.
When the string passed to eval or new Function is built from something the end user controls, you are in trouble. Does the generated code have access to the scope? Does it have access to the context where it was defined? Let's try it. You know the answer, but you can see that new Function does not: eval is more dangerous than new Function because eval knows about the scope it is called from, while new Function only knows the global context. If I log the function itself, or rather its toString(), you can see that the constructor generated an anonymous function and concatenated the right things in the right places.

Now I'm wondering about a lot of things. eval and new Function on end-user input should never be used. If you have to use them, don't use them with concatenated strings; and if you still have to, never concatenate anything coming from the end user: it is borderline impossible to escape inputs safely there. Make sure it is not running in Node.js; there is even a way to disable it globally (the --disallow-code-generation-from-strings flag) and soon there will be a hook you can use to prevent it from being called.

There are two other ways of running arbitrary script in Node.js and the browser: one is Node.js-only, the other is browser-first. Node.js first: there is a module named vm. This module is handy when you want to run arbitrary code in a chosen context. If I do vm.runInNewContext('console.log(10)'), it does not log anything, because console is not bound in the new context. This module lets you choose what the globals are for the execution of the script, but the documentation states that it is not a security mechanism: everything you run here may have side effects on the rest of the code. So once again, don't run arbitrary scripts built from concatenated strings, especially if they come from the user.

The last way to run remote code, this one for the browser, is the import statement. Let's open a web browser.
There is a primitive named import() that accepts a string: import(specifier). It takes a URL as a parameter, executes the script and returns the loaded module. Let me give you an example with Node.js. I create a module lib.js containing export function f() { console.log('Hello'); }. Now in the main module I import it, but not with the import statement: import { f } from './lib.js' is a static import, resolved before anything runs, so it is not really a remote code execution. Instead I do await import('./lib.js'), using top-level await (I'm so proud of that), and the module is loaded and executed. In the browser, the dynamic import resolves URLs, meaning that if you use it with a string concatenated from user input, the URL will vary; and if the URL varies, it can either load an arbitrary script from the outside or load a data: URL and run arbitrary JavaScript.

So the four things I've shown, eval, the Function constructor, the vm module and dynamic import, must not be used in production, and if you do use them, never with any input that comes from the user. You are just opening sinks for anyone to run arbitrary code within your application, whether that is in the browser or in Node.js. I'm terribly sorry for the very dramatic tone, but I've seen so many production applications pwned because of these four methods that I want to make sure you are aware of them. Thanks so much. Please go watch the CSP headers and Trusted Types videos that come next in the course; they are much more fun than this one. Thanks a lot. Have a great day.