Eval Injection

OWASP 2013-A1 OWASP 2017-A1 CWE-95 WASC-20 WSTG-INPV-11

Eval injection is an injection technique in which the attacker sends a crafted URL whose parameter value reaches the eval() function. Because eval() executes its argument as code, the injected code can also run operating system commands. This server does not properly validate user input in the page parameter. PHP has a function that accepts a string and executes it as PHP code: that function is eval().

Example

The following is an example of eval injection:-

        <?php
        $beaglevar = "beaglename";
        // Untrusted value taken straight from the query string.
        $z = $_GET['arg1'];
        // $z is interpolated into the source string, so whatever the
        // request supplies is executed as PHP code by eval().
        eval("\$beaglevar = $z;");

Impact

This vulnerability can have the following impacts:-

  • Data Breach
  • Loss of sensitive information
  • The attacker can get full control over the server.
  • Exploiting databases

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use structured mechanisms. These mechanisms automatically enforce the separation between data and command.
  • Validate the values for commands and their relevant arguments.
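
The following is an added example (not Beagle's code) showing both recommendations applied to the snippet above: the eval() call is removed entirely, the request may only select from a fixed allow-list of operations, and the data argument is validated separately. The function names, the allow-list entries and the validation pattern are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original page. Names and the allow-list are
// assumptions for illustration.

// Vulnerable pattern from the page: untrusted input is spliced into a source
// string and evaluated, so the request decides what code runs.
function setVarUnsafe(array $query): string
{
    $beaglevar = "beaglename";
    $z = $query['arg1'] ?? '';
    eval("\$beaglevar = $z;");
    return $beaglevar;
}

// Structured mechanism: the request can only name an operation from this
// fixed table. The command/data separation is enforced by the table itself.
const ALLOWED_OPS = ['upper', 'lower', 'reverse'];

function setVarSafe(array $query): string
{
    $beaglevar = "beaglename";
    $op = $query['arg1'] ?? '';

    // Validate the command: strict comparison against the allow-list.
    if (!in_array($op, ALLOWED_OPS, true)) {
        throw new InvalidArgumentException("unsupported operation");
    }

    // Dispatch through a lookup table instead of eval().
    $handlers = [
        'upper'   => fn(string $s): string => strtoupper($s),
        'lower'   => fn(string $s): string => strtolower($s),
        'reverse' => fn(string $s): string => strrev($s),
    ];
    return $handlers[$op]($beaglevar);
}

// Validate a data argument on its own: only a short identifier is accepted,
// so the value can be used as data but can never be interpreted as code.
function validateName(string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $value)) {
        throw new InvalidArgumentException("invalid name");
    }
    return $value;
}

// Demonstration on constructed requests standing in for $_GET.
echo setVarSafe(['arg1' => 'upper']), "\n";   // BEAGLENAME
echo validateName('beaglename'), "\n";        // beaglename

try {
    setVarSafe(['arg1' => '1; phpinfo()']);   // constructed bad input
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

setVarUnsafe() is kept only to show the contrast; nothing in the hardened path calls eval(), so a value that is not one of the three allowed operation names is rejected before any code runs. Logging the rejected value (without echoing it back into a page) is a cheap way to detect probing of this parameter.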

Related Articles