Eval Injection

OWASP 2013-A1, OWASP 2017-A1, OWASP 2021-A3, OWASP 2019-API8, PCI v3.2-6.5.1, CWE-95, WASC-20, WSTG-INPV-12

Eval injection is an injection technique in which the attacker supplies a crafted URL whose parameter value ends up inside a call to the eval() function. Because eval() executes whatever code it is given, it can also be made to run operating system commands. The vulnerable server does not properly validate the user input in the page parameter. PHP provides a function, eval(), that accepts a string and executes it as PHP code.


The following is an example of eval injection:-

        <?php
        $beaglevar = "beaglename";
        $z = $_GET['arg1'];           // untrusted value taken straight from the query string
        eval("\$beaglevar = $z;");    // $z is interpolated into PHP source, so its content is executed



This vulnerability can have the following impacts:-

  • Data Breach
  • Loss of sensitive information
  • The attacker can get full control over the server.
  • Exploiting databases

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use structured mechanisms that automatically enforce the separation between data and command, so that user input is only ever treated as data.
  • Validate the values for commands and their relevant arguments, for example against an allowlist of permitted values.
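The plain assignment that the eval() call above was meant to perform, together with both fixes from the list (an allowlist as the structured mechanism, plus validation of the supplied value), as an added example that is not code from the Beagle page; the page parameter, the handler names and the request values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Beagle page. It replaces the eval()-based
// assignment with a plain assignment and applies both recommended fixes to a
// hypothetical "page" parameter: a structured mechanism (an allowlist array)
// and validation of the value before it is used.

/**
 * The intent of eval("\$beaglevar = $z;") is simply to copy arg1 into
 * $beaglevar. A direct assignment does that without ever handing request
 * data to the PHP interpreter as source code.
 */
function assignFromRequest(array $query): string
{
    $z = $query['arg1'] ?? '';
    if (!is_string($z)) {        // ?arg1[]=x arrives as an array; reject it
        return '';
    }
    $beaglevar = $z;             // data stays data
    return $beaglevar;
}

/**
 * Structured mechanism: the only commands that can run are the handlers
 * listed here, keyed by a fixed name. The user value selects an entry;
 * it is never interpreted as code.
 */
function resolvePage($page): ?callable
{
    $allowed = [
        'home'    => static fn(): string => 'home page',
        'contact' => static fn(): string => 'contact page',
    ];
    // Validation: string type required and exact match against the allowlist.
    if (!is_string($page) || !array_key_exists($page, $allowed)) {
        return null;             // unknown or malformed page -> no handler
    }
    return $allowed[$page];
}

// Constructed request (stands in for $_GET). arg1 carries text that would
// have executed under the eval() version; here it is only a string value.
$query = ['arg1' => '1; echo "injected";', 'page' => 'home'];

echo assignFromRequest($query), "\n";        // printed verbatim, never executed
$handler = resolvePage($query['page']);
echo $handler === null ? "404\n" : $handler() . "\n";
var_dump(resolvePage('../admin'));           // rejected by the allowlist
```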
