Java Eval With Untrusted
Description
Detects when untrusted input is passed to JavaScript evaluation engines in Java code, which could allow attackers to execute arbitrary JavaScript code. This creates a significant security risk as malicious JavaScript could access sensitive data or perform unauthorized operations.
Detection Strategy
• Look for method calls that execute JavaScript code (like ScriptEngine.eval(), javax.script.ScriptEngine, etc.)
• Check if the JavaScript code or expressions being evaluated contain or are derived from external input or untrusted data sources
• Flag cases where user-controllable data flows into JavaScript execution methods without proper sanitization or validation
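The three bullets above describe a source-to-sink taint check. The following is an added illustration of that strategy, not part of the original rule or Fluid Attacks' scanner: a small line-based, intra-procedural Python analyzer run over two constructed Java snippets that mirror the page's vulnerable and secure patterns. It treats servlet request accessors as sources, any `.eval(` call as the sink, propagates taint through assignments and string concatenation, and treats an `if (...matcher(var).matches())` guard as a validation step. The source list, the guard heuristic and the sample snippets are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the pattern from the page's vulnerable example,
# with one extra hop (string concatenation) so taint propagation is visible.
VULNERABLE_SRC = """
ScriptEngine engine = manager.getEngineByName("JavaScript");
String script = request.getParameter("script");
String wrapped = "(" + script + ")";
engine.eval(wrapped);
"""

# Constructed sample input: the pattern from the page's secure example
# (allowlist regex checked before the value reaches eval()).
SECURE_SRC = """
ScriptEngine engine = manager.getEngineByName("JavaScript");
String expression = request.getParameter("expression");
if (!SAFE_EXPRESSION.matcher(expression).matches()) throw new IllegalArgumentException("rejected");
engine.eval(expression);
"""

# Untrusted sources: servlet request accessors (assumed list; extend as needed).
SOURCE_RE = re.compile(r"\brequest\.(getParameter|getHeader|getQueryString|getPathInfo)\s*\(")
# Sink: any ScriptEngine-style eval(...) call; group 2 is the argument text.
SINK_RE = re.compile(r"\b(\w+)\.eval\s*\(\s*(.*)\)\s*;")
# Simple Java assignment: optional type, variable name, right-hand side.
ASSIGN_RE = re.compile(r"^\s*(?:final\s+)?(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+?);\s*$")
# Validation guard heuristic: an if-condition running an allowlist regex over the variable.
GUARD_RE = re.compile(r"\bif\s*\(.*matcher\s*\(\s*(\w+)\s*\)\s*\.matches\s*\(\s*\)")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


@dataclass
class Finding:
    line_no: int          # 1-based line of the eval() sink
    line: str             # the sink line itself
    tainted_by: tuple     # variables (or "request") carrying untrusted data into it


def analyze(java_src: str):
    """Return one Finding per eval() call reached by unvalidated request data."""
    tainted = {}      # variable name -> line number where the taint originated
    validated = set() # variables that passed an allowlist guard
    findings = []
    for n, raw in enumerate(java_src.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        guard = GUARD_RE.search(line)
        if guard:
            validated.add(guard.group(1))
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            var, rhs = assign.groups()
            if SOURCE_RE.search(rhs):
                tainted[var] = n                     # direct read from the request
                validated.discard(var)
            else:
                used = [v for v in IDENT_RE.findall(rhs)
                        if v in tainted and v not in validated]
                if used:
                    tainted[var] = tainted[used[0]]  # taint flows through the expression
                    validated.discard(var)
                else:
                    tainted.pop(var, None)           # reassigned from clean data
        sink = SINK_RE.search(line)
        if sink:
            arg = sink.group(2)
            if SOURCE_RE.search(arg):
                findings.append(Finding(n, line, ("request",)))
                continue
            used = tuple(v for v in IDENT_RE.findall(arg)
                         if v in tainted and v not in validated)
            if used:
                findings.append(Finding(n, line, used))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("secure", SECURE_SRC)):
        for f in analyze(src):
            print(f"[{label}] line {f.line_no}: {f.line}  <- tainted by {f.tainted_by}")
```

The analyzer flags the vulnerable snippet at its `engine.eval(wrapped);` line (taint reached it via `script` and then `wrapped`) and reports nothing for the secure snippet because `expression` was guarded before the sink. A real scanner does this on an AST with inter-procedural data flow; the point of the toy is that the rule is a flow question (does request data reach eval() unvalidated?), not a grep for `eval`.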
Vulnerable code example
import javax.script.*;
import jakarta.servlet.http.HttpServletRequest;

public class CodeInjectionExample {
    public void processUserScript(HttpServletRequest request) throws ScriptException {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName("JavaScript");
        // Request data is handed straight to the script engine with no validation
        // (the parameter name "script" is assumed; the original listing was truncated here).
        engine.eval(request.getParameter("script"));
    }
}

✅ Secure code example
import javax.script.*;
import jakarta.servlet.http.HttpServletRequest;
import java.util.regex.Pattern;

public class CodeInjectionExample {
    private final ScriptEngineManager manager = new ScriptEngineManager();
    private final ScriptEngine engine = manager.getEngineByName("JavaScript");
    // Allowlist (assumed completion; the original listing was truncated here): only short arithmetic expressions may reach eval()
    private static final Pattern SAFE_EXPRESSION = Pattern.compile("^[0-9+\\-*/(). ]{1,64}$");

    public Object processUserScript(HttpServletRequest request) throws ScriptException {
        String expression = request.getParameter("expression"); // parameter name assumed
        if (expression == null || !SAFE_EXPRESSION.matcher(expression).matches()) throw new IllegalArgumentException("input rejected by allowlist");
        return engine.eval(expression);
    }
}