Javascript Implied Eval In Timer
Description
Detects potential code injection vulnerabilities in the JavaScript timer functions setTimeout and setInterval when the callback is passed as a string. A string passed to these functions is compiled and executed as code, much as eval() does, so if any part of that string is derived from untrusted input an attacker can inject and run arbitrary JavaScript.
Detection Strategy
• Check for calls to setTimeout or setInterval functions
• Verify if the first argument (callback) is provided as a string instead of a function reference
• Flag the usage as vulnerable since string arguments get implicitly evaluated, enabling potential code injection
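The three steps above, implemented as a small lexical scanner (an added example, not code from the page or from Fluid Attacks' own rules). It assumes plain source text as input; it finds setTimeout/setInterval calls, treats a string or template literal as implied eval, lets visible function expressions pass, and reports anything else (an identifier such as `userInput`, a member access, a call) for review, since without type information a scanner cannot tell whether that value is a string or a function.

```javascript
// Added example (not Fluid Attacks' code): regex-based check for string
// callbacks passed to setTimeout/setInterval. Lexical only, no parser, so it
// is a triage aid rather than a replacement for an AST-based rule.
const TIMER_CALL = /\b(setTimeout|setInterval)\s*\(\s*/g;

// Classify the source text that starts the first argument.
function classifyFirstArg(text) {
  if (/^['"`]/.test(text)) return 'string';                   // "code", 'code', `code`
  if (/^function\b/.test(text)) return 'function';            // function () { ... }
  if (/^\([^)]*\)\s*=>/.test(text)) return 'function';        // (a, b) => ...
  if (/^[A-Za-z_$][\w$]*\s*=>/.test(text)) return 'function'; // x => ...
  return 'review';                                            // identifier, obj.fn, f() ...
}

// One finding per timer call whose first argument is not visibly a function.
function findImpliedEvalTimers(source) {
  const findings = [];
  TIMER_CALL.lastIndex = 0;
  let m;
  while ((m = TIMER_CALL.exec(source)) !== null) {
    const argStart = m.index + m[0].length;
    const kind = classifyFirstArg(source.slice(argStart, argStart + 60));
    if (kind === 'function') continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, fn: m[1], kind });
  }
  return findings;
}

// Constructed sample in the shape of the page's Express handler (hypothetical
// runTask/poll helpers): implied eval on lines 6 and 7, safe callbacks on 8 and 9.
const SAMPLE = `
const express = require('express');
const app = express();
app.get('/api/task', (req, res) => {
  const userInput = req.query.code;
  setTimeout("runTask('" + userInput + "')", 100);
  setInterval(\`poll(\${userInput})\`, 1000);
  setTimeout(() => runTask(userInput), 100);
  setTimeout(function () { poll(userInput); }, 1000);
  res.sendStatus(202);
});
`;

console.log(findImpliedEvalTimers(SAMPLE));
// two findings: line 6 setTimeout and line 7 setInterval, both kind 'string'
```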
Vulnerable code example

```javascript
const express = require('express');
const app = express();
app.use(express.json());
app.get('/api/task', (req, res) => {
  const userInput = req.query.code;
  // ...
```

✅ Secure code example
```javascript
const express = require('express');
const app = express();
app.use(express.json());
app.get('/api/task', (req, res) => {
  const userInput = req.query.code;
  // ...
```