
I'm using Node.js and Socket.io. I've written an application which can send JavaScript snippets from the server and execute them on the client. The JavaScript is sent via Secure WebSocket (WSS), and the client has a listener which will execute any code passed to it via the server.

This short script demonstrates the principle: http://jsfiddle.net/KMURe/ and you can think of the onScript function as the socket listener.

Question

What security protocols can I put in place to make this transaction safe? Would a secure websocket channel make it difficult for a third party to act as a middle man (altering the code before it's sent to the client)?

Some Use Cases:

  • Dynamically assigned distributed computation.
  • Browser client can dynamically learn from the server.
  • Update browser behavior in unison.
  • I don't see why it would be any less secure than HTTPS, but it seems like a strange design. Can't you load all the client scripts up front and have the server just send the name of a function to call? Commented May 7, 2012 at 22:27
  • Yes this is a valid point. This is mostly an experimental idea, I find it an interesting topic... potentially allowing the web-server to send out code as it likes and for the client to learn from this code. I consider the server to be the teacher, and the clients as students. Commented May 7, 2012 at 22:40
  • That does sound interesting. It sort of sounds like the server will decide what to do next based on how the client responds, so there could be some security concerns specific to your problem domain, depending on what that is exactly, but nothing like MITM attacks I think... the protocol should handle that. Commented May 7, 2012 at 22:46

1 Answer


eval(), even if you have legit use, is just dangerous. You should avoid using it at all costs. Use it with care.

However, if it's really needed, then you can use strict mode via the "use strict" command. When eval() is executed in a strict function, the eval's content will not leak into the immediate scope. The code in an eval will be contained in eval() itself (as if it has its own scope). In the demo, try removing the trailing x and eval() will return undefined.

But still, using eval() is dangerous. It's better if you find alternatives like JSON with custom string commands that will be parsed client-side.
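The JSON-with-custom-commands alternative the answer recommends, written out as an added example (this is not code from the question, the answer or the jsfiddle; the message shape `{name, args}`, the handler names `add` and `greet` and the function names are assumptions). The client treats the server's message as data, looks the command up in an allowlist and dispatches only to known handlers; a last function checks the strict-mode eval scoping the answer describes.

```javascript
// What the question describes: the socket listener hands the raw message to
// eval(), so whoever controls the message controls the client.
function onScriptUnsafe(message) {
  return eval(message);
}

// Allowlist of operations the client is willing to perform (assumed names).
// The server can only choose among these; it cannot supply new code.
const handlers = Object.freeze({
  add: (args) => args.reduce((acc, n) => acc + n, 0),
  greet: (args) => `hello ${args[0]}`,
});

// Hardened listener: parse the message as JSON, validate its shape, and
// dispatch to an allowlisted handler. Throws on anything unexpected so the
// caller can log and drop the message instead of executing it.
function handleCommand(message) {
  let cmd;
  try {
    cmd = JSON.parse(message);
  } catch (err) {
    throw new Error("malformed command message");
  }
  if (typeof cmd !== "object" || cmd === null) {
    throw new Error("command must be an object");
  }
  // hasOwnProperty guards against names inherited from Object.prototype
  // such as "constructor" or "toString" being treated as commands.
  if (!Object.prototype.hasOwnProperty.call(handlers, cmd.name)) {
    throw new Error(`unknown command: ${String(cmd.name)}`);
  }
  if (!Array.isArray(cmd.args)) {
    throw new Error("args must be an array");
  }
  return handlers[cmd.name](cmd.args);
}

// The scoping point from the answer: inside a strict-mode function a direct
// eval() gets its own variable environment, so the var it declares is not
// visible afterwards. Returns true when nothing leaked.
function strictEvalDoesNotLeak() {
  "use strict";
  eval("var leaked = 42;");
  return typeof leaked === "undefined";
}
```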


5 Comments

Ironically, the use of JSON in older browsers... requires the use of eval().
@Kolink that counts as one of its legit uses
Some people would disagree (not me personally, just other people) because you could parse the JSON manually, making eval unnecessary.
The evilness of eval is way overrated. It was labelled evil in the early days because it was used inappropriately to evaluate strings in expressions (and lots of other things) where it simply wasn't necessary. JSON, Function called as a function and so on are all more or less equivalent to eval, just use the right tool for the job.
From my understanding eval() is unsafe when there is potential for malicious injection of code. I want to prevent against this malicious injection through the use of a secure socket channel; also I will ensure anything sent from client to server is sanitized. Does this completely remove the evil from eval? (excuse the pun) :)
