1

I want to know the list of functions which are used to evaluate strings to code. For example: in PHP we have the eval function which evaluates a string to PHP code. Input passed into eval without filtering could be used as remote code execution by a user/attacker.

So I'd like suggestions for additions of such functions to compile a list of commonly-used server-side programming languages (Java, Python, PHP and Rails for a start).

Basically my use case is to do white box testing on different platforms, and I want to make sure that I am not missing any functions that could cause code execution on server side.

Fluffy
bhartay
  • "... java, python , php , rails **etc**..." - your question is too broad since you will not restrict yourself to a few languages only. Javascript alone has lots of different ways to execute code, at least in the context of the browser. Also "...which are lets say used to evaluate string to code..." is not very specific either since this implies that you also want to know ways outside of string evaluation, i.e. like writing to a file and then loading the file as code. – Steffen Ullrich Apr 18 '16 at 06:45
  • A simple function list will not be sufficient, because in many languages there are less-obvious ways how code could be evaluated. Your idea for static analysis will not catch them all. – Arminius Apr 18 '16 at 09:16
  • In LISP and some similar functional PLs one could build an arbitrary string and apply an eval on it for execution as code. – Mok-Kong Shen Apr 18 '16 at 11:32
  • @SteffenUllrich - Javascript would execute client side code i.e. XSS, I am particularly interested in functions which execute server side code when string or any input is given to them. I would appreciate it if you can let me know even a couple of functions which are alternatives to eval in other languages. – bhartay Apr 18 '16 at 11:55
  • @bhartay: please edit your question to make it more clear and less broad instead of putting such information into the comments. It might help to add what your actual use case is, i.e. not that you want to have the list but that you intend to use this information for a specific task. This would make it more clear what you actually need. – Steffen Ullrich Apr 18 '16 at 12:33
  • @SteffenUllrich Done. – bhartay Apr 18 '16 at 12:54
  • @bhartay: much better now. I've voted for reopen, let's see if others agree. – Steffen Ullrich Apr 18 '16 at 14:47
  • @bhartay `Javascript would execute client side code` is not necessarily correct. [Node.js](https://nodejs.org/en/) is a popular client-side, JavaScript platform. – Neil Smithline Apr 18 '16 at 17:52
  • @NeilSmithline - I was talking in general. You are right, don't forget Node. – bhartay Apr 19 '16 at 06:47

1 Answer

2

Minor ranting

This is a bit broad, and there may be some that are unknown at present, but there are usually good references out there if you're willing to search for them.

Code execution isn't the only problem. You want to be careful of things that can lead to code execution.

However, and as always, it's important to study these functions to see what they're capable of, rather than just blanket-rejecting them as a vulnerability - especially when there are often legitimate uses for them.

As a penetration tester, your job is to prove there is a vulnerability by creating a Proof of Concept, unless it's glaringly obvious, such as a SQL injection.


Give me the list of all of them!

You want to list all of them? Well, I'm not sure we have such a list... but how about many of them?

  1. PHP - Exploitable PHP Functions
  2. Java - Exploitable Java Functions
  3. Python - Exploitable Python Functions
  4. Ruby on Rails Cheat Sheet
Mark Buffalo
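For the white-box use case in the question, a sink list is normally applied by walking the syntax tree rather than grepping for names. The sketch below is an added example, not code from the question, the answer or the linked references: it checks Python source against a constructed, non-exhaustive sink list, follows import and assignment aliases, and marks whether each call takes only literal arguments. `SINKS`, `SAMPLE`, `dotted` and `find_sinks` are names chosen for this example.

```python
import ast

# Constructed, non-exhaustive sink list: an assumption of this example.
SINKS = {"eval", "exec", "compile", "__import__", "os.system", "os.popen",
         "subprocess.Popen", "subprocess.call", "subprocess.run",
         "pickle.load", "pickle.loads", "yaml.load"}

# Constructed sample input; it is parsed, never executed.
SAMPLE = '''\
import os as o
from pickle import loads
run = eval
handlers = {"calc": eval}
run(user_input)
o.system("uptime")
loads(blob)
handlers["calc"](user_input)
'''

def dotted(node, aliases):
    """Resolve a Name/Attribute chain to 'a.b.c' via the alias table, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([aliases.get(node.id, node.id)] + parts[::-1])

def find_sinks(source):
    """Return sorted (line, sink, 'literal'|'dynamic') tuples for Python source."""
    tree, aliases, hits = ast.parse(source), {}, []
    for node in ast.walk(tree):   # pass 1: imports and simple rebinding
        if isinstance(node, ast.Import):
            aliases.update({a.asname or a.name: a.name for a in node.names})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
        elif isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            target = dotted(node.value, aliases)
            if target in SINKS:
                aliases[node.targets[0].id] = target
    for node in ast.walk(tree):   # pass 2: calls that resolve to a sink
        sink = dotted(node.func, aliases) if isinstance(node, ast.Call) else None
        if sink in SINKS:
            args = [*node.args, *(k.value for k in node.keywords)]
            kind = "literal" if all(isinstance(a, ast.Constant) for a in args) else "dynamic"
            hits.append((node.lineno, sink, kind))
    return sorted(hits)

print(find_sinks(SAMPLE))
```

The dictionary-dispatched call on line 8 of the sample is not reported, which illustrates the comment above that a simple function list will not catch every evaluation path.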