2

I am creating a website that will demonstrate the dangers of XSS. Users will attempt to get JavaScript to execute using an XSS vulnerability.

However, I am running into problems in determining if JavaScript is actually being executed so that I can record that the user was successful. I will be running these checks on a node.js server.

I originally planned to run eval on the parts which would contain JavaScript if the user was successful, but thought that this would be too dangerous as it would be running on the server-side and could get the server exploited.

Are there any ways to using JavaScript to validate if a string is valid JavaScript other than running eval? Or is there a way to run eval without putting my server at risk?

Improve this question

3 Answers 3

Reset to default
5

You could use the esprima javascript parser to see if the string is valid javascript syntax.

Install using npm install esprima.

To use:

var esprima = require('esprima');

var userStringToTest = 'var a = 10;';

var isValid = isValidJs(userStringToTest);

if(isValid) {
  console.log('its valid!');
}
else {
  console.log('its NOT valid!');
}

function isValidJs(testString) {
  var isValid = true;
  try {
    esprima.parse(testString);
  }
  catch(e) {
    isValid = false;
  }
  return isValid;
}

As @FelixKing pointed out in his comment, this of course won't detect runtime errors. For your use case though, it sounds like you should be testing for syntax errors as opposed to runtime errors since that is both more strict and there really shouldn't be valid javascript syntax to begin with.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Of course this will only detect syntax errors, not runtime errors. Depends on what the OP means by "valid JavaScript" I guess.
1

What you need is a JavaScript sandbox, which will isolate their code from the code running it.

There are several to choose from. I've used "Sandbox" before: http://gf3.github.io/sandbox/

Execute their code in the sandbox, see if there were errors, return the output.

Improve this answer

Comments

0

Google Caja would be a good solution for this.

The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website.

There are multiple wrappers that will let you run it on a node server, such as this one: https://github.com/theSmaw/Caja-HTML-Sanitizer

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.