| Details | |
|---|---|
| Alert ID | 220003-1 |
| Alert Type | Tool |
| Status | alpha |
| Risk | High |
| CWE | 94 |
| WASC | |
| Technologies Targeted | All |
| Tags | CWE-94 OWASP_2021_A03 OWASP_2025_A05 TOOL_PTK |
Summary
Detects flows in which an attacker-controlled string reaches a JavaScript code-execution sink such as eval(), Function(), string-based setTimeout()/setInterval(), execScript(), or an assignment to script.text. Because the string is interpreted directly as code, an attacker who controls it executes arbitrary JavaScript in the page's origin without needing HTML or DOM injection.
Generated by OWASP PTK SAST Module
Solution
- Never pass untrusted strings to dynamic code execution APIs (eval, Function, string-based setTimeout/setInterval, execScript).
- Prefer callbacks and safe parsers: pass actual functions to timers, and use JSON.parse or allow-lists for data-driven logic instead of evaluating strings.
- Sanitize and validate any data embedded into script nodes. Treat URL fragments, query parameters, postMessage data, and web storage as untrusted.
- Deploy a strict Content Security Policy that omits 'unsafe-eval': it blocks eval(), Function() and string-based timers outright, so an injected string cannot execute even if it reaches a sink, and the resulting CSP violation reports reveal remaining dynamic-code usage during testing.
Other Info
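The following is an added example, not code from the PTK alert or from any project it scans. It shows a fragment-driven "view switcher" written the vulnerable way (the view name and a state blob from the URL fragment flow into eval) and the hardened way recommended above (allow-list dispatch and JSON.parse). The `views` table, the fragment values and the `globalThis.injected` flag are constructed for the demonstration; the functions take the fragment as an argument so the code runs under Node without a DOM, where a browser page would pass `location.hash`.

```javascript
// Added example (not from the PTK alert page): one code-injection sink, shown
// unsafe and hardened. Fixtures and payloads below are constructed.

// Constructed stand-ins for the page's render functions.
const views = {
  summary: () => 'rendered summary',
  details: () => 'rendered details',
};

function fragmentParam(hash, name) {
  // URLSearchParams percent-decodes the value, as a browser would.
  return new URLSearchParams(hash.replace(/^#/, '')).get(name);
}

// VULNERABLE (CWE-94): the attacker-controlled view name is concatenated into a
// string that is handed to eval. A quote and bracket in the value close the
// intended expression and any appended statements run with page privileges.
function renderFromFragmentUnsafe(hash) {
  const view = fragmentParam(hash, 'view') || 'summary';
  return eval('views["' + view + '"]()');
}

// VULNERABLE: a "JSON-ish" state blob is evaluated instead of parsed, so an
// expression or function call inside it executes.
function readStateUnsafe(hash) {
  const state = fragmentParam(hash, 'state') || '{}';
  return eval('(' + state + ')');
}

// HARDENED: dispatch through an allow-list of own keys. The value is only ever
// used as a lookup key, never as code. (The same idea applies to timers: pass
// the function reference, setTimeout(views[view], 0), never a string.)
function renderFromFragmentSafe(hash) {
  const view = fragmentParam(hash, 'view') || 'summary';
  if (!Object.prototype.hasOwnProperty.call(views, view)) {
    throw new RangeError('unknown view: ' + view);
  }
  return views[view]();
}

// HARDENED: JSON.parse accepts data only; code in the blob is a SyntaxError.
// The parsed object is then reduced to the one field the page expects.
function readStateSafe(hash) {
  const state = fragmentParam(hash, 'state') || '{}';
  const parsed = JSON.parse(state);
  return { page: Number.isInteger(parsed.page) ? parsed.page : 1 };
}

// Constructed attacker fragments. A real payload would exfiltrate data or call
// fetch(); here it sets a flag so the effect is observable.
const viewPayload =
  '#view=' + encodeURIComponent('summary"]();globalThis.injected=true;views["summary');
const statePayload =
  '#state=' + encodeURIComponent('{page:(globalThis.injected=true,1)}');

function errorNameOf(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

// Runs every variant against the payloads and returns the observations.
function demo() {
  const r = {};
  globalThis.injected = false;
  r.unsafeViewOutput = renderFromFragmentUnsafe(viewPayload); // looks normal...
  r.unsafeViewRanPayload = globalThis.injected;               // ...but payload ran
  globalThis.injected = false;
  readStateUnsafe(statePayload);
  r.unsafeStateRanPayload = globalThis.injected;
  globalThis.injected = false;
  r.safeViewError = errorNameOf(() => renderFromFragmentSafe(viewPayload));
  r.safeStateError = errorNameOf(() => readStateSafe(statePayload));
  r.safeRanPayload = globalThis.injected;
  r.safeViewOutput = renderFromFragmentSafe('#view=details');
  r.safeStatePage = readStateSafe('#state=' + encodeURIComponent('{"page":3}')).page;
  return r;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the unsafe render still returns the expected "rendered summary" string after the payload has executed, which is why this class of bug is easy to miss in functional testing; a CSP without 'unsafe-eval' would instead make both eval() calls throw an EvalError in a browser.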
References
- https://owasp.org/www-community/attacks/Code_Injection
- https://cwe.mitre.org/data/definitions/94.html