The Eval That Men Do

A Large-Scale Study of the Use of Eval in JavaScript Applications
  • Gregor Richards
  • Christian Hammer
  • Brian Burg
  • Jan Vitek
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6813)


Transforming text into executable code with a function such as JavaScript’s eval endows programmers with the ability to extend applications, at any time, and in almost any way they choose. But, this expressive power comes at a price: reasoning about the dynamic behavior of programs that use this feature becomes challenging. Any ahead-of-time analysis, to remain sound, is forced to make pessimistic assumptions about the impact of dynamically created code. This pessimism affects the optimizations that can be applied to programs and significantly limits the kinds of errors that can be caught statically and the security guarantees that can be enforced. A better understanding of how eval is used could lead to increased performance and security. This paper presents a large-scale study of the use of eval in JavaScript-based web applications. We have recorded the behavior of 337 MB of strings given as arguments to 550,358 calls to the eval function exercised in over 10,000 web sites. We provide statistics on the nature and content of strings used in eval expressions, as well as their provenance and data obtained by observing their dynamic behavior.


Eval Function Call Site Global Scope Document Object Model Local Scope 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, C., Drossopoulou, S.: BabyJ: From Object Based to Class Based Programming via Types. Electr. Notes in Theor. Comput. Sci. 82(7), 53–81 (2003)CrossRefGoogle Scholar
  2. 2.
    Anderson, C., Giannini, P.: Type Checking for JavaScript. Electr. Notes Theor. Comput. Sci. 138(2), 37–58 (2005)CrossRefzbMATHGoogle Scholar
  3. 3.
    Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged Information Flow for JavaScript. In: Conference on Programming Language Design and Implementation (PLDI), pp. 50–62 (2009)Google Scholar
  5. 5.
    Egele, M., Wurzinger, P., Kruegel, C., Kirda, E.: Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 88–106. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. 6.
    European Association for Standardizing Information and Communication Systems (ECMA): ECMA-262: ECMAScript Language Specification. 5th edn. (December 2009)Google Scholar
  7. 7.
    Feinstein, B., Peck, D.: Caffeine Monkey: Automated Collection, Detection and Analysis of Malicious JavaScript. In: Black Hat USA 2007 (2007)Google Scholar
  8. 8.
    Guarnieri, S., Livshits, B.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: USENIX Security Symposium, pp. 151–197 (2009)Google Scholar
  9. 9.
    Guha, A., Krishnamurthi, S., Jim, T.: Using Static Analysis for Ajax Intrusion Detection. In: Conference on World Wide Web (WWW), pp. 561–570 (2009)Google Scholar
  10. 10.
    Holkner, A., Harland, J.: Evaluating the Dynamic Behaviour of Python Applications. In: Proceedings of the Thirty-Second Australasian Conference on Computer Science, ACSC 2009, vol. 91, pp. 19–28. Australian Computer Society, Inc., Darlinghurst (2009)Google Scholar
  11. 11.
    Jang, D., Choe, K.M.: Points-to Analysis for JavaScript. In: Proceedings of the 2009 ACM Symposium on Applied Computing, SAC 2009, pp. 1930–1937. ACM, New York (2009)CrossRefGoogle Scholar
  12. 12.
    Jang, D., Jhala, R., Lerner, S., Shacham, H.: An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. In: CCS 2010: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 270–283. ACM, New York (2010)CrossRefGoogle Scholar
  13. 13.
    Jensen, S.H., Møller, A., Thiemann, P.: Type Analysis for JavaScript. In: Palsberg, J., Su, Z. (eds.) SAS 2009. LNCS, vol. 5673, pp. 238–255. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Livshits, B., Whaley, J., Lam, M.S.: Reflection Analysis for Java. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 139–160. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Maffeis, S., Mitchell, J.C., Taly, A.: Isolating JavaScript with Filters, Rewriting, and Wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    McCarthy, J.: History of LISP. In: History of programming languages (HOPL) (1978)Google Scholar
  17. 17.
    Ratanaworabhan, P., Livshits, B., Zorn, B.: JSMeter: Comparing the Behavior of JavaScript Benchmarks with Real Web Applications. In: USENIX Conference on Web Application Development (WebApps) (June 2010)Google Scholar
  18. 18.
    Richards, G., Lebresne, S., Burg, B., Vitek, J.: An Analysis of the Dynamic Behavior of JavaScript Programs. In: Programming Language Design and Implementation Conference, PLDI (2010)Google Scholar
  19. 19.
    Rieck, K., Krueger, T., Dewald, A.: Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks. In: Annual Computer Security Applications Conference, ACSAC (2010)Google Scholar
  20. 20.
    Thiemann, P.: Towards a Type System for Analyzing JavaScript Programs. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 408–422. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  21. 21.
    Yue, C., Wang, H.: Characterizing Insecure JavaScript Practices on the Web. In: World Wide Web Conference, WWW (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Gregor Richards
    • 1
  • Christian Hammer
    • 1
  • Brian Burg
    • 2
  • Jan Vitek
    • 1
  1. 1.Purdue UniversityUnited States
  2. 2.University of WashingtonUnited States

Personalised recommendations