You might already know that eval takes a JavaScript expression in the form of a string, evaluates it and returns the value. So, eval('2 + 2') will return 4. Similarly, setTimeout and setInterval can also accept JavaScript expression strings as arguments.

---

If you have any part of the code on server side which evaluates unvalidated user inputs, using either of: eval, setTimeout, setInterval; your app can be vulnerable to Server Side JavaScrip Injection attacks.

Imagine a situation where you have some code like the following, being evaluated on the server-side:

...
eval(unvalidatedUserInput);
...

In such a situation, the app is vulnerable to various forms of SSJSi attacks. Via the unvalidatedUserInput, the attacker might:

1. try to cause a DoS attack; any of these inputs will do: 'while(1)', 'process.exit()'. While the first one will cause an infinite loop and disable the server to respond any further incoming requests, the latter would just kill the running process
2. try to access the filesystem:

 'res.end(require('fs').readdirSync('.').toString())'

The above input would send the attacker the contents of the current working directory

'res.end(require('fs').readFileSync(filename))'

The above input would send the attacker the contents of a particular file

---

A couple of pointers, to avoid SSJSi attacks:

• Always validate user inputs, never assume that your APIs would always be hit with same form of data
• Avoid the usage of eval, and vulnerable forms of setTimeout, and setInterval when you can.

This is not related to specific language and is called Code Injection.

I would recommend this website (Open Web Application Security Project) which contains a lot of vulnerabilities and details on how to prevent them.