You might already know that eval takes a JavaScript expression in the form of a string, evaluates it, and returns the value. So, eval('2 + 2') will return 4. Similarly, setTimeout and setInterval can also accept JavaScript expression strings as arguments.
If any part of your server-side code evaluates unvalidated user input using eval, setTimeout or setInterval, your app can be vulnerable to Server Side JavaScript Injection (SSJSi) attacks.
Imagine a situation where you have some code like the following being evaluated on the server side:
...
eval(unvalidatedUserInput);
...
In such a situation, the app is vulnerable to various forms of SSJSi attacks. Via the unvalidatedUserInput, the attacker might:
'while(1)', 'process.exit()'
While the first one will cause an infinite loop and leave the server unable to respond to any further incoming requests, the latter would just kill the running process.
'res.end(require('fs').readdirSync('.').toString())'
The above input would send the attacker the contents of the current working directory.
'res.end(require('fs').readFileSync(filename))'
The above input would send the attacker the contents of a particular file.
A couple of pointers to avoid SSJSi attacks:
Avoid eval, and vulnerable forms of setTimeout and setInterval, when you can.
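
As an added example (not code from the original article), here is one way to drop eval when a feature only needs arithmetic such as the 2 + 2 case above: parse the input against a small grammar, so the injected strings quoted earlier are rejected instead of executed. The names tokenize, safeCalc and classify, the grammar and the 100-character limit are assumptions made for this illustration.

```javascript
// Added example; tokenize, safeCalc and classify are hypothetical names.
// Accept only numbers, + - * / and parentheses; anything else throws.
function tokenize(input) {
  const src = input.trim(), tokens = [];
  const re = /\s*(\d+(?:\.\d+)?|[-+*/()])/y; // sticky: must match exactly at pos
  for (let pos = 0; pos < src.length; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new Error('rejected: unexpected character at ' + pos);
    tokens.push(m[1]);
  }
  return tokens;
}

// Recursive-descent evaluator: the input is parsed as data, never executed.
function safeCalc(input) {
  if (typeof input !== 'string' || input.length > 100) throw new Error('rejected: bad input');
  const tokens = tokenize(input);
  let i = 0;
  const expr = () => { // expr := term (('+' | '-') term)*
    let v = term();
    while (tokens[i] === '+' || tokens[i] === '-') v = tokens[i++] === '+' ? v + term() : v - term();
    return v;
  };
  const term = () => { // term := factor (('*' | '/') factor)*
    let v = factor();
    while (tokens[i] === '*' || tokens[i] === '/') v = tokens[i++] === '*' ? v * factor() : v / factor();
    return v;
  };
  const factor = () => { // factor := number | '-' factor | '(' expr ')'
    const t = tokens[i++];
    if (t === '-') return -factor();
    if (t === '(') {
      const v = expr();
      if (tokens[i++] !== ')') throw new Error('rejected: missing )');
      return v;
    }
    if (t === undefined || !/^\d/.test(t)) throw new Error('rejected: unexpected token');
    return Number(t);
  };
  const value = expr();
  if (i !== tokens.length || !Number.isFinite(value)) throw new Error('rejected: trailing input or non-finite result');
  return value;
}
// Returns the result as a string, or 'rejected' for anything outside the grammar.
function classify(input) {
  try { return String(safeCalc(input)); } catch (e) { return 'rejected'; }
}
```

Here classify('2 + 2') returns '4', while every input string listed earlier in the article returns 'rejected' because its first character is not a token of the grammar.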