Cross-Site Scripting (XSS)

Description

Cross-site scripting, or XSS, is one of the most common vulnerabilities in web applications. When an application reflects unsanitized user input from data stores, external systems, or HTTP requests into HTML responses, an attacker can trick the application into executing malicious JavaScript in a victim's browser. Passing user-controlled values into insecure JavaScript sinks (DOM-based XSS) has the same effect.

Our use of Rails and our markup rendering pipelines escape untrusted data by default during HTML rendering. Escaping is context-dependent, however, and edge cases still appear: strings explicitly marked as safe, values placed in attribute or URL contexts that plain HTML escaping does not cover, and custom rendering code that bypasses the defaults. Read Rails' security guide on XSS for more specific examples.

We employ various browser features to help mitigate the risk of XSS for our users. For GitHub.com we set Content-Security-Policy (CSP) HTTP headers that restrict where scripts may be loaded from and block inline script, so an injected `<script>` or event handler does not execute within the github.com domain. Additionally, we set the X-XSS-Protection header to instruct browsers to activate their built-in XSS filter; this is a legacy measure, since Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so CSP is the control to rely on. To prevent an XSS exploit from compromising user sessions, access to sensitive cookies from JavaScript is disallowed by setting the HttpOnly flag.
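As an added example (not GitHub's code or configuration), the Ruby script below checks a captured set of response headers for the two controls that matter in the paragraph above: a CSP whose effective `script-src` does not permit inline or wildcard script sources, and session cookies carrying `HttpOnly` (and `Secure`). The two header sets, the cookie name `session` and the host `assets.example` are constructed for the example; the weak set shows the misconfigurations the checker flags and the hardened set passes clean.

```ruby
# Parses a Content-Security-Policy value into { directive => [sources] }.
def parse_csp(header)
  header.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, policy|
    name, *sources = directive.split(/\s+/)
    policy[name.downcase] = sources
  end
end

# Per the CSP spec, a missing script-src falls back to default-src; if
# neither is present, any script source is allowed.
def effective_script_sources(policy)
  policy['script-src'] || policy['default-src'] || ['*']
end

# Source expressions that make script-src ineffective against injected script.
SCRIPT_WEAKENERS = ["'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'http:', 'https:'].freeze

def csp_findings(header)
  policy = parse_csp(header)
  findings = []
  unless policy.key?('script-src') || policy.key?('default-src')
    findings << 'script-src not constrained (no script-src or default-src)'
  end
  sources = effective_script_sources(policy)
  SCRIPT_WEAKENERS.each { |w| findings << "script-src allows #{w}" if sources.include?(w) }
  findings
end

# Each Set-Cookie line looks like "name=value; Path=/; HttpOnly; Secure".
# Only cookies in sensitive_names (session-bearing cookies) are checked.
def cookie_findings(set_cookie_lines, sensitive_names)
  set_cookie_lines.flat_map do |line|
    pair, *attrs = line.split(';').map(&:strip)
    name = pair.split('=', 2).first
    next [] unless sensitive_names.include?(name)
    flags = attrs.map(&:downcase)
    findings = []
    findings << "#{name} missing HttpOnly" unless flags.include?('httponly')
    findings << "#{name} missing Secure" unless flags.include?('secure')
    findings
  end
end

# headers: lowercase header name => value (Set-Cookie is an array, since it repeats).
def audit(headers, sensitive_cookies = %w[session])
  findings = []
  csp = headers['content-security-policy']
  findings << 'no Content-Security-Policy header' unless csp
  findings.concat(csp_findings(csp)) if csp
  findings.concat(cookie_findings(headers.fetch('set-cookie', []), sensitive_cookies))
  findings
end

# Constructed header sets for the example. WEAK permits inline script and any
# https: origin and leaves the session cookie readable from JavaScript.
WEAK = {
  'content-security-policy' => "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
  'set-cookie' => ['session=abc123; Path=/']
}.freeze

HARDENED = {
  'content-security-policy' => "default-src 'none'; script-src 'self' https://assets.example; style-src 'self'",
  'set-cookie' => ['session=abc123; Path=/; Secure; HttpOnly']
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "weak:     #{audit(WEAK).inspect}"
  puts "hardened: #{audit(HARDENED).inspect}"
end
```

The checker deliberately ignores X-XSS-Protection: its presence costs nothing, but a policy review should not count it as a control. Note also that a nonce- or hash-based `script-src` is stricter still than the host allowlist shown in `HARDENED`; the checker treats either as acceptable as long as none of the weakening source expressions appear.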

More about cross-site scripting vulnerabilities from OWASP’s Top 10:

XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM-based XSS.

Recently collected Cross-Site Scripting (XSS) bounties:

1. zlamma (Slawomir Brzezinski), 2500 pts: XSS in commit messages
2. ChALkeR (Сковорода Никита Андреевич), 2500 pts: User-controlled `class` attribute on some Markdown tags
3. kieran (Kieran Huggins), 200 pts: XSS in flight-manual.atom.io
4. arjunv (Arjun V), 1000 pts: Organization creation self-XSS
5. xpn (xpn), 2500 pts: XSS in GitHub Desktop