CodeQL for JavaScript: Unsafe jQuery Plugin

In this course, we will use CodeQL to analyze the source code of Bootstrap, and find unsafe calls to JQuery that could lead to cross-site scripting (XSS) attacks.

Start free course Join 809 others!

Quickly learn CodeQL, an expressive language for code analysis, which helps you explore source code to find bugs and vulnerabilities. During this beginner-accessible course, you will learn to write queries in CodeQL and find critical security vulnerabilities that were identified in Bootstrap, a popular open-source project.

What you'll learn

Upon completion of the course, you'll be able to:

  • Understand the basic syntax of CodeQL queries
  • Use the standard CodeQL libraries to write queries and explore code written in JavaScript
  • Use predicates and classes, the building blocks of CodeQL queries, to make your queries more expressive and reusable
  • Use the CodeQL data flow and taint tracking libraries to write queries that find real security vulnerabilities

What you'll build

You will walk in the steps of our security researchers, and create:

  • Several CodeQL queries that look for interesting patterns in JavaScript code.
  • A CodeQL security query that finds 5 critical security vulnerabilities in the Bootstrap codebase (before it was patched!) and can be reused to audit other open-source projects of your choice.


  • Some knowledge of the JavaScript language and the JQuery library.
  • A basic knowledge of secure coding practices is useful to understand the context of this course, and all the consequences of the bugs we'll find, but is not mandatory to learn CodeQL.
  • This is a beginner-accessible course. No prior knowledge of CodeQL is required.


  • Security researchers
  • Developers
Steps to complete this course 9
  1. Welcome to the course

    Know where to find documentation and help, install CodeQL, setup your IDE.

  2. Your first query

    Finding all calls to the jQuery $ function

  3. Understanding the query, binding objects

    Finding the first argument of all calls to the $ function

  4. Using the jquery predicate

    The CodeQL JavaScript library provides a jquery predicate

  5. Finding jQuery plugin options: property reads

    Finding jQuery property reads

  6. Finding jQuery plugin options: plugins

    Using local data flow analysis to find jQuery plugins

  7. Finding jQuery plugin options: final step

    Using local data flow analysis to find jQuery plugins options

  8. Detecting untrusted data flow sources

    Detecting untrusted data flow sources

  9. Putting it all together: the taint tracking query

    Using global data flow analysis: finalizing the taint tracking query

Share this course
Average time to complete

1545 minutes


All public courses on Learning Lab are free.

Latest release

What is GitHub Learning Lab?

Learn new skills by completing fun, realistic projects in your very own GitHub repository.