What is Cross-Site Scripting (XSS) – Stored Self Vulnerability?

Stored XSS happens when user input is saved on the target server, for example in a database, a message board, a visitor log, or a comment field. A victim then retrieves the stored data from the web application without that data being made safe to render in the browser. With HTML5 and other browser technologies, the attack payload may instead be stored permanently in the victim’s browser, for example in an HTML5 database, and never be sent to the server at all.

The term “self” refers to the idea that the user is attacking themselves. The “XSS” part of the name comes from the acronym for cross-site scripting, because both attacks end with malicious code executing on a legitimate site. Beyond that, the two have little in common: XSS is an attack against the website itself (users cannot protect themselves against it, but the site operator can fix it to make the site more secure), whereas Self-XSS is a social engineering attack against the user (savvy users can protect themselves against it, but the site operator cannot do anything about it).

Example of a Stored XSS Attack


The graphic below assumes that the attacker has already found a stored cross-site scripting vulnerability in the target web application and has a way of tricking the victim into visiting, or otherwise ensuring that the victim visits, the page with the stored payload.

Typical Entry Points for Stored XSS

Stored XSS requires the application to store user-supplied input (making it persistent) and render it within the page. The following are common places where Stored XSS vulnerabilities are found:

  • Message Forums
  • Blog Comments
  • Profile page information
  • Admin portals
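
The store-then-render condition described above, as an added example that is not part of the original article: a comment list rendered once by concatenating stored fields unchanged and once with output encoding, plus a regression check that reports stored fields still present unencoded in the page. All function names and the sample comments are constructed for illustration.

```javascript
// Added example: hypothetical names, constructed sample data.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for rows read back from a comments table.
const storedComments = [
  { author: "alice", body: "Nice write-up, thanks!" },
  { author: 'bob" data-x="1', body: '<script>console.log("constructed")</script>' },
  { author: "carol", body: "5 < 7 && 7 > 5" },
];

// Vulnerable pattern: stored input is concatenated into the page unchanged.
function renderUnsafe(comments) {
  return comments
    .map((c) => `<li data-author="${c.author}">${c.body}</li>`)
    .join("\n");
}

// Hardened pattern: every stored field is encoded at output time.
function renderSafe(comments) {
  return comments
    .map((c) => `<li data-author="${escapeHtml(c.author)}">${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Regression check: list stored fields that contain HTML metacharacters
// and still appear byte-for-byte in the rendered page.
function findRawReflections(comments, html) {
  const hits = [];
  comments.forEach((c, i) => {
    for (const field of ["author", "body"]) {
      if (/[&<>"']/.test(c[field]) && html.includes(c[field])) {
        hits.push(`${i}.${field}`);
      }
    }
  });
  return hits;
}

console.log(findRawReflections(storedComments, renderUnsafe(storedComments)));
console.log(findRawReflections(storedComments, renderSafe(storedComments)));
```

The encoding shown covers HTML element content and quoted attribute values only; stored data placed inside script blocks, URLs, or style contexts needs encoding specific to that context.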

Typical Attack Vectors for Stored XSS

Because an attacker can run JavaScript on the victim’s workstation, XSS can be used to carry out a variety of attacks, or be combined with other web vulnerabilities to exploit a higher-severity security issue:

  • Redirecting the browser
  • Link placement
  • Hooking browsers – BeEF (redirecting vulnerable browsers to exploits)
  • Cookie theft / session hijacking
  • Keylogging
  • Using XSS to steal CSRF tokens
  • Fake login forms
  • Abusing HTML5

The ZOFixer.com security scan helps to find this vulnerability in your software and server. You can use it by registering on our website and activating the 30-day trial.
