Stored Cross-Site Scripting



Stored Cross-Site Scripting (also known as second-order or persistent XSS) arises when a vulnerable web application receives user-supplied input from untrusted sources and stores it in places such as a database, message forum, visitor log, or comment field. The malicious content is then included in later HTTP responses sent by the server. It is the most damaging type of XSS: if an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user's browser within the origin that is vulnerable to XSS.

Attack Scenario

An attacker can inject JavaScript, HTML, or CSS code into victims' responses to take control of their browsers, execute malicious code to steal session cookies, or even redirect them to other pages.


Never put untrusted data into your HTML input unless you follow the rest of the steps below. Untrusted data is any data that may be controlled by an attacker: HTML form inputs, query strings, HTTP headers, and even data sourced from a database, as an attacker may be able to breach your database even if they cannot breach your application.

Before putting untrusted data inside an HTML element, ensure it's HTML encoded. HTML encoding takes characters such as < and changes them into a safe form like &lt;

Before putting untrusted data into an HTML attribute, ensure it's HTML attribute encoded. HTML attribute encoding is a superset of HTML encoding and encodes additional characters such as " and '.

Before putting untrusted data into JavaScript, place the data in an HTML element whose contents you retrieve at runtime. If this isn't possible, then ensure the data is JavaScript encoded. JavaScript encoding takes dangerous characters for JavaScript and replaces them with their hex escape sequences; for example, < would be encoded as \u003C.

Before putting untrusted data into a URL query string, ensure it's URL encoded.
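
The four encoding steps above, applied to one stored comment at output time. This is an added example, not code from the original page; the function names, markup and sample values are assumptions made for illustration.

```javascript
// Added example. Encoder names and the sample values are assumptions, not from the page.
// Constructed sample: a comment and author name as read back from the database.
const storedComment = `"><script>alert(1)</script>`;
const storedAuthor = `Bob & "Eve" <admin>`;

// HTML element context: encode characters that can start a tag or an entity.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return String(s).replace(/[&<>]/g, c => map[c]);
}

// HTML attribute context: superset of HTML encoding, also covers " and '.
function attrEncode(s) {
  return htmlEncode(s).replace(/["']/g, c => (c === '"' ? '&quot;' : '&#39;'));
}

// JavaScript string context: every non-alphanumeric UTF-16 unit becomes \uXXXX,
// so quotes, backslashes, line breaks and </script> cannot end the string early.
function jsEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// URL query string context: percent-encode the value, not the whole URL.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// Each stored value is encoded for the context it lands in, at output time.
function renderComment(comment, author) {
  return [
    `<p>${htmlEncode(comment)}</p>`,
    `<input name="author" value="${attrEncode(author)}">`,
    // Preferred for JavaScript: park the data in an element and read it at runtime.
    `<div id="c" data-comment="${attrEncode(comment)}"></div>`,
    `<script>var viaDom = document.getElementById("c").dataset.comment;</script>`,
    // Fallback when that is not possible: JavaScript-encode into a string literal.
    `<script>var inline = "${jsEncode(comment)}";</script>`,
    // The URL sits inside an attribute, so it is URL encoded, then attribute encoded.
    `<a href="/search?author=${attrEncode(urlEncode(author))}">more</a>`,
  ].join('\n');
}

console.log(renderComment(storedComment, storedAuthor));
```

The same stored string produces four different encodings, which is why encoding belongs at the point of output for a known context rather than once at the point of storage.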

ID: 30003