Stored XSS

A cross-site scripting variant where the malicious script is permanently stored on the target server and executes for every user who views the affected content.

Stored cross-site scripting (XSS), also called persistent XSS, occurs when an application stores user-supplied input containing malicious script and later serves it to other users without proper encoding. Unlike reflected XSS, which requires a victim to click a crafted link, a stored XSS payload executes automatically for every user who views the affected page, which makes the attack significantly more dangerous and scalable.

How It Works

The attack begins when an attacker submits malicious JavaScript through any input that gets stored and displayed to other users. Common injection points include comments, forum posts, user profiles, product reviews, support tickets, and any user-generated content feature. If the application stores the input without sanitization and renders it without output encoding, the script is embedded in the HTML served to every subsequent visitor.

When a victim's browser loads the page containing the stored payload, it executes the JavaScript in the context of the application's origin. The script has access to the victim's session cookies (unless HttpOnly is set), can read and modify page content, redirect the user, capture keystrokes, and make authenticated API requests on the victim's behalf. A stored XSS payload in a high-traffic area of an application can compromise hundreds or thousands of user accounts within hours.

The impact can extend beyond individual account takeover. A stored XSS payload targeting an administrator panel can compromise every admin who views it, potentially granting the attacker full control over the application. Self-propagating XSS worms use stored XSS to automatically post the payload from each compromised user's account, creating an exponential spread across the platform. Some of the most notable web security incidents have involved stored XSS worms.
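The store-then-render flaw described above, next to its output-encoded fix, as an added example that is not code from this page or from any real application. The in-memory comment store, the function names, and the two inert sample inputs are assumptions constructed for illustration.

```javascript
// Added example: constructed in-memory comment store (stands in for a database table).
const comments = [];

// Input is stored exactly as submitted; encoding belongs at output time.
function saveComment(author, body) {
  comments.push({ author, body });
}

// VULNERABLE: stored values are concatenated straight into the HTML,
// so every visitor receives whatever markup a previous user submitted.
function renderUnsafe() {
  return comments
    .map(c => `<li title="${c.author}">${c.body}</li>`)
    .join("\n");
}

// Encode the five characters that can change the HTML parsing context.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// HARDENED: each stored value is encoded at the point it is written into HTML.
function renderSafe() {
  return comments
    .map(c => `<li title="${escapeHtml(c.author)}">${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Regression check: list stored values containing HTML metacharacters
// that reached the rendered page verbatim (i.e. unencoded).
function rawValuesIn(html) {
  return comments
    .flatMap(c => [c.author, c.body])
    .filter(v => /[&<>"']/.test(v) && html.includes(v));
}

// Constructed sample input: one ordinary comment, one with an inert marker
// script in the body and an attribute break-out attempt in the author name.
saveComment("alice", "Great post!");
saveComment('bob" onmouseover="void(0)', "<script>document.title='xss-marker'</script>");

console.log("unencoded values, unsafe render:", rawValuesIn(renderUnsafe()).length);
console.log("unencoded values, safe render:  ", rawValuesIn(renderSafe()).length);
console.log(renderSafe());
```

This encoder covers HTML element content and quoted attribute values only; stored data written into script blocks, URLs, or CSS needs the encoding for that context.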

Why It Matters

Stored XSS is considered one of the most severe web vulnerabilities because it requires no victim interaction beyond normal application usage, persists until explicitly removed, and can affect every user who encounters the infected content. Security assessments test all stored input fields for XSS because the combination of persistence, automated execution, and access to the trusted origin creates consistently critical impact.
