Once the malicious code is injected, the server keeps sending it back, even if the victim visits the website from different devices at different times, because the payload is stored in the database.
Let's see an example.
site.com has a registration form that takes name, email and password as input. When the submit button is clicked, the browser sends a request like the one shown below.
POST /register.php HTTP/1.1
Host: site.com

firstname.lastname@example.org&password=mySecret
After successful registration, the website shows a welcome message such as:
Welcome, Rahul !
So here, all the details (name, email, password) are stored in the database, and the website fetches those details and displays them on a web page.
An attacker may enter the name as
rahul<script>alert('This is Stored XSS')</script>
Every user who views a page that displays this name will run the injected script; a real payload would steal the victim's cookies rather than pop an alert.
This is a simple example of Stored XSS. In practice, websites usually have some XSS protection, and the attacker has to bypass those restrictions. A WAF (Web Application Firewall) provides XSS protection, but attackers can bypass a WAF by analyzing how the application works and constructing more complicated payloads.
- Because the malicious code is stored, it has more impact than Reflected XSS.
- A single stored XSS attack can affect many users (which is generally not possible with reflected XSS).
- If the victim is a highly privileged user (such as an admin), it may lead to full website compromise.
- The injected script can send the victim's cookies to the attacker's server and hijack the session.
- XSS can be used to bypass CSRF tokens.
- Never trust user input; validate it strictly against the expected format.
- Use HTML entity encoding.
- Any output generated from user input should be encoded before it is put into an HTML page, so that the browser does not treat it as active content.
- HTML encoding converts
&, <, >, ", ', / into
&amp;, &lt;, &gt;, &quot;, &#x27;, &#x2F;
- Use HTTP response headers.
- XSStrike: an advanced XSS scanner.
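As an added example (not code from the original page), the following Python simulates the registration flow described above with an in-memory "database", renders the welcome message both unencoded and with the entity encoding from the mitigation list, and shows why the stored payload reaches every visitor until output encoding is applied. The store, the page templates and the helper names are constructed for illustration.

```python
import html
from typing import Dict

# Simulated user table (constructed stand-in for the page's database).
USERS: Dict[str, str] = {}

# Entity map for the six characters the mitigation list names,
# as recommended for text placed inside HTML element content.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def html_encode(value: str) -> str:
    """Entity-encode untrusted text so the browser treats it as data, not markup."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def matches_stdlib_escape(value: str) -> bool:
    """Check that html_encode agrees with html.escape for & < > \" ' (the stdlib
    helper does not encode '/', so compare only on input without slashes)."""
    return html_encode(value) == html.escape(value, quote=True)


def register(email: str, name: str) -> None:
    """Store the name exactly as submitted; storage itself is not the bug,
    the later unencoded rendering is."""
    USERS[email] = name


def render_welcome_vulnerable(email: str) -> str:
    """Vulnerable: the stored name is concatenated into the page unencoded,
    so every visit re-serves the injected script."""
    return f"<h1>Welcome, {USERS[email]} !</h1>"


def render_welcome_safe(email: str) -> str:
    """Hardened: the stored name is entity-encoded at output time."""
    return f"<h1>Welcome, {html_encode(USERS[email])} !</h1>"


def contains_script_tag(page: str) -> bool:
    """Crude detection check: does the rendered page contain a literal <script element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    victim_email = "firstname.lastname@example.org"
    register(victim_email, "rahul<script>alert('This is Stored XSS')</script>")
    # Two separate "visits" hit the same stored record, so both render the payload.
    for visit in (1, 2):
        print(f"visit {visit} (vulnerable):", render_welcome_vulnerable(victim_email))
    print("hardened:", render_welcome_safe(victim_email))
```

The encoder is applied where the data leaves the server for the page, not where it enters; validating input is still worthwhile, but output encoding is what makes the stored value inert in an HTML context regardless of how it got into the database.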