So far we have looked at the reflected XSS attack, how an XSS payload is created, basic HTML, etc. Let's now look at what a stored XSS attack is, with some examples. Once you know what reflected XSS and stored XSS are, I will show the difference between the two attacks and more advanced ways to find XSS, such as HTTP header XSS and other input parameters where you can try to inject your payload.
What is Stored XSS Attack
Stored XSS, also known as persistent XSS, is a type of XSS in which the attacker's script or malicious code is stored on the server side rather than being reflected back from the client's request. The attacker submits the malicious code, the server saves it as user input, and it is sent to and executed in the client's browser every time the vulnerable data is requested.
Let’s take a look at a basic example.
You are creating a new account on Facebook. Facebook asks for your first name, last name, email, etc. When you enter all the details and click submit or sign up, your name and all the other details are saved on Facebook's server, and when you log in to your Facebook account and go to your profile, Facebook shows you the user name that you gave and that is stored on the server.
Suppose that while creating the Facebook account you find that the first name input is vulnerable to XSS, and instead of your first name you enter an XSS payload, fill in the other details as normal, and click submit. Facebook will now save your first name as the XSS payload, and every time you log in to your account Facebook will show you your name; since your name is a script, it will be executed in your browser.
To carry out your XSS attack as stored XSS you need to find a parameter or input that is stored on the server side, such as your username, last name, email address, mobile number, a comment option on the website, or any other field that lets you type something that is stored on the server and displayed back later.
Let's take an example to execute our script as stored XSS: DVWA Stored XSS (low security)
Open the DVWA vulnerable site and click on Stored XSS with the security level set to low. You can see that it is a comment section which asks for your name and your message. You can guess, or confirm, that our name and message will be stored on the server: to confirm it, enter any name and message, click Sign Guestbook, and then refresh.
You can see that our name and message are stored on the server, because every time we refresh, our message and name are displayed on this page (on a real website this is the comment page, where your comment is displayed every time you refresh or visit). Now every time anyone visits this specific page they will see our comment. Right-click, view the page source, and search for our comment, hello or hacker.
Now we don't know which input field is vulnerable to XSS, whether it's the message or the name, but based on the source code we will create a payload like we did in part 3; if you have no idea about it, please check it out. First try to execute a basic, simple payload without trying to do anything fancy.
Now go back from the source code to our main page and try to enter the XSS payload in each field, one by one.
Click on the name field and enter <script>alert(1)</script>
You will notice that you are not allowed to type any more after 4 or 5 characters, which means there is some protection against such attacks. There are ways to bypass it, but for now enter any name in the name field, enter our script <script>alert(1)</script> in the message field, and click Sign Guestbook.
Now you can see that our code is executed. Click on any other page, such as DOM XSS, then click on Stored XSS again, and you will see our code executed again, because our comment is stored on the server and every time we visit this page the server gives us all the content for this page, including our comment, which is a script. Anyone who visits will see this popup.
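The guestbook behaviour described above, as an added example that is not part of the original post or of DVWA's own code: a minimal in-memory guestbook stores the submitted comment once, the vulnerable render concatenates it straight into HTML so the stored `<script>` comes back on every page load, and the hardened render applies HTML output encoding so the same stored text is displayed instead of executed. The `Guestbook` class and `demo` function are constructed for this illustration.

```python
import html
from dataclasses import dataclass, field

# Constructed payload: the same probe the DVWA walkthrough above uses.
PAYLOAD = "<script>alert(1)</script>"


@dataclass
class Guestbook:
    """Stand-in for the DVWA guestbook: every signed entry persists server-side."""
    entries: list = field(default_factory=list)

    def sign(self, name: str, message: str) -> None:
        # The server stores the raw input; storing alone is not the bug.
        self.entries.append((name, message))

    def render_unsafe(self) -> str:
        # Vulnerable: stored input is concatenated straight into the HTML,
        # so a stored <script> runs in every visitor's browser, on every visit.
        return "".join(
            f"<div>Name: {name}<br>Message: {msg}</div>" for name, msg in self.entries
        )

    def render_safe(self) -> str:
        # Hardened: output encoding at render time turns '<' into '&lt;',
        # so the browser shows the payload as text instead of executing it.
        return "".join(
            f"<div>Name: {html.escape(name)}<br>Message: {html.escape(msg)}</div>"
            for name, msg in self.entries
        )


def stored_payload_visits(book: Guestbook, visits: int) -> int:
    """Count how many page loads would deliver the stored payload intact (unsafe render)."""
    return sum(PAYLOAD in book.render_unsafe() for _ in range(visits))


def demo() -> dict:
    book = Guestbook()
    book.sign("hacker", PAYLOAD)  # one submission, as in the walkthrough
    return {
        "unsafe_hits": stored_payload_visits(book, 3),          # 3: fires on every load
        "safe_contains_script": PAYLOAD in book.render_safe(),  # False after encoding
        "safe_snippet": book.render_safe(),
    }


if __name__ == "__main__":
    print(demo())
```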