Stored XSS
| CWE | CWE-79 |
| Tools | dalfox |
| Difficulty | 🟡 intermediate |
Exploit Stored XSS​
Stored XSS occurs when malicious input is permanently saved in the application's storage (database, filesystem, cache) and later displayed to other users. This is significantly more dangerous because it does not require social engineering -- every user who views the content is affected.
Technical flow:
- You submit a malicious payload through any input channel
- Application stores the payload in persistent storage
- Other users request pages that include the stored data
- Server retrieves and includes the payload in responses
- Victims' browsers execute the payload automatically
High-Value Storage Locations​
Test all fields that are displayed to other users:
Profile-Based Injection:
- Display name / Username
- Bio / About section
- Location
- Website URL
- Avatar filename
- Custom status
- Job title
- Company name
Comment/Message Injection:
- Plain text comments
- Markdown-enabled fields
- Rich text editors
- File attachment names
- Link previews
Second-Order Injection (payload stored in one location, triggered in another):
- Email address displayed in admin user management or logs
- User-Agent header displayed in analytics dashboards
- Filename displayed in file manager
- API key names displayed in settings
- Error messages that display user input
- Log entries rendered in admin panels