Web Applications Attacks: Stored XSS


Persistent, or stored, XSS is a type of XSS vulnerability that differs from reflected XSS in that the payload (the injected code) is stored. Once inserted into a page, it remains there and executes forever on the page. This is sneakier than its reflected counterpart because most of the time the victim is simply unaware that malicious code is running on the affected website, which makes it an excellent option for XSS worms.

I think that some of you may be aware of the Samy worm, which exploited an XSS filter vulnerability in MySpace to create a persistent XSS scenario in which thousands of victims unknowingly executed the wormable JavaScript code, which in turn spread the code further.

Stored XSS vulnerabilities are much more common in places where data is saved for a longer time, such as comment sections, messaging features, and similar places. These are good locations to check for stored XSS issues.

Put simply, stored XSS attacks are those where the injected code (JavaScript) is permanently stored on the target website, such as in a database, a message forum, a visitor log, a comment field, etc. The victim then retrieves the malicious script from the server when requesting the stored data. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.
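The store-then-serve flow described above, shown from the defender's side as an added example that is not part of the original article: the same stored comment is rendered once without encoding and once with HTML output encoding. The in-memory array standing in for the database, the function names, and the sample comments are all assumptions made for illustration.

```javascript
// Added example: an in-memory array stands in for the database table of comments.
const commentStore = [];

// Storing is identical in both variants: the raw text is persisted as submitted.
function saveComment(author, body) {
  commentStore.push({ author, body });
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: stored fields are concatenated into the page as markup.
function renderCommentsUnsafe() {
  return commentStore
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Hardened rendering: every stored field is encoded at output time, so old rows
// that were saved before the fix are neutralised as well.
function renderCommentsSafe() {
  return commentStore
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Constructed sample data: one ordinary comment, one carrying a harmless test marker.
saveComment("alice", "Nice article!");
saveComment("mallory", "<script>alert(1)</script>");

// The stored row is served to every later visitor, not only to the submitter.
const pageForVisitorA = renderCommentsUnsafe();
const pageForVisitorB = renderCommentsUnsafe();

console.log("unsafe page carries a live script tag:", pageForVisitorA.includes("<script>"));
console.log("safe page carries a live script tag:  ", renderCommentsSafe().includes("<script>"));
console.log(renderCommentsSafe());
```

Encoding at output rather than only filtering at input matters here because the data is already persisted: a filter added later does nothing for rows saved before it existed.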

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]