1. Home
  2. Training Library
  3. Introduction to Cross-Site Scripting Attacks

Stored XSS


Cross-Site Scripting Attacks
XSS Intro
Reflected XSS
PREVIEW12m 54s

The course is part of this learning path

Start course

This course covers cross-site scripting (XSS) attacks, which are important to know about for anyone interested in ethical testing or bug bounty hunting. We'll cover reflected XSS, reflected AJAX XSS, and stored XSS.


Hi, within this lecture, we're going to cover XSS attacks but this time we're going to focus on the stored one. So, we have covered the reflected, now I'm going to go into the stored and just say hack and here we go. We have been presented with the same form actually that we have seen in the HTML injection, right? So, I'm going to delete this and submit this so that we can start fresh. So, I'm going to start fresh over here. So, this is a storage XSS vulnerability and as we have seen in the HTML injection, it stores the code that we have injected in the server so everyone will be presented here even though it is not going to be run, executed in the server, even though it's going to be executed on the client, on the browser over here, the code itself will be stored in the server or in the database. So, whenever someone visits there, they will be executing that code with knowing or without knowing it, okay? So, this is basically the same thing like HTML Stored Injection but this time we're focusing on not the HTML side of the things, but the JavaScript side of the thing so that we can get malicious. Even if they can actually inject an XSS like a JavaScript code in your browser, they can even try to mine Blockchain or Bitcoin or something like that, okay? So, let me try to run the script and say alert hacked and try to edit this and see if it works. As you can see I didn't use any semicolons right now and it works actually. Now, it starts over here. If I refresh this page, I can see the whole thing one more time. Even though we cannot see anything on this entry side, we can still see the alert dialog popping up, so it means that JavaScript can be run or can be executed on a victim machine like this, so anyone will be visiting this will be presented with a hacked dialog box. This is even itself as malicious as it can get because no one will ever want to visit that website one more time if they see something like this, okay? And remember  XSS vulnerabilities are pretty common as well, so we are seeing the fundamentals of these vulnerabilities, but they will actually work in the same way in the real bug bounty and you can find a lot of bug bounties. You can regain a lot of reverse like this. So, I'm going to delete this and try one more thing, okay? And this is the same thing that we have tried in the medium and as you can see it works as well, okay? So, it may work or it may not work depending on the configuration, security configuration, so maybe we can try medium as well. Let me go to medium and try this one more time. So, let me run the script like this, okay? In a most basic way. If I submit this. Yeah, here we go. It still works for some reason. So, I believe the security configuration is not doing a very good job in the medium as well, but it might not have worked, maybe we might have to try the other stuff in the variations of these  XSS payloads, but this time it worked. So, try this, the other ones, try the iframe and the image source on your own time to see which ones are working and which ones are not. So, as you can see onerror is here as well, right? The image source onerror is here as well. Let's try this actually. Let me delete this. Now, let me try to inject this, okay? And if I say submit, here we go, it still works. So, this is a legit one so make sure you have it on your notes and as you can see it works in the medium as well. So, this is all for XSS for right now, we're going to cover the dome based  XSS later on in other sections. Right now, we want to move forward and we're going to start working on different vulnerabilities within the next section.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.