July 10, 2026
Stored DOM XSS — PortSwingger
Stored DOM XSS — PortSwingger
By CyberForge
2 min read
This lab demonstrates a stored DOM vulnerability in the blog comment functionality. To solve this lab, exploit this vulnerability to call the alert() function.
Lab Solution:
Before we solve any DOM XSS Lab the first thing we have to do is understand how our input is moving From the Source to Sink.
In this lab we can notice that our source is responseText the comments are stored on the database and returned as a json response via an XHR request, then this response gets passed into innerHTML whcih is our Sink.
From the source code we could also see that the lab uses a escapeHTML function, it replaces <> to < > but here is a big flaw with the javascript replace method it only replaces the first occurance so if we have two tags <> the replace only replace the first one leaving the second one.
Still Inspecting the source code, we can see our injection point is the comment.author which on the blog comment section is the name filed, input from the comment.author is passed escape.html() directly into innerHTML. This looks protected but the filter only replaces the first occurrence of making it bypassable.
Since our input get into innerHTML, innerHTML renders HTML at the same time block script tag automatically so we can't craft a payload with script, we have to make use of the if we pass this direclty in the name filed, escape.html will replace the tags which will render our payload useless, now we will exploit the weakness in .replace we will add a set of <> to our payload <>
now when this payload get to the filter it replaces the first set of <> leaving our payload executable.
Sending this payload in the name field stores it in the database and the browser will execute it automatically whever any user visit the blog post……