June 14, 2026
Stored XSS: The Dangerous Cousin
Hey friends! Nitin here.
Nitin Yadav
Last post was reflected XSS: the payload lives in a crafted link and only runs for whoever loads that link. Now meet its scarier cousin: stored XSS. This one hits OTHER people, with no link-clicking required. And that makes it way more dangerous (and way more rewarding).
What Makes It "Stored"?
With stored XSS, your malicious code gets SAVED on the website. In their database. And then it runs for everyone who views that page, not just you.
Think about it like this: reflected XSS is writing a nasty note and reading it yourself. Stored XSS is writing that note and pinning it on the company notice board where EVERYONE who walks by reads it.
A Real Example
Say a website has a comments section. You post a comment:
Nice article! <script>alert(document.cookie)</script>
The site saves your comment. Now every single person who opens that page loads your comment, and their browser runs your script. You could be stealing the session cookie of every visitor (and if the cookie is HttpOnly so document.cookie can't read it, your script still runs inside their logged-in session and can make requests as them). That's the power (and danger) of stored XSS.
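To make the "saved once, served to everyone" part concrete, here is an added example (not code from the post): a tiny in-memory comments feature with the page's payload posted into it, rendered once the vulnerable way (string concatenation) and once with HTML output encoding at the sink. Everything in it (commentStore, renderPageVulnerable, renderPageSafe, the sample comments and the crude "would this execute" check) is constructed for illustration.

```javascript
// Added example, not the post's own code: a tiny in-memory comments feature.
// Everything here (commentStore, renderPageVulnerable, renderPageSafe, the
// sample comments) is constructed for illustration.

const commentStore = []; // stands in for the site's comments table

// Anyone can post; the text is stored exactly as submitted (that part is fine).
function postComment(author, text) {
  commentStore.push({ author, text });
}

// VULNERABLE: stored text is concatenated straight into the page HTML,
// so whatever the attacker saved is served to every later viewer as markup.
function renderPageVulnerable() {
  return commentStore
    .map(c => `<div class="comment"><b>${c.author}</b>: ${c.text}</div>`)
    .join("\n");
}

// HTML-context output encoding: the five characters that can break out of
// text content or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// HARDENED: same template, every untrusted field encoded at the sink.
// Encode on output, not on save: the database keeps the raw text and each
// display context (HTML body, attribute, JS, URL) gets its own encoding.
function renderPageSafe() {
  return commentStore
    .map(c => `<div class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</div>`)
    .join("\n");
}

// Rough stand-in for "would a browser execute something here": a raw <script>
// tag or an on* event-handler attribute survived into the output.
function containsExecutableHtml(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// The scenario from the post: the attacker posts once, everyone else reads later.
const PAYLOAD = "Nice article! <script>alert(document.cookie)</script>"; // constructed sample
postComment("alice", "Great write-up.");
postComment("attacker", PAYLOAD);

function demo() {
  return {
    storedAsIs: commentStore[1].text === PAYLOAD,                       // saving raw text is not the bug
    vulnerableExecutes: containsExecutableHtml(renderPageVulnerable()), // the concatenating sink is
    safeExecutes: containsExecutableHtml(renderPageSafe()),             // encoding at the sink stops it
  };
}

console.log(renderPageVulnerable());
console.log(renderPageSafe());
console.log(demo());
```

Note where the fix lives: the comment is still stored raw in both versions. Stripping or encoding on the way into the database is the common mistake, because the same field is later shown in other contexts (an attribute, a JSON blob, an email) that need different encoding; encode at each output sink instead.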
Where To Hunt For It
Anywhere your input gets SAVED and shown to others:
- Comment sections
- Profile fields (name, bio, "about me")
- Support tickets (the support agent views YOUR text!)
- Chat messages
- Product reviews
- Anything where you submit text that someone else will later see
[Image: Hunting through a web application]
The Pro Move: Target The Admin
Here's where it gets juicy. The HIGHEST impact stored XSS is the kind that fires in an ADMIN's browser.
Example: you submit a support ticket with your payload. A support agent or admin opens it to help you. Boom: your code runs in THEIR session, which has way more power than yours. That's how stored XSS turns into full account takeover or worse. Programs pay big for this.
How To Test It
- Find an input that gets saved and displayed later
- Drop in a harmless HTML probe first, like <b>nitintest</b>. Does it render as bold? Then HTML isn't escaped.
- Escalate to a JS payload like <script>alert(1)</script> or <img src=x onerror=alert(1)>. Try both: some filters strip <script> tags but leave event-handler attributes alone.
- Reload the page (or view it from another account). Does it fire?
- If it runs for a DIFFERENT user, stored XSS confirmed.
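The steps above as an added example (not code from the post): the probe ladder run through every place a saved field is displayed, reporting per location whether each probe came back unescaped. It goes a little beyond the steps by auditing several sinks for one stored value at once, since the same field often shows up in more than one place. The three sinks, the weak <script>-stripping filter and the marker string are made up for illustration.

```javascript
// Added example, not the post's own code: the probe ladder from the test steps,
// run through every place a saved profile field is displayed. The three sinks,
// the weak filter and the marker string are made up for illustration.

// Step order matters: a harmless marker proves the field is shown at all,
// then HTML, then two JS payloads so a <script>-only blacklist is caught.
const PROBES = [
  { name: "marker",  payload: "nitintest" },
  { name: "html",    payload: "<b>nitintest</b>" },
  { name: "script",  payload: "<script>alert(1)</script>" },
  { name: "onerror", payload: "<img src=x onerror=alert(1)>" },
];

// Proper HTML-context output encoding (the fix).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// The kind of "sanitizer" that removes <script> tags and nothing else.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script\b[^>]*>/gi, "");
}

// Hypothetical display locations for one stored "bio" field. Each takes the
// stored value and returns the HTML fragment that page would send.
const SINKS = {
  publicProfile: bio => `<p class="bio">${escapeHtml(bio)}</p>`,
  dashboard:     bio => `<span class="me">${stripScriptTags(bio)}</span>`,
  adminPanel:    bio => `<td>${bio}</td>`,
};

// For one sink: did each probe come back byte-for-byte unescaped?
function auditSink(render) {
  const result = {};
  for (const p of PROBES) result[p.name] = render(p.payload).includes(p.payload);
  result.verdict =
    (result.script || result.onerror) ? "stored XSS"
    : result.html                      ? "HTML injection only"
    : result.marker                    ? "escaped"
    :                                    "not displayed";
  return result;
}

// Follow the one saved value to every sink and report per location.
function auditAllSinks(sinks) {
  const report = {};
  for (const [name, render] of Object.entries(sinks)) report[name] = auditSink(render);
  return report;
}

console.log(auditAllSinks(SINKS));
// publicProfile -> escaped; dashboard -> stored XSS (onerror survives the
// <script> blacklist); adminPanel -> stored XSS
```

Two things to take from it. First, the dashboard sink strips <script> and still fails, which is why the ladder carries an event-handler payload as well. Second, "came back unescaped" is only the static half of the check: confirmation is still the last step in the list, loading the page as a different account in a real browser and seeing it fire.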
My Honest Tip
Always check WHERE your saved input shows up. Sometimes you type something in your profile and it shows up in five different places โ the dashboard, the public profile, an admin panel. One of those five spots might not be filtering. Follow your input everywhere it travels. That trail is where the bug hides.
Next post: DOM XSS, the sneaky one that scanners almost always miss.
Keep hunting!