June 29, 2026
Mastering Web Security: Exploiting Stored XSS into HTML Context
By Albert Simanjuntak
Stored Cross-Site Scripting (XSS) is a high-impact vulnerability that occurs when an application saves untrusted user input and later reflects it to other users without proper validation or encoding. In this write-up, I will demonstrate how to exploit a Stored XSS vulnerability in a blog's comment section, highlighting the persistent nature of this attack and how it can be used to execute arbitrary JavaScript in the browsers of unsuspecting visitors.
Vulnerability Analysis
The target application contains a Stored Cross-Site Scripting (XSS) vulnerability within its comment functionality. Unlike Reflected XSS, the malicious payload is permanently stored by the application on the server (e.g., in a database).
The vulnerability exists because the application reflects user-supplied comments directly into the blog post page without any sanitization or output encoding. Consequently, any user who views the blog post will have the injected script executed by their browser automatically.
Exploitation Steps
To solve this lab, I performed the following steps to inject and store the payload:
- Access the Comment Section: I navigated to one of the blog posts and located the comment input form at the bottom of the page.
- Inject the Payload: I entered the following standard proof-of-concept JavaScript into the "Comment" field: .
- Submit the Comment: I filled in the remaining required fields (Name, Email, and Website) with arbitrary test data and clicked the "Post comment" button.
- Trigger the Execution: I clicked "Back to blog" to view the updated post. Upon loading the page, the server rendered the stored comment, and the browser executed the raw
Conclusion
This lab illustrates the critical impact of Stored XSS. Because the attack vector resides permanently on the server, a single successful injection can compromise the session of every single visitor who accesses that specific page.
- Key Lesson: The primary defense against Stored XSS is context-aware output encoding. When the application renders user-stored content back to the browser, characters like `<` and `>` must be converted into their safe HTML entities (`&lt;` and `&gt;`). This forces the browser to display the payload as harmless text rather than executable code.
- Final Thoughts: Never trust user input, even after it has been safely stored in your database. Security controls must be applied both at the point of input validation and at the point of output rendering.
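The rendering flaw described in the Vulnerability Analysis and the output-encoding defense in the Key Lesson, as an added example that is not part of the original write-up or the lab: a comment-rendering function that concatenates stored fields straight into markup, next to a hardened version that encodes each field for the HTML text context it lands in. The function names, the template, and the sample comment are all constructed for this illustration.

```javascript
// Added example (not from the original write-up). Shows the vulnerable
// rendering pattern the post describes next to a hardened version that
// applies HTML-body-context output encoding. All names are illustrative.

// Characters that carry meaning in HTML text content, mapped to entities.
// The replacement is done in a single pass over the input, so '&' is never
// encoded twice (an '&' produced by one substitution is not revisited).
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode a value for insertion into an HTML text node. This is the "HTML
// context" encoding the Key Lesson refers to; attribute, JavaScript and URL
// contexts need their own encoders and are not covered here.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored comment fields are interpolated verbatim, so
// any markup a commenter saved is parsed by every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><p class="author">${comment.name}</p><p>${comment.body}</p></div>`;
}

// Hardened pattern: every user-controlled field is encoded for the context
// it is rendered into (here: HTML text content).
function renderCommentSafe(comment) {
  return `<div class="comment"><p class="author">${encodeForHtml(comment.name)}</p><p>${encodeForHtml(comment.body)}</p></div>`;
}

// Counts '<' characters in a fragment. After correct encoding, the only
// '<' left must belong to the template itself, which gives a simple check.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Number of '<' the template contributes on its own (empty fields).
const TEMPLATE_TAG_COUNT = countTagOpeners(renderCommentSafe({ name: "", body: "" }));

// Constructed sample comment (not from the lab). It carries markup and an
// ampersand so both the flaw and the fix are visible in the output.
const SAMPLE_COMMENT = {
  name: "alice <i>",
  body: 'Great post & nice <b>lab</b> "quotes"',
};

console.log("unsafe:", renderCommentUnsafe(SAMPLE_COMMENT));
console.log("safe:  ", renderCommentSafe(SAMPLE_COMMENT));
```

The unsafe render carries the commenter's `<i>` and `<b>` tags into the page as live markup; the safe render turns them into `&lt;i&gt;` and `&lt;b&gt;`, which the browser displays as text. The `countTagOpeners` comparison is the kind of assertion a unit test for a comment template can make: the rendered fragment may contain exactly as many `<` as the template itself, no matter what the stored fields hold.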