Stored XSS [Payload Execution]

Hello Friends,

This is my 29th blog on web application security penetration testing. In this blog I will explain Stored XSS payload execution when malicious payload is coming from DB to front end which we have saved earlier in blog 28th.

In my last Blog, I have explained about Stored XSS [Front-end To Back-end] Step by Step process with debugging enabled So that you people will understand how malicious payload pass to backend from the front end when validation and sanitization is not in the place.

What is Stored Cross Site Scripting?

Stored based Cross Site Scripting: [Stored in Database] : When a user supplied input is not validated or sanitized properly and stored into database and later on access in some other part of application from database then we called it as stored cross site scripting attack.

How to Test for Stored XSS?

1] Find pages which collect user information or some other info and saved to DB. Like signup page, comment box, contact us page, etc.

2] Enter some simple text and click on submit. If it is stored in DB and displaying on page then here is good to test stored XSS.

3] Enter payload and submit to server. Re-visit the same page or different page where payload is getting called from DB and if payload is executing successfully then there is stored XSS.

Lab Setup:

To demonstrate Stored Cross Scripting, I have created one sign-up/Register Page in previous blog and in this blog we will see how execution takes place when malicious data is coming from DB.

I have used below technologies:

Microsoft Visual Studio 2015

Microsoft SQL Server 2008

Firefox Web Browser

Note: Disable the XSS prevention in asp.net web page by setting up below property to false. ValidateRequest=”False”.

Below is the Step-by-step POC:

  1. I have created a new webpage called “ViewRegisterDetails.apsx” this page basically will take data which we have stored earlier in DB through our Registration process and bind it to Front end web page i.e. our HTML web form.

Note: Payload Stored in DB for id=5 is “><script>alert(1)</script>

2. Below is the code written to access data from DB and display it on front end web form i.e. ViewRegisterDetails.aspx

3. I have written below designer code which takes backend data and bind it to the label controls text property.

4. Notice, our payload is executed successfully as soon as it’s loaded on web form.

This is the best way to understand the complete execution of Stored XSS.

Please do like and comment and also follow me on medium and LinkedIn for more reads!

Thank!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store