Prerequisites

To understand this whole article, you will need:

  • Know how to write HTML
  • Know the basics of PHP and JavaScript
  • Know what an XSS is (see my article on XSS if needed)

Definition

    A stored XSS is possible when user input is saved in a database and later written back into a page without HTML encoding. Because the payload is stored server-side, it is served to every user who views that page, not only to the one who submitted it. A forum page is a good example.

    Explanation of the vulnerability

    Take as an example a forum page that displays posted messages.
    Here is the part of the PHP code that displays the messages:

    // Connection to the database (assumed to be a PDO object in $database)
    $request = $database->query('SELECT user, message FROM messages ORDER BY id DESC LIMIT 0, 5');

    while ($data = $request->fetch()) {
        // Nickname and message are written into the HTML exactly as stored
        echo "<p>" . $data['user'] . ":" . $data['message'] . "</p>";
    }
    

    The interesting part of this code is the echo, which writes the nickname and the message into the page without any HTML encoding (no htmlspecialchars or equivalent). Whatever a user typed, including HTML tags, therefore ends up in the page source and is parsed by the browser.

    For example, if we post <u>hello</u>, the page renders:
    hello (underlined)
    The tags were not shown as text: echo wrote them into the HTML as-is and the browser interpreted them. You are probably wondering how dangerous it is for a user to send an underlined message. The point is that the same mechanism applies to every tag: if <u> gets through, so does <script>.

    Exploit

    Now that our tags are interpreted, we can move on to the exploit. By posting <script>alert()</script>, the script runs and the alert is displayed every time the page is loaded, for every user who views it, since the payload is stored. Once you can execute JavaScript in other users' browsers you can, for example, read their cookies (provided the cookie is not flagged HttpOnly, which keeps it out of document.cookie) and send them to a server you control.
    I'll let you see my XSS Cheat Sheet to see how to get these famous cookies. :)
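The vulnerable loop from the explanation above and its hardened counterpart, as an added example that is not part of the original article: a self-contained PHP script that runs against an in-memory SQLite database (an assumed stand-in for the article's $database connection, which the article does not show), stores the <u> test and the alert() payload from the sections above as constructed sample posts, and renders them twice, once exactly as the article's code does and once with htmlspecialchars applied at output. The helper name h(), the function names and the sample nicknames are my own choices.

```php
<?php
// Added example, not from the original article. Reproduces the forum rendering
// loop against an in-memory SQLite database (assumed stand-in for the
// article's $database connection) and shows the same loop with output encoding.

declare(strict_types=1);

// Constructed sample data: a benign post, the <u> test and the alert() payload.
$samples = [
    ['alice',   'hello everyone'],
    ['bob',     '<u>hello</u>'],
    ['mallory', '<script>alert()</script>'],
];

$database = new PDO('sqlite::memory:');
$database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$database->exec(
    'CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, user TEXT NOT NULL, message TEXT NOT NULL)'
);

$insert = $database->prepare('INSERT INTO messages (user, message) VALUES (:user, :message)');
foreach ($samples as [$user, $message]) {
    // A prepared statement stops SQL injection but does nothing about XSS:
    // the payload is stored verbatim, exactly as the attacker typed it.
    $insert->execute([':user' => $user, ':message' => $message]);
}

// Vulnerable rendering: the article's loop unchanged. Whatever was stored is
// concatenated straight into the HTML, so the browser parses any tags in it.
function renderVulnerable(PDO $database): string
{
    $request = $database->query('SELECT user, message FROM messages ORDER BY id DESC LIMIT 0, 5');
    $html = '';
    while ($data = $request->fetch()) {
        $html .= "<p>" . $data['user'] . ":" . $data['message'] . "</p>\n";
    }
    return $html;
}

// Output encoding helper (hypothetical name). ENT_QUOTES also encodes ' and "
// so the value stays safe inside attribute values, not only in text nodes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every user-controlled value, the nickname included, is
// HTML-encoded at the point where it is written into the page.
function renderSafe(PDO $database): string
{
    $request = $database->query('SELECT user, message FROM messages ORDER BY id DESC LIMIT 0, 5');
    $html = '';
    while ($data = $request->fetch()) {
        $html .= "<p>" . h($data['user']) . ":" . h($data['message']) . "</p>\n";
    }
    return $html;
}

echo "--- vulnerable ---\n", renderVulnerable($database);
echo "--- encoded ---\n", renderSafe($database);
```

Run it with php on the command line (pdo_sqlite is enabled in most builds). In the first listing the stored <script>alert()</script> appears verbatim inside the <p>, which is exactly what a browser would execute; in the second it appears as &lt;script&gt;alert()&lt;/script&gt;, which a browser displays as literal text. Note that the prepared INSERT only protects against SQL injection: stored XSS is an output-encoding problem, so the fix belongs where the value is written into HTML, and it must cover the nickname as well as the message, since both come from users.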

    XSS Cheat Sheet