Stored XSS into HTML context with nothing encoded

Marduk I Am
Dec 14, 2023


This is the second lab from the PortSwigger Web Security Academy dealing with cross-site scripting (XSS). This time we are talking about stored XSS. As the name implies, in a stored XSS attack the payload is saved by the application on the web server, and it is executed only when a victim visits the specific page or URL that renders it.

In this lab we are brought to another blog page with several posts. There is no search bar to test this time. Users can, however, leave comments on each of the posts. In order to solve this lab we need to inject our JavaScript code into one of these comments. Our code will be stored on the web server until a user visits the blog post, at which point the victim's browser will execute it.

Navigate to one of the posts. At the bottom, fill out the required fields: Name, email, and website. Nothing personal. You can just make them up.

Screenshot of a comment form with a box for your comment, name, email, and website.

In the comment box is where we are going to leave our payload. PortSwigger wants us to use the alert method to solve this lab. So we will use the same payload as last time.

<script>alert(document.cookie)</script>
  • <script></script> — HTML script tags that define a block of JavaScript code to be executed by the browser.
  • alert — JavaScript method that opens a pop-up dialog showing whatever value it is passed.
  • (document.cookie) — JavaScript expression that returns the cookies associated with the current document; the alert then displays them, proving the script ran in the page's origin.
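
As an added illustration that is not part of the original write-up or the PortSwigger lab, the following Node.js snippet shows why a comment feature that encodes nothing is exploitable and how output encoding for the HTML context removes the problem. The in-memory comment store, the two renderers and the htmlEncode helper are assumed stand-ins for the application's server side, and the sample comment is constructed.

```javascript
// Added example: a minimal comment store rendered into an HTML context,
// first with nothing encoded, then with proper HTML entity encoding.

// Constructed in-memory stand-in for the server-side comment storage.
const comments = [];

function storeComment({ name, body }) {
  comments.push({ name, body });
}

// Vulnerable renderer: stored text is interpolated straight into the HTML.
// A comment body containing <script>...</script> becomes a real script element.
function renderCommentsUnsafe() {
  return comments
    .map(c => `<div class="comment"><b>${c.name}</b><p>${c.body}</p></div>`)
    .join("\n");
}

// Encode the characters that can change meaning inside an HTML element context.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened renderer: every untrusted value is encoded for the context it lands in,
// so the stored payload is displayed as text instead of being executed.
function renderCommentsSafe() {
  return comments
    .map(c => `<div class="comment"><b>${htmlEncode(c.name)}</b><p>${htmlEncode(c.body)}</p></div>`)
    .join("\n");
}

// Simple check for a rendering test: the comment template contains no script
// element, so any <script in the output must have come from user data.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a comment carrying the lab's payload.
storeComment({ name: "tester", body: "<script>alert(document.cookie)</script>" });

console.log("unsafe render contains script tag:", containsScriptTag(renderCommentsUnsafe())); // true
console.log("safe render contains script tag:", containsScriptTag(renderCommentsSafe()));     // false
```

The same check can be run over any page template in an automated test to catch a renderer that forgot to encode a field.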

Enter your payload into the comment box and post your comment.

Screenshot showing comment was posted.

At this point PortSwigger will tell you that the lab is solved, and in fact it’s true. However, if you would like to see your payload in action, click on the “Back to blog” button and the pop-up alert window will show up.

Screenshot of pop-up window we created.

Congratulations! We're on a roll. Let's keep it up!

Previous Lab — Reflected XSS into HTML context with nothing encoded can be found here: https://medium.com/@marduk.i.am/reflected-xss-into-html-context-with-nothing-encoded-8d3fb3a9eaf5

For more information please visit the following sites:


Marduk I Am

Cybersecurity enthusiast. Currently focusing on write-ups and bug bounties. Twitter: @marduk_I_am | Mastodon: @Marduk_James@infosec.exchange