Stored XSS Lab - localStorage Based

📚 What is Stored XSS?

Stored Cross-Site Scripting (Persistent XSS) occurs when malicious input is stored (in a database, localStorage, file, etc.) and later displayed to users without proper sanitization. This is considered the most dangerous type of XSS because:

The attack is persistent - it affects all users who view the stored content
No user interaction needed beyond viewing the page
Can affect many users over an extended period

🧪 Comment System (Vulnerable)

💡 Try These Payloads

Post these as comments to see the vulnerability in action:

<img src=x onerror=alert('Stored XSS')>

<script>alert('This XSS persists!')</script>

<img src=x onerror="alert('Executed on every page load!')">

<h1 style="color: red;">DEFACED!</h1>

Notice: These payloads will be stored in localStorage and execute every time the page loads, demonstrating persistence!

🔍 Understanding the Vulnerability

Vulnerable Code:

                
// ❌ VULNERABLE: Storing and displaying user input with innerHTML

function postComment() {

  const comment = document.getElementById('input').value;

  // Store in localStorage (or database in real app)

  let comments = JSON.parse(localStorage.getItem('comments') || '[]');

  comments.push({text: comment, date: new Date()});

  localStorage.setItem('comments', JSON.stringify(comments));

  // Display using innerHTML - DANGEROUS!

  displayElement.innerHTML = comment;

}

The problem: User input is stored without sanitization and displayed using innerHTML, allowing malicious scripts to persist and execute for all users.

Secure Code:

                
// ✅ SECURE: Sanitize before storing and use textContent

function postComment() {

  const comment = document.getElementById('input').value;

  // Sanitize input before storing

  const sanitized = DOMPurify.sanitize(comment);

  // Or escape HTML

  const escaped = escapeHtml(comment);

  // Store sanitized version

  localStorage.setItem('comments', JSON.stringify([escaped]));

  // Display using textContent

  displayElement.textContent = escaped;

}

⚠️ Real-World Impact

Mass Account Compromise: Steal cookies/tokens from all users who view the content
Worm Propagation: Create self-propagating XSS attacks
Persistent Backdoors: Maintain long-term access to user accounts
Data Harvesting: Collect sensitive information from multiple users
Social Engineering: Display fake security warnings or login prompts
Reputation Damage: Deface pages viewed by all users

🎯 Common Attack Vectors

Comment Systems: Blog comments, forum posts, reviews
User Profiles: Bio, username, profile fields
File Uploads: Filenames, metadata, SVG files
Search Functionality: Stored search queries
Messaging Systems: Private messages, chat applications
Form Data: Any persistent form submissions

🔒 Prevention Techniques

Input Validation: Validate all user input on both client and server
Output Encoding: Encode data before displaying (HTML entity encoding)
Use textContent: Never use innerHTML for user-generated content
Sanitization Libraries: Use DOMPurify or similar tools
Content Security Policy: Implement strict CSP headers
HttpOnly Cookies: Prevent JavaScript access to sensitive cookies
Regular Audits: Scan stored data for malicious content
Context-Aware Encoding: Encode based on where data is displayed (HTML, JS, CSS, URL)

🧪 Lab Details

This lab uses localStorage to simulate a database. In a real application, comments would be stored in a backend database. The vulnerability and prevention techniques are the same - never trust stored data and always sanitize/encode when displaying.

Try this: Post a malicious comment, then reload the page. Notice how the XSS payload executes again! This demonstrates the persistent nature of Stored XSS.

🔵 Stored XSS Lab

localStorage-Based Persistent Vulnerability