Cross-Site Scripting - Persistent

General Persistent XSS Report Requirements


  • Payloads should demonstrate access to the DOM where possible, for example by displaying document.domain or similar.

  • Screenshots should include successful XSS execution.

  • HTTP requests where payloads are sent are required.

  • Impact on multiple users must be demonstrated; otherwise the report cannot be accepted.

  • If authentication is required, please include credentials in your first step.


Template Contents


Title

Persistent XSS on [SITE]


Description

Cross-Site Scripting (XSS) attacks involve the execution of untrusted user input in the context of an application. In the persistent case, the malicious input is saved by the application (usually in its database) and later injected into the response to any request for the affected resource. Because the payload persists, an otherwise safe site can be turned into a watering hole: every user who visits the resource carrying the stored payload is compromised, so many users can be affected at once. The following report describes the Persistent XSS findings.


Impact

XSS results in unauthorized code being executed/rendered by a user's browser. As a result, the following may occur:

  • Cookies may be stolen, potentially leading to account takeover

  • Untrusted code may modify the DOM environment and retrieve/modify various values

  • Execution of malicious input can lead to a variety of other impacts


Tips from OWASP:

  • Never insert untrusted data except in allowed locations

  • HTML encode before inserting untrusted data into HTML element content

  • Attribute encode before inserting untrusted data into HTML common attributes

  • JavaScript encode before inserting untrusted data into JavaScript data values

  • URL encode before inserting untrusted data into HTML URL parameter values

For more detailed information on these tips, see the OWASP XSS Prevention Cheat Sheet.

