Level 2: Stored XSS into HTML context with nothing encoded
Objective
This lab contains a stored cross-site scripting vulnerability in the comment functionality.
To solve this lab, submit a comment that calls the alert function when the blog post is viewed.
Explanation
Unlike reflected XSS, where the payload travels in the request (URL or form fields) and only executes for the victim who sends that crafted request, stored XSS persists the payload server-side, typically in a database. In this lab the vulnerability is in the comment section of a blog post: a comment containing script is stored and later written into the page, unencoded, for every visitor. Any user who views the post runs the script when the page loads, with no click on an attacker-controlled link required.
By injecting a simple JavaScript payload, we make the alert() function execute whenever someone views the post that contains our comment, demonstrating a stored XSS vulnerability.
Resolution
Navigate to any blog post on the application.
In the comment section, enter the following payload:
<script>alert('XSS test')</script>
Fill out the other fields (name, email, etc.) with any value.
Submit the comment.
Once the comment is submitted, navigate to the same blog post.
Upon page load, an alert box will appear, confirming the execution of the malicious script.
You will then see the lab completion notification.
Mitigation
Encode user-generated content at the point where it is written into the page, so that special characters such as < and > (and &, " and ' in attribute contexts) are emitted as text rather than as markup. This is the fix that actually removes the vulnerability: the correct encoding depends on the output context (HTML element, attribute, JavaScript, URL), not on where the data came from.
Validate input on submission (for example, reject or flag comments containing markup), but do not rely on this alone: input filters are routinely bypassed, and the same stored string may later be rendered in a context the filter did not anticipate.
Implement a Content Security Policy (CSP) that disallows inline script to limit what an injected payload can do if encoding is missed somewhere. CSP is defence in depth, not a replacement for output encoding.
Use a web application firewall (WAF) to help identify and block common XSS attack patterns, again as a supplementary layer.
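The following is an added example, not code from the lab or from PortSwigger, showing the two halves of the mitigation above: a comment renderer that concatenates the stored comment straight into HTML (the behaviour this lab exploits), the same renderer with HTML entity encoding applied at output time, and a CSP header that would block the inline script as a second layer. The in-memory comment list, the function names and the CSP policy string are assumptions made for the example.

```javascript
// Added example (not the lab's code). The comment store and render functions
// are hypothetical stand-ins for the blog's backend.

const comments = []; // constructed in-memory "database"

function storeComment(name, body) {
  // Stored raw on purpose: storage is not where XSS is fixed. Encoding belongs
  // at output, because the same string may be emitted into several contexts.
  comments.push({ name, body });
}

// Vulnerable: user-controlled text is concatenated straight into HTML,
// so a stored <script> element becomes live markup for every viewer.
function renderCommentsVulnerable() {
  return comments
    .map(c => `<div class="comment"><b>${c.name}</b><p>${c.body}</p></div>`)
    .join('\n');
}

// HTML entity encoding suitable for element-content and quoted-attribute contexts.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
  };
  return String(s).replace(/[&<>"'\/]/g, ch => map[ch]);
}

// Fixed: identical template, but every user-controlled value is encoded
// at the point it is written into the HTML context.
function renderCommentsSafe() {
  return comments
    .map(c => `<div class="comment"><b>${escapeHtml(c.name)}</b><p>${escapeHtml(c.body)}</p></div>`)
    .join('\n');
}

// Check used below: does the rendered HTML contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Defence in depth: a CSP without 'unsafe-inline' in script-src makes the
// browser refuse to run an injected inline <script> even if encoding is missed.
// (Assumed policy; adjust to the application's real script origins.)
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

function cspAllowsInlineScript(policy) {
  const directive = policy.split(';').map(d => d.trim()).find(d => d.startsWith('script-src '))
    || policy.split(';').map(d => d.trim()).find(d => d.startsWith('default-src '));
  return directive ? /'unsafe-inline'/.test(directive) : true;
}

// Constructed sample data: the lab payload plus a benign comment with markup-like characters.
const PAYLOAD = "<script>alert('XSS test')</script>";
storeComment('attacker', PAYLOAD);
storeComment('Carlos <carlos@example.com>', 'Nice post & thanks!');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Vulnerable render executes script:', containsScriptTag(renderCommentsVulnerable()));
  console.log('Encoded render executes script:', containsScriptTag(renderCommentsSafe()));
  console.log('CSP allows inline script:', cspAllowsInlineScript(CSP_HEADER));
}
```

Run with `node`: the vulnerable renderer emits the stored `<script>` element verbatim, the encoded renderer turns it into `&lt;script&gt;...` which the browser displays as text, and the policy reports that inline script is not permitted. Note that the encoding shown is only correct for an HTML element or quoted-attribute context; a value written into a JavaScript string, a URL or an event-handler attribute needs the encoding rules for that context.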