ELI5: What is Stored (Persistent) XSS?
The attacker plants bad code on a website that stays there forever — like graffiti on a wall. Every single person who visits that page gets hit by the trick, not just one person who clicks a link.
Definition
Stored (Persistent) Cross-Site Scripting is the most dangerous form of XSS, where malicious script code is permanently saved on the target server—typically in a database, comment field, forum post, or user profile—and then served to all users who view that content. Unlike reflected XSS (which requires the victim to click a link), stored XSS automatically executes in every visitor’s browser without any additional attacker action.
Key Details
- Persistence: The payload is stored on the server and served to all subsequent users automatically—maximum blast radius.
- Common injection points: comment fields, user profiles, forum posts, product reviews, chat messages, form fields stored in databases.
- Attacker injects once; the stored script executes for every visitor to the affected page—potentially thousands of victims.
- Impact: Session cookie theft, account hijacking at scale, browser-based malware distribution, defacement, phishing via injected forms.
- Mitigation: Output encoding before rendering stored user content in HTML; Content Security Policy (CSP) to restrict script execution; input validation and sanitization on storage.
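The following is an added example, not code from the original page: a minimal in-memory comment board that shows why stored content is dangerous (it is rendered to every later reader) and how the output-encoding mitigation listed above neutralises it. All names (commentStore, addComment, escapeHtml, renderUnsafe, renderSafe) and the sample comments are constructed for this illustration.

```javascript
// Constructed "database": comments persist across requests, so whatever one
// user stores here is served to every subsequent visitor of the page.
const commentStore = [];

function addComment(author, body) {
  commentStore.push({ author, body });
}

// Encodes the characters that can break out of an HTML text node or a
// quoted attribute value. This is the "output encoding before rendering"
// mitigation: it is applied at the point data enters HTML, independent of
// any validation done when the comment was stored.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: stored text is concatenated straight into markup,
// so any tags a user saved are parsed and executed by every reader's browser.
function renderUnsafe() {
  return commentStore
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('');
}

// Hardened rendering: every stored field is HTML-encoded, so the same bytes
// are displayed as literal text instead of being interpreted as markup.
function renderSafe() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Constructed sample data: one ordinary comment and one containing markup
// that a browser would execute if it were rendered unencoded.
addComment('alice', 'Great article!');
addComment('mallory', '<script>alert("stored xss")</script>');

console.log('unsafe:', renderUnsafe());
console.log('safe:  ', renderSafe());
```

Note that escapeHtml is only correct for HTML body text and quoted attribute values; content placed into a JavaScript string, a URL, or a CSS context needs the encoder for that context. A Content Security Policy that forbids inline scripts is a second, independent layer: it limits what an injected script can do if an encoding step is ever missed.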
Connections
- Parent: xss-and-csrf — the most severe XSS variant
- See also: reflected-xss, dom-based-xss