Stored XSS

The second type of attack is stored XSS. It is exploited by saving a script (JavaScript) through a page (for example, Blogs, CMS, Forums) into some sort of storage (for example, a database, a file, or logs). This flaw is dangerous because it is persistent: the script executes when anyone visits the infected page later. Imagine that on Facebook (or any social media platform), you could submit a post containing JavaScript code that is executed by anyone who sees that post; amazing, right?

Please don't try it on Facebook; I'm just giving an example here, and you don't want to get yourself in trouble! (By the way, Facebook and other big companies offer bug bounty programs, and they will pay you money if you find any bugs.)

That's why we have Mutillidae: to test our concept and check how things work.

  1. Go to the homepage of Mutillidae, then on the left menu, choose OWASP 2017 | Cross Site Scripting | Persistent | Add to your blog.
  2. As before, we will insert the same JavaScript alert that we used earlier and execute it by clicking the Save Blog Entry button (but this time, it will be stored as a blog entry).

Now, every time a user visits this blog, the JavaScript alert will pop up when the page loads, because it's stored in the database.
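The following added example (not code from the book or from Mutillidae) shows why the stored entry runs for every visitor and how encoding at output time stops it. The in-memory table, the function names, and the sample entries are assumptions made for illustration.

```javascript
// Constructed in-memory table standing in for the blog database (hypothetical).
const blogTable = [];

// Storing the text as submitted is not the bug; what matters is how it is rendered.
function saveBlogEntry(author, text) {
  blogTable.push({ author, text });
}

// Vulnerable rendering: stored text is concatenated into the HTML as-is,
// so markup inside an entry becomes part of the page for every visitor.
function renderBlogUnsafe() {
  return blogTable
    .map((e) => `<tr><td>${e.author}</td><td>${e.text}</td></tr>`)
    .join("\n");
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every stored field is encoded when it is written to the page.
function renderBlogSafe() {
  return blogTable
    .map((e) => `<tr><td>${escapeHtml(e.author)}</td><td>${escapeHtml(e.text)}</td></tr>`)
    .join("\n");
}

// Rows saved before the fix still hold markup; list their authors for review.
function findEntriesWithMarkup() {
  return blogTable
    .filter((e) => /<\s*\/?\s*[a-z!]/i.test(e.text))
    .map((e) => e.author);
}

// Constructed sample data: one ordinary entry and one holding the alert test string.
saveBlogEntry("alice", "Hello & welcome");
saveBlogEntry("tester", "<script>alert('XSS')</script>");

console.log("unsafe:\n" + renderBlogUnsafe());
console.log("safe:\n" + renderBlogSafe());
console.log("entries to review:", findEntriesWithMarkup());
```

With the safe renderer, the browser displays the entry as literal text instead of executing it, while the stored row itself is unchanged.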

 
