Lab 2: Stored XSS into HTML context with nothing encoded

Summary of the Lab (Conceptual, Safe)

The referenced PortSwigger lab demonstrates a stored (persistent) Cross-Site Scripting (XSS) vulnerability in an HTML context where no characters are encoded, meaning user input is placed directly into the page.

What the lab tries to teach

  • Stored XSS occurs when malicious input is saved by the application (e.g., in a comment, profile, or post).

  • When other users view that page, the malicious JavaScript runs in their browser.

  • Lack of HTML encoding/escaping makes this possible.

  • Proper output encoding and input handling prevent it.

Analogy (Simple Example)

Imagine a guestbook in a hotel lobby.
Anyone can write a message. The hotel displays messages exactly as written.

If a guest writes:

“Hello World!”

…it shows normally.

But if someone writes:

“Whenever someone reads this, switch off the lobby lights.”

…and the hotel staff blindly obeys whatever the message says, the entire lobby would react.

That’s similar to stored XSS—the system treats user input as commands, not text, and those commands activate for every viewer.

🔍 Conceptual Steps of the Exploitation (No technical how-to)

  1. The attacker submits a comment/message/profile field containing script-like content.

  2. The application stores this content without sanitizing or encoding it.

  3. When another user opens the page, the browser receives the stored content as part of HTML.

  4. The browser interprets it as active code, not text.

  5. The attacker’s code executes using the victim’s session context.

Again: The process above is high-level and avoids any actionable exploitation details.

⚠️ Sample Vulnerable Code (Safe, Illustrative Only)

Below is a simplified conceptual example showing why the vulnerability occurs.

❌ Vulnerable (no HTML escaping)

// Imagine this is rendering a stored comment directly into HTML
const comment = database.getComment();  // untrusted
document.getElementById("comments").innerHTML += "<p>" + comment + "</p>";

Problem:

  • The untrusted content is injected into HTML as-is.

  • Browsers treat it as active HTML/JavaScript, not plain text.

🛡️ How to Fix the Issue (Safe, Defensive)

✔️ 1. Output Encode (Escape) User Input

Output it as text, not HTML:

const comment = database.getComment(); // untrusted
const p = document.createElement("p");
p.textContent = comment;  // safely escapes everything
document.getElementById("comments").appendChild(p);

This ensures:

  • <script> becomes harmless text like &lt;script&gt;

  • No browser interpretation as code

✔️ 2. Use Server-Side Escaping (Example: Node.js/Express + Template Engine)

Using EJS/Handlebars/Pug (auto-escaping)

<p>{{comment}}</p>

If manual encoding is required

function escapeHTML(str) {
  return str
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

res.send(`<p>${escapeHTML(comment)}</p>`);

✔️ 3. Implement Content Security Policy (Defense-in-Depth)

Limit execution of inline scripts:

Content-Security-Policy: default-src 'self'; script-src 'self';

CSP does not replace encoding but greatly reduces impact if encoding fails.

🟢 Final Takeaway

Stored XSS happens when a website stores untrusted input and later renders it directly into HTML without encoding.
Fixes rely on ensuring user data is always treated as text, not code.


References:

https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded


Comments

Post a Comment

Popular posts from this blog

SQL Injection Attacks | Shahul Hameed

Image
Lab 1:   SQL injection UNION attack, determining the number of columns returned by the query Introduction      This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.      To solve the lab, determine the number of columns returned by the query by performing an  SQL injection UNION  attack that returns an additional row containing null values. Solutions: Use Burp Suite to intercept and modify the request that sets the product category filter. Modify the  category  parameter, giving it the value  '+UNION+SELECT+NULL-- . Observe that an error occurs. Modify the  ...
Read more

To use emulator(Using NOX emulator): Open Appie Application | Shahul Hameed

Image
To use emulator(Using NOX emulator): Open Appie Application Tools Requirements 1. Appie tool 2. Burp certificate 3. Frida Server Step 1: $ cd C:\Appie\bin\adt\sdk\platform-tools Step 4 – 6 One time steps we have to do for new devices or emulator. Step 2: $ .\adb.exe connect 127.0.0.1:62001 Step 3: $ adb devices Step 4: $ adb push fridasslandroot.js / data/local/tmp Step 5: $ adb shell chmod 777 / data /local/tmp/frida-server Step 6: $ adb push cacert.der /data/local/tmp/cert-der.crt Step 7: Run frida server $ adb shell /data/local/tmp/frida-server & Step 8: Open new tab in APPIE and execute below command: Finally you are unpinned and execute application in rooted mobile. $ frida -U -f <Your-Package-Name> -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus $ frida -U -f com.test.demo -l C:\Appie\bin\adt\sdk\platform-tools\fridasslandroot.js --no-paus
Read more

Pentest - Web Application Vulnerability Scanner | Shahul Hameed

Image
 W eb Application Vulnerability Scanner  Tool Name:  NUCLEI   Description      Nuclei are used to send requests across targets based on a template, leading to zero false positives and providing fast scanning on a large number of hosts. Nuclei offer to scan for a variety of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, Headless, etc. With powerful and flexible templating, Nuclei can be used to model all kinds of security checks.           Nuclei are a fast, template-based vulnerability scanner focusing on extensive configurability , massive extensibility, and ease of use. Installation & Demonstration Usage:      CMD : nuclei -h Step 1:      Download and install before use nuclei Go lang in kali linux      CMD : sudo apt-get update & sudo apt-get upgrade      CMD: sudo apt-get install -y golang Step 2:      Download and in...
Read more