Quiz Entry - updated: 2026.06.20
How does stored server-side XSS work?
The app saves attacker input (e.g. a username) into the database, then later renders it into a page unescaped, so the stored script runs in every visitor's browser.
Example scenario:
-
Attacker registers with username:
<script>alert(1)</script> -
Server stores this in database
-
Server code renders the page:
<p>Hello ${username}!</p>
- When any user views the page, their browser receives:
<p>Hello <script>alert(1)</script>!</p>
- The script executes in every visitor's browser
Impact: Can steal cookies, redirect users, deface pages for ALL users who view the affected page.