Home > CAPEC List > CAPEC-592: Stored XSS (Version 2.11)  

CAPEC-592: Stored XSS

Stored XSS
Definition in a New Window Definition in a New Window
Attack Pattern ID: 592
Abstraction: Detailed
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

This type of attack is a form of Cross-site Scripting (XSS) where a malicious script is persistenly “stored” within the data storage of a vulnerable web application. Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

+ Attack Prerequisites
  • An application that leverages a client-side web browser with scripting enabled.

  • An application that fails to adequately sanitize or encode untrusted input.

  • An application that stores information provided by the user in data storage of some kind.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

If this weakness is present in an application, then there is a high likelihood that it will be found and exploited. The prevelance of automated dynamic analysis tools (e.g., fuzzers) have made identifying weaknesses like these achievable by even the most basic adversary. Once identified, this type of weakness can often be exploited with minimal trial and error.

+ Examples-Instances


An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.


An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of his message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.

+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Probing Techniques

Locate system capabilities within a web application that store user-supplied information without proper encoding or sanitization

+ Solutions and Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize strict type, character, and encoding enforcement.

Ensure that all user-supplied input is validated before being stored.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Read files or directories
A successful Stored XSS attack can enable an adversary to exfiltrate sensitive information from the application.
Gain privileges / assume identity
A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.
Execute unauthorized code or commands
A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.
Modify memory
Modify files or directories
Modify application data
A successful Stored XSS attack can allow an adversary to tamper with application data.
+ Technical Context
Architectural Paradigms
+ Content History
CAPEC Content TeamThe MITRE Corporation2017-04-15Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017