Documentation - Stored XSS

Prerequisites

To understand the whole article, you need to:

  • Know HTML
  • Know the basics of PHP and JavaScript
  • Know what an XSS is

Definition

A stored XSS is possible when user input is stored in a database and later displayed on a page without being encoded. A forum page is a typical example.

Explanation of the vulnerability

Let’s take as an example a forum page that displays the posted messages.

Here is the part of the PHP code that displays the messages:

<?php
// Connection to the database (the DSN and credentials are placeholders)
$database = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD');

// Retrieving information through an SQL query
$request = $database->query('SELECT user, message FROM messages ORDER BY id DESC LIMIT 0, 5');

// Display of messages: user and message are written into the HTML exactly as stored
while ($data = $request->fetch()) {
    echo "<p>" . $data['user'] . ": " . $data['message'] . "</p>";
}

The interesting part of this code is the echo statement, which writes the nicknames and messages into the page without any encoding. This allows a user to enter tags that will later be interpreted by the browser.

For example, if we try to inject <b>hello</b>, the rendering on the page will be hello in bold.

The browser interprets the tags that echo writes out. You might ask why it is dangerous for a user to send a bold message: if the page interprets b tags, it will also interpret script tags.
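The following is an added example, not code from the original article: the vulnerable loop from the article next to a version that HTML-encodes every value coming from the database. The rows are constructed sample data standing in for what the SQL query would return, and the function names (render_unsafe, render_safe, e) are assumptions for this example.

```php
<?php
// Added example, not part of the original article. Constructed sample rows
// stand in for the result of the SELECT query; the third one carries the
// payload the article describes.
$rows = [
    ['user' => 'alice',   'message' => 'Hi everyone'],
    ['user' => 'bob',     'message' => '<b>hello</b>'],
    ['user' => 'mallory', 'message' => '<script>alert()</script>'],
];

// Vulnerable rendering: the article's loop, stored tags reach the browser as markup.
function render_unsafe(array $rows): string {
    $html = '';
    foreach ($rows as $data) {
        $html .= "<p>" . $data['user'] . ": " . $data['message'] . "</p>";
    }
    return $html;
}

// Output encoding for an HTML body context: < > & " ' become entities,
// so the browser shows them as text instead of parsing them as tags.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value is encoded at the point of output.
function render_safe(array $rows): string {
    $html = '';
    foreach ($rows as $data) {
        $html .= "<p>" . e($data['user']) . ": " . e($data['message']) . "</p>";
    }
    return $html;
}

echo "Unsafe output:\n" . render_unsafe($rows) . "\n\n";
echo "Encoded output:\n" . render_safe($rows) . "\n";
// In the encoded output the third row appears as
// &lt;script&gt;alert()&lt;/script&gt;, which the browser displays literally.
```

Run it with `php stored_xss_demo.php` and compare the two outputs: the fix is applied where the data leaves the server and enters HTML, not where it is received, since the same stored value may be shown in several places. htmlspecialchars with ENT_QUOTES is the right encoder for text inside an HTML element or a quoted attribute; values placed inside a script block, a URL or a CSS rule need a context-specific encoder instead.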

Exploitation

Now that the page interprets our tags, we can move on to exploitation. If we enter <script>alert()</script>, the script is executed every time the page is loaded and the alert is displayed. From the moment we can execute JavaScript in other users' browsers, we can, for example, retrieve their cookies.
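As an added example that is not part of the original article, the PHP below limits what an injected script can do even if an encoding step is missed: the session cookie is marked HttpOnly so document.cookie cannot read it, and a Content-Security-Policy header refuses inline scripts such as the <script>alert()</script> payload above. The header values are one reasonable baseline, not settings taken from the article.

```php
<?php
// Added example, not part of the original article. Defence in depth for the
// forum page: run this before any output is sent.

// Session cookie flags: HttpOnly keeps the cookie out of reach of JavaScript,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Content Security Policy: inline scripts are blocked because no
// 'unsafe-inline' keyword is present; only scripts from this origin run.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

echo "<p>Session cookie and CSP configured.</p>";
```

These headers do not replace output encoding; a stored payload that is never encoded is still a bug. They reduce the impact while the encoding fix is deployed, and the CSP violation reports browsers emit are a useful signal that something unencoded reached the page.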

References