Stored XSS occurs when malicious input is saved on the server and executed every time a user loads the affected page.
Write-Up by Aditya Bhatt | Stored XSS | HTML Injection | BurpSuite
This PortSwigger lab contains a stored XSS vulnerability inside the blog’s comment functionality. Since nothing is encoded or sanitized, any JavaScript inside the comment body gets stored on the server and executed whenever any user views the blog post.
We’ll craft a payload, store it via the comment form, return to the main blog page, and watch the JavaScript execute.
🧪 TL;DR
- Comment input is written directly into the page's HTML context
- No filtering / sanitization / encoding
- Payload gets stored + executed on page load
- Final payload: `<script>alert(1)</script>`
- Submit comment → Go back to blog → Alert fires → Lab Solved 🎉
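
The missing control behind this lab is output encoding. The sketch below is an added example, not code from the lab or from this write-up: it renders a stored comment with and without HTML encoding and sweeps stored comments for tag-like content. The function names and the sample comments are constructed for illustration.

```javascript
// Added example. Names and sample comments are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can change how the browser parses HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored body is concatenated into markup unchanged.
function renderCommentUnsafe(comment) {
  return `<section class="comment"><p>${comment.author}</p><p>${comment.body}</p></section>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderCommentSafe(comment) {
  return '<section class="comment"><p>' + escapeHtml(comment.author) +
    '</p><p>' + escapeHtml(comment.body) + '</p></section>';
}

// Heuristic sweep of already-stored comments: flag bodies that contain a
// tag-like sequence so they can be reviewed after the rendering fix ships.
function findSuspectComments(comments) {
  const tagLike = /<\s*\/?\s*[a-z!]/i;
  return comments.filter((c) => tagLike.test(c.body)).map((c) => c.id);
}

// Constructed sample data: one benign comment and the payload from this write-up.
const storedComments = [
  { id: 1, author: 'alice', body: 'Nice post, 1 < 2 & true' },
  { id: 2, author: 'bob', body: '<script>alert(1)</script>' },
];

for (const c of storedComments) console.log(renderCommentSafe(c));
console.log('needs review:', findSuspectComments(storedComments));
```

Encoding at output time keeps the benign comment readable while the stored payload is displayed as text instead of being parsed as a script element.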