Stored XSS

I browsed this website: https://www.edilportale.com, an Italian web portal on construction, and found that it was vulnerable to reflected XSS, as seen in the image.

Reflected XSS

I also noticed the forum section: here too there was a reflected XSS vulnerability, as seen in the image, so I tried for a stored XSS.

Reflected XSS (forum)

I created a temporary email address to register on the website, then completed the registration phase.

Registration

After this, I created a topic in the forum following the necessary steps, inserting the attack vector in both the topic title and the message body.

Creation of the topic

After flagging the subject of the discussion and confirming the publication by clicking on a link sent to my temporary email, I finally managed to inject my XSS attack vector into the forum.

Subject flag

Here is my topic.

XSS topic

Now, by refreshing the forum page, the effect of the XSS is publicly visible and all users are affected.

Stored XSS

Of course, the "danger" of an XSS vulnerability, whether reflected or stored, is the same: what changes is the scope of the attack. The link for a reflected XSS attack must be sent manually, in the hope that the victim clicks it; with a stored XSS, on the other hand, it is enough for the victim to browse the infected webpage to suffer the attack. Potentially, many more victims can be attacked, and it is certainly much cooler.
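To make the reflected/stored distinction concrete from the defender's side, here is an added example (not code from the original post or from the site) modelling the forum rendering path: a topic whose title and body are persisted and concatenated into markup unescaped is served to every visitor, while contextual output encoding closes the bug. All names, the in-memory store and the probe strings are constructed for the example.

```javascript
// Constructed in-memory stand-in for the forum database.
const TOPICS = [];

// Output encoding for HTML text-node and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering: untrusted title and body are concatenated
// straight into the page, the behaviour the post describes.
function renderTopicUnsafe(topic) {
  return `<h2>${topic.title}</h2><div class="body">${topic.body}</div>`;
}

// Hardened rendering: every untrusted field is encoded for its context.
function renderTopicSafe(topic) {
  return `<h2>${escapeHtml(topic.title)}</h2>` +
    `<div class="body">${escapeHtml(topic.body)}</div>`;
}

// Persisting the topic is what makes the bug "stored": from now on the
// payload is served to every visitor, not only to whoever clicked a link.
function createTopic(title, body) {
  const topic = { id: TOPICS.length + 1, title, body };
  TOPICS.push(topic);
  return topic;
}

// Renders the whole forum page as an arbitrary visitor would receive it.
function renderForum(render) {
  return TOPICS.map(render).join("\n");
}

// Simple regression check for a test suite: does any user-supplied markup
// survive as a live tag in the rendered page?
function containsRawTag(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html);
}

// Usage: a constructed probe string stands in for the attack vector.
const probe = createTopic("<script>probe()</script>", "hello <b>world</b>");
console.log(containsRawTag(renderForum(renderTopicUnsafe))); // true
console.log(containsRawTag(renderForum(renderTopicSafe)));   // false
```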

The owners of the website have now patched the vulnerability, thanks to my report.
