CAPEC-592
Description
An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.
Prerequisites
An application that leverages a client-side web browser with scripting enabled.
An application that fails to adequately sanitize or encode untrusted input.
An application that stores information provided by the user in data storage of some kind.
Mitigations
Use browser technologies that do not allow client-side scripting.
Utilize strict type, character, and encoding enforcement.
Ensure that all user-supplied input is validated before being stored.
Skills Required
[Medium] Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.