CAPEC-592

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: Very High
Stored XSS

Description

An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.

Prerequisites

An application that leverages a client-side web browser with scripting enabled.

An application that fails to adequately sanitize or encode untrusted input.

An application that stores information provided by the user in data storage of some kind.

Mitigations

Use browser technologies that do not allow client-side scripting.

Utilize strict type, character, and encoding enforcement.

Ensure that all user-supplied input is validated before being stored.

Skills Required

[Medium] Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.