Stored XSS


Stored code injections are attacks in which malicious code (such as JavaScript) is injected into the application and stored in the database, to be executed later. Stored XSS is one such attack: the XSS vulnerability originates from the database, because malicious code was previously inserted into it.


Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

To effectively prevent XSS vulnerabilities, use a combination of the following measures:

  • Filter user input on arrival as strictly as possible, based on what you expect as legitimate input.
  • Encode user-controllable data as soon as it is output in HTTP responses to prevent it from being interpreted as active content (i.e. code). Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use the right headers to ensure that browsers interpret the responses the way you intended. For example, to prevent XSS in HTTP responses that are not supposed to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers.
  • Use Content Security Policy (CSP) to reduce the severity of any XSS vulnerability that still occurs.
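
The four measures above applied to a value read back from the database, as an added example that is not part of the original page or the scanner's own code. The function names, the sample row and the CSP string are assumptions chosen for illustration.

```javascript
// Added example: field names, sample values and the CSP string are assumptions.

// Measure 1: filter on arrival with a strict allowlist for the expected input.
function validateDisplayName(input) {
  return typeof input === "string" && /^[\p{L}\p{N} ._-]{1,40}$/u.test(input);
}

// Measure 2, HTML body and quoted-attribute context: encode the significant characters.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Measure 2, data embedded in a <script> element: JSON.stringify alone is not
// enough, because "</script>" inside a string would still close the element.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Render a stored row. Data coming from the database is treated as untrusted,
// even if it was validated when it was first submitted.
function renderComment(row) {
  return `<article data-author="${escapeHtml(row.author)}">` +
    `<p>${escapeHtml(row.body)}</p>` +
    // A JSON data block is not executed, so it works under the CSP below.
    `<script type="application/json">${jsonForScript(row)}</script></article>`;
}

// Measures 3 and 4: explicit content type, no MIME sniffing, restrictive CSP.
function responseHeaders(contentType) {
  return {
    "Content-Type": contentType,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Constructed sample row, as it might come back from the database.
const sampleRow = { author: 'eve" x="', body: "<script>alert(1)</script>" };
console.log(renderComment(sampleRow));
console.log(responseHeaders("text/html; charset=utf-8"));
```
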


CheckId: injection/stored_xss


  • skip_objects: List of objects to be skipped by the security test.


Ignoring this check

"checks": {
  "injection/stored_xss": {
    "skip": true
  }
}

Check with all default options

"checks": {
  "injection/stored_xss": {
    "options": {
      "skip_objects": []
    }
  }
}


  • Escape Severity: HIGH
  • OWASP: A08:2019
  • PCI DSS: 6.5.7
  • CWE
    • 74
    • 79
  • WASC: 8


  • CVSS_SCORE: 7.2