AI Generated Summary
The talk addresses stored cross-site scripting (XSS), identified as one of the most dangerous and widespread application-layer attacks. The core mechanism involves an attacker injecting a malicious script into a web application’s input fields, such as a message posting form. This script is then permanently stored in the server’s database.
When a legitimate user subsequently visits the compromised page, the server delivers the stored malicious script along with the legitimate content. The user’s browser executes this script within the trusted context of the vulnerable website. The presentation demonstrated this flow: an attacker successfully posts a message containing a script tag, which is then rendered and executed for all subsequent viewers of that page. Once running, the script could steal session cookies, redirect users, or perform actions on their behalf.
The key technical distinction highlighted is between stored XSS and other variants like reflected XSS, emphasizing that stored attacks persist on the server and affect every user who accesses the contaminated resource until the data is removed or the vulnerability is patched.
Practical implications stress the critical need for robust input validation and, more importantly, context-aware output encoding on the server side before any user-supplied data is rendered in a browser. Developers must treat all stored data as untrusted and apply appropriate encoding based on the output context (e.g., HTML, JavaScript, URL). Failure to implement these defenses allows an attacker to weaponize a single submission to compromise multiple users over time.
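The context-aware encoding described above, sketched as an added example that is not taken from the talk: one stored value is rendered into HTML, a URL parameter, and an inline script, each with its own encoder. The function names and the sample message are constructed for illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed sample of a stored message, as it might come back from the database.
STORED = '</script><script>alert(1)</script>" onmouseover="x'

def for_html(value: str) -> str:
    """Encode for HTML element content and quoted attribute values."""
    return html.escape(value, quote=True)

def for_js_string(value: str) -> str:
    """Encode as a JavaScript string literal that is safe inside an inline <script>."""
    literal = json.dumps(value)  # handles quotes, backslashes, control characters
    # json.dumps leaves <, > and & untouched, so "</script>" would still end the block.
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal

def for_url_param(value: str) -> str:
    """Percent-encode for use as a single query-string parameter value."""
    return quote(value, safe="")

def render(message: str) -> str:
    """Place the same stored value into three contexts, each with its own encoder."""
    return (
        f'<p title="{for_html(message)}">{for_html(message)}</p>\n'
        f'<a href="/search?q={for_url_param(message)}">search</a>\n'
        f'<script>var msg = {for_js_string(message)};</script>'
    )

if __name__ == "__main__":
    print(render(STORED))
```

HTML encoding alone would not protect the script context, and JSON quoting alone would not protect the HTML context, which is why the encoder is chosen per output location rather than once at input time.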