/vulndb/Persistent Cross-site Scripting

Cross-site scripting (XSS) is a type of web application security vulnerability that allows malicious web users to inject code into the web pages viewed by other users. Stored Cross-site Scripting is a type of XSS where the injected content is permanently stored on the web server/application. Whenever a user requests an infected page from the server, the payload is delivered embedded in the response, so it is executed without any user intervention.

An attacker can use stored XSS to deliver the malicious payload just once and have it executed whenever the infected page is loaded. This is used as a building block of web worms, which use social-network mechanics to spread a malicious payload to many victims in the shortest time possible.

Solution

As with every other code injection attack, you should sanitize user input for special characters such as <, >, and single and double quotes.
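
The following is an added example, not part of the original entry: a constructed in-memory comment store rendered once without and once with escaping of the characters named above. All function and variable names are hypothetical; the example escapes at the point where the stored value is written into the HTML response and also escapes &, both of which are choices made for this example.

```javascript
// Constructed stand-in for the application's database (hypothetical).
const comments = [];

// The payload is submitted once here and then served on every page load.
function storeComment(author, body) {
  comments.push({ author, body });
}

// Map of the special characters to their HTML entities. A single-pass
// replace avoids re-escaping the '&' that the entities themselves contain.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored fields are concatenated into the response as markup.
// The author lands in an attribute, the body in element content.
function renderPageUnsafe() {
  return comments
    .map((c) => `<li title="${c.author}">${c.body}</li>`)
    .join('\n');
}

// Hardened: every stored field is escaped before it reaches the response,
// so the browser treats it as text instead of tags or attributes.
function renderPageSafe() {
  return comments
    .map((c) => `<li title="${escapeHtml(c.author)}">${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Constructed sample input: one ordinary comment, one carrying a script
// tag in the body, one carrying a double quote in the author field.
storeComment('alice', "Nice post, it's helpful!");
storeComment('mallory', '<script>alert(1)</script>');
storeComment('x" onmouseover="alert(1)', 'hello');

console.log('--- unsafe ---\n' + renderPageUnsafe());
console.log('--- safe ---\n' + renderPageSafe());
```

In the unsafe output the second and third entries change the structure of the page; in the safe output the same stored values appear only as inert text.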

Caveats

A reflected XSS payload may not work in every browser due to various XSS protection mechanisms. However, a stored XSS payload escapes browser XSS protection enhancements more easily, since they are usually designed to detect suspicious payloads in the URL parameters.

References

http://en.wikipedia.org/wiki/Cross-site_scripting