
Stored XSS - Comment Injection

Difficulty: Easy | Category: A03:2021 - XSS | 150 points
Challenge Description

This comment section is vulnerable to Stored Cross-Site Scripting (XSS). Comments are saved to the database and displayed to all users without sanitization.

Your goal is to:

  1. Post a comment containing a malicious script
  2. The script will execute every time any user views the page
  3. Use your payload to "steal" the admin's session when they view comments

Learning Objective: Understand the persistence and impact of stored XSS, and why it's considered more dangerous than reflected XSS.

Simulation: The admin reviews comments every few minutes. When your XSS payload executes in the admin's browser, you'll capture their session.

Admin Session Token: FLAG{ST0R3D_XSS_P3RS1ST3NT}

Post a Comment (Vulnerable)
Comments (3)

Admin - 01/28/2026 20:59

Thanks for the feedback everyone!

Bob - 01/28/2026 18:59

Fast shipping, would recommend.

Alice - 01/28/2026 16:59

Great product! I love it.

Debug Options
Toggle this to see how the comments render with/without XSS protection.
Payload Examples

Common stored XSS payloads:

  • <img src=x onerror=alert(1)>
  • <svg/onload=alert(1)>
  • <marquee onstart=alert(1)>
  • <details open ontoggle=alert(1)>
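To make the "with/without XSS protection" toggle concrete, here is an added example (not the challenge's own code) of a tiny in-memory comment store with the vulnerable renderer the description implies beside a hardened one that HTML-encodes comment text before interpolation; the comment data and the names `postComment`, `renderUnsafe`, `renderSafe`, `escapeHtml` and `containsLiveMarkup` are constructed for illustration.

```javascript
// Added example, not part of the challenge application.
const comments = []; // stands in for the database; shown to every viewer

function postComment(author, body) {
  comments.push({ author, body });
}

// Vulnerable: comment bodies are interpolated into HTML unchanged, so any
// markup one user submitted becomes live markup for every later viewer
// (this is what makes the XSS "stored": it fires on each page view).
function renderUnsafe() {
  return comments.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join("");
}

// Hardened: encode the HTML-significant characters before interpolation,
// so a submitted tag is displayed as literal text instead of being parsed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

function renderSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// Simple check for a review or test suite: does the rendered page contain a
// tag carrying an on*= event-handler attribute (the pattern in the payload
// list above)? Escaped output never matches because it has no literal "<".
function containsLiveMarkup(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample data: a normal comment plus the first payload listed above.
postComment("Alice", "Great product! I love it.");
postComment("mallory", "<img src=x onerror=alert(1)>");

console.log(containsLiveMarkup(renderUnsafe())); // → true
console.log(containsLiveMarkup(renderSafe()));   // → false
```

Output encoding is the fix the debug toggle is demonstrating; escaping on input alone is insufficient because the same stored text may later be rendered in other contexts.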