TMCnet Feature
August 18, 2022

Preventing Stored XSS in Web and Mobile Applications

Hackers have made web and mobile applications a major target because of their huge user base and many points of vulnerability. As more cybersecurity measures are implemented to address these attacks, hackers develop new ways to inflict harm. One of their most effective attack techniques is cross-site scripting, also known as XSS.

Cross-site scripting is the act of placing malicious executable scripts in the code of a trustworthy website or application. XSS attacks are usually initiated by sending a suspicious link to an unsuspecting user and tricking them into clicking on it. When clicked, the link causes the victim's browser to execute the code as the hacker intended, stealing the user's active session cookie, personal data, or other valuable information. There is a more advanced form of cross-site scripting called stored XSS, which is popular among hackers.

What Is Stored XSS?

You may be wondering, "what is stored XSS?" It follows the same underlying principle as cross-site scripting in general, but it only works on applications built to store user input. Hackers inject their malicious code through requests they make to the application. When the application receives such a request, the injected code is saved in its database or on its server. The fact that the malicious code remains stored on the server is why it is called stored XSS.

How Does Stored XSS Work?

Apps like Quora, Reddit, or other online forums allow users to post content and comments that many internet users will view. Hackers can target them and find out whether they have any protection against stored XSS. If they do not, hackers can plant their malicious JavaScript code in the application just by writing it as a comment. That code is then embedded in the web page. Whenever anyone visits that page, the browser on their device will interpret the malicious comment as JavaScript code instead of normal text.

Once the browser on a user's device parses the code, it executes whatever the hacker instructed. Unfortunately, this happens to everyone who visits that web page until the app developer notices and takes mitigation measures. Organizations should aggressively prevent this and secure their users' data while they use the app.

Can Stored XSS Be Prevented?

There are many steps developers can take to ensure mobile app security. In this case, they should develop their applications in ways that allow them to scan and detect malicious code in user input in real time. XSS payloads mostly come in the same format, usually containing the <script> string. Developers should make their applications' input validation reject user input that includes that string.

They should also restrict the characters users can enter into the app to alphanumerics and characters that have no special meaning in code. They can also encode potentially malicious characters so that the browser interprets them as plain text instead of code. Some developers also use web application firewalls to bolster their app security and block XSS attacks as soon as they occur.
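The three defences just described, put together in a minimal comment feature as an added example (not code from the article or from any of the apps it names): the `<script>` rejection and the character allowlist act as input-side filters, while HTML-encoding at render time is what actually keeps the browser from treating a stored comment as code. The in-memory `commentStore` stands in for the application's database and is constructed for this example.

```javascript
// Input-side check from the text: does the submission contain a <script> tag?
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;

// Allowlist for short fields such as usernames: letters, digits, space and a
// few punctuation marks with no meaning in HTML or JavaScript.
const ALLOWED_CHARS = /^[A-Za-z0-9 .,!?'-]*$/;

// In-memory stand-in for the application's database (constructed for this example).
const commentStore = [];

// Output encoding: replace the characters that change meaning in HTML so the
// browser renders them as literal text rather than markup or script.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function containsScriptTag(text) {
  return SCRIPT_TAG.test(text);
}

function isAllowlisted(text) {
  return ALLOWED_CHARS.test(text);
}

// Store a comment. Returns false, storing nothing, when a filter rejects it.
// The raw text is stored; it is never turned into HTML before rendering.
function submitComment(author, body) {
  if (!isAllowlisted(author) || containsScriptTag(body)) return false;
  commentStore.push({ author, body });
  return true;
}

// Build the HTML fragment shown to every visitor. Encoding happens here, at the
// boundary between stored data and the browser, for every field every time.
function renderComments() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}
```

A comment such as `I <3 this & that` is accepted and stored as typed, but reaches the page as `I &lt;3 this &amp; that`, which the browser displays verbatim.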

Stored XSS can be problematic and dangerous on a large scale, especially if the application it is injected into experiences high traffic. App developers should do all they can to prevent it from occurring in the first place. Fortunately, there are viable steps for doing so, which include blocking the attacks in real time and removing already stored XSS payloads.
