One of the most sought-after attacks by malicious users is a so-called persistent XSS attack. This means that the attacker not only manages to inject code into your web app but this injected code also remains for an extended period of time. Most often, this is achieved by tricking the app into storing the malicious, injected code in a database and then running the code on a page on subsequent visits.
Note
In the following examples, we will break our application by submitting specific inputs to our form. You will need to log in to the database on the VPS afterwards to manually clear these inputs, which leave our app in a broken state.
As our app currently stands, an attacker could carry out a persistent XSS attack by filling out the Category, Date, Latitude, and Longitude fields as usual and using the following for the Description field:
</script><script>alert(1);</script>
This might look a bit strange, but give it a go. You should see the following:
And after you click...
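The payload above works because the stored Description is written straight into the page, and a literal closing script tag ends whatever script block it lands in. The defence is context-aware output encoding at render time. The following is an added example, not the tutorial's own code: it assumes nothing about the app's framework and shows the two encodings that neutralise this exact payload, one for an HTML context and one for a record serialised as JSON inside a script block, plus a check a test suite can run over rendered output.

```javascript
// Added example (not the tutorial's code). Two output-encoding helpers that
// neutralise the stored Description payload, chosen by the render context.

// Context 1: the description is placed inside HTML markup. Escape the five
// characters that can change HTML structure, so "<script>" becomes text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Context 2: the whole record is serialised as JSON inside a <script> block.
// JSON string quoting does not stop the HTML parser from ending the block at
// a literal "</script>", so "<", ">" and "&" (and the JS line terminators
// U+2028/U+2029) are emitted as \uXXXX escapes, which JSON.parse still reads.
function jsonForScript(obj) {
  return JSON.stringify(obj).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample record using the Description payload from the text above.
const PAYLOAD = '</script><script>alert(1);</script>';
const sample = { category: 'Sighting', description: PAYLOAD };

// Rendering a record in each context.
function renderHtml(record) {
  return '<p class="desc">' + escapeHtml(record.description) + '</p>';
}
function renderScript(record) {
  return '<script>var record = ' + jsonForScript(record) + ';</script>';
}

// Regression check: count raw closing script tags in rendered markup. An HTML
// fragment should contain none; a script block should contain exactly one
// (its own legitimate closing tag), never one contributed by stored data.
function closingScriptTagCount(markup) {
  return (markup.match(/<\/script/gi) || []).length;
}

console.log(renderHtml(sample));
console.log(renderScript(sample));
console.log('html breakouts:', closingScriptTagCount(renderHtml(sample)));
console.log('script closers:', closingScriptTagCount(renderScript(sample)));
```

Apply the encoding at the template layer rather than on input, so the stored value stays intact for the database and the encoding always matches the context it is rendered into.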