Stored XSS in Admin Dashboard
A stored cross-site scripting vulnerability in an administrative messaging component allowed attacker-supplied payloads to persist in storage and execute in the browser of any reviewing administrator. This writeup documents discovery, a non-destructive proof of concept, business impact, and the remediation pattern recommended to the affected team.
Executive Summary
A stored XSS condition allowed unauthenticated user input to be saved and rendered in an administrative context. When an administrator opened the affected view, attacker-controlled JavaScript executed in the admin's session, enabling potential session-token theft, account takeover, and pivot into privileged functionality.
Severity was rated High based on privileged execution context, no required user interaction beyond opening the inbox, and the absence of a mitigating Content Security Policy.
Methodology
Testing combined manual input-validation checks with proxy-based inspection (Burp Suite Pro) and targeted automated scanning. The vulnerable parameter surfaced when reviewing inconsistent output encoding between the user-facing rendering path and the admin review path.
- Mapped all input vectors that flow into administrative views.
- Submitted benign canary strings to identify reflective vs. persistent rendering.
- Used Burp Repeater to refine encoding-bypass payloads against the admin renderer.
- Validated execution via a non-destructive payload reporting only its origin and DOM context.
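The encoding comparison behind the methodology above, as an added example that is not part of the original writeup: given the response bodies from the user-facing render path and the admin review path, classify how a unique canary came back from each, locate the DOM context of a raw render, and flag the mismatch. Both response bodies, the canary token and the CSS class names are constructed for illustration.

```javascript
// Added example (not from the original writeup): classify how a unique canary
// survives each rendering path and flag the user/admin encoding mismatch.
// The canary token, class names and both response bodies are constructed.

const CANARY_TOKEN = "zx9q7canary";        // unique, greppable marker
const CANARY = `<"'${CANARY_TOKEN}`;       // HTML, attribute and JS metacharacters

function htmlEncode(s) {
  const map = { "<": "&lt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[<"']/g, c => map[c]);
}

// How did the canary survive rendering?
//   "raw"          verbatim: this path is injectable
//   "html-encoded" metacharacters became entities (safe in HTML text/attributes)
//   "transformed"  token present but metacharacters changed some other way
//   "absent"       the value never reached this view
function classifyCanary(body) {
  if (!body.includes(CANARY_TOKEN)) return "absent";
  if (body.includes(CANARY)) return "raw";
  if (body.includes(htmlEncode(CANARY))) return "html-encoded";
  return "transformed";
}

// Where in the markup does a raw canary land? Scan the text before it.
//   "script"    inside a <script> block (needs JS-string encoding)
//   "tag"       inside an open tag, i.e. attribute context
//   "html-text" ordinary element text
function renderContext(body) {
  const at = body.indexOf(CANARY);
  if (at < 0) return null;
  const before = body.slice(0, at);
  const lower = before.toLowerCase();
  if (lower.lastIndexOf("<script") > lower.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "tag";
  return "html-text";
}

// Compare the two paths. A mismatch with a raw admin render is exactly the
// stored-XSS condition described: safe for the user, unsafe for the admin.
function compareRenderPaths(userBody, adminBody) {
  const user = classifyCanary(userBody);
  const admin = classifyCanary(adminBody);
  return {
    user,
    admin,
    mismatch: user !== admin,
    adminInjectable: admin === "raw",
    adminContext: admin === "raw" ? renderContext(adminBody) : null,
  };
}

// Constructed sample responses: the public page encodes, the admin inbox does not.
const USER_RESPONSE = `<div class="msg">&lt;&quot;&#x27;${CANARY_TOKEN}</div>`;
const ADMIN_RESPONSE =
  `<tr><td class="from">guest</td><td class="preview"><"'${CANARY_TOKEN}</td></tr>`;

console.log(compareRenderPaths(USER_RESPONSE, ADMIN_RESPONSE));
// → { user: 'html-encoded', admin: 'raw', mismatch: true, adminInjectable: true, adminContext: 'html-text' }
```

In practice the two bodies come from Burp Repeater responses for the same stored message; the canary is chosen so that a `raw` result in the admin path is unambiguous before any real payload is tried.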
Proof of Concept (Non-Destructive)
A safe proof-of-concept payload was used to confirm persistence and execution in the admin view. The payload only triggered an in-page beacon — no data was exfiltrated and no destructive actions were performed. A representative shape of the test payload:
<img src=x onerror="fetch('/lab/beacon?ctx='+document.domain)">
The beacon confirmed execution under the admin origin. Because HttpOnly was not set on the affected session cookie, document.cookie was readable from the same page context, compounding the issue.
Impact
- Administrator session theft and full account takeover.
- Privileged action execution in the admin context (user enumeration, privilege grants, data export).
- Phishing pivots from a trusted administrative origin.
- Long-lived persistence — payloads remained active until manual purge.
Remediation
- Apply context-appropriate output encoding (HTML-encode content rendered in HTML context; JS-encode content rendered into JavaScript).
- Centralize rendering through a single, audited template helper to prevent future inconsistency.
- Harden cookies: HttpOnly, Secure, and SameSite=Lax at minimum.
- Deploy a strict Content Security Policy to constrain script execution and disable inline event handlers.
- Sweep stored content for prior payloads and purge before redeploy.
Responsible Disclosure
If this matches an active issue in your environment, contact me directly to coordinate responsible disclosure. Full technical artifacts (refined payload chain, CSP test matrix, post-fix verification plan) are shared under NDA.