
CompTIA Security+ (Plus): What Vulnerability Allows a Script to Run Every Time Someone Views Web App’s Comments?

What is stored XSS and how does it differ from reflected XSS? Learn how stored cross-site scripting allows persistent malicious scripts in web applications, a critical topic for CompTIA Security+ (Plus) SY0-701 exam success.


Question

An attacker injects the following payload into a web app’s comment section:

<script>alert('Hacked!');</script>

The script runs every time someone views the comments. What vulnerability is this?

A. Reflected XSS
B. Stored XSS
C. SQL injection
D. CSRF
E. XML injection

Answer

B. Stored XSS

Explanation

Unlike reflected XSS, which requires user interaction (e.g., clicking a crafted link), stored XSS persists: the application saves the malicious script (typically in a database) and serves it back to every visitor, so it runs whenever the page loads.

The vulnerability exploited when an attacker injects <script>alert('Hacked!');</script> into a web app's comment section, causing the script to run every time someone views the comments, is stored cross-site scripting (stored XSS).

Stored XSS (also known as persistent XSS) occurs when user-supplied data is stored by the application (commonly in a database) and later included in web pages sent to other users, without proper sanitization or encoding.

In this scenario, the attacker submits a comment containing a malicious script. The application saves this comment and displays it to all users who visit the page. Each time the page loads, the browser executes the embedded script, enabling the attacker to steal session cookies, hijack accounts, or perform other malicious actions.

Unlike reflected XSS, which requires the victim to interact with a specially crafted link or request, stored XSS is triggered automatically for every user who views the affected page, making it more dangerous and far-reaching.

Stored XSS is particularly severe in applications where user-generated content is widely displayed, such as forums, blogs, or social media platforms.

Stored XSS allows attackers to inject malicious scripts into content that is stored by the application and executed in users’ browsers every time the affected page is viewed, making it a highly dangerous web vulnerability.
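The explanation above contrasts a comment section that echoes stored input verbatim with one that encodes it on output. The following is an added example, not code from the original page: the comment store and both render functions are constructed to show the two paths side by side, using the payload from the question as the stored comment.

```python
import html

# Constructed sample comment store standing in for the application's database.
# The first entry is the payload from the question; the second is a benign comment.
COMMENTS = [
    "<script>alert('Hacked!');</script>",
    "Great post, thanks!",
]


def render_comments_vulnerable(comments):
    """Builds the comment list by concatenating stored text verbatim.
    Whatever was stored, markup included, lands in the page unchanged, so a
    stored <script> executes in every viewer's browser: stored XSS."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f'<ul id="comments">{items}</ul>'


def render_comments_safe(comments):
    """Same page structure, but every comment is HTML-encoded at output time
    (the 'proper sanitization or encoding' step named in the explanation).
    quote=True also encodes ' and ", so the text is inert inside attributes."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f'<ul id="comments">{items}</ul>'


def contains_live_script(rendered_html):
    """Coarse check usable in a unit test or a response-review step: does the
    rendered page still carry an unencoded <script> tag? This is a heuristic
    for spotting a regression; the actual control is the output encoding."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_comments_vulnerable),
                         ("safe", render_comments_safe)):
        page = render(COMMENTS)
        print(f"{name}: live script present = {contains_live_script(page)}")
        print("   " + page)
```

The encoded output still displays the attacker's text literally to readers, which is the intended behaviour: the browser shows `<script>` as characters rather than parsing it as markup.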
