Persistent XSS vs SQL Injections

Posted on January 20, 2021

What Is Persistent XSS?

Persistent XSS, also known as persistent cross-site scripting, is a way to inject code into a site's database. It occurs when areas of the code that communicate with the database, called parameters, don't perform proper security checks on the input they receive. The injected code is then served to people who later view the affected page.

You might be thinking that this sounds a lot like SQL injection, and while there are similarities, there are also differences. We have one awesome example of persistent XSS art by a grey hat hacker we interviewed. He demonstrated how he put pages onto a site that wasn't his, allowing file uploads among other things. XSS can be a method to deliver malicious code into a site, or it can be used for non-malicious purposes such as creating harmless pop-ups.

What is the difference between SQL injection and Persistent XSS?

SQL injections use the SQL language, while XSS generally uses JavaScript. That's one main difference. Persistent XSS can get saved to a database or stored in a file, and the effects of these two differ slightly. SQL injections target the data stored in the database, usually in an attempt to steal, alter or modify that data.

Persistent XSS can also end up stored in a database as added code, but the use cases are different. XSS can add malware onto your device or trick you into submitting data through a form, among other things. SQL injections, as detailed above, are more focused on stealing straight from the database.
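
The difference described above shows up in where each defense sits. The following is an added example, not code from the original post: it assumes a hypothetical comments table and hypothetical function names, and uses constructed sample input. A parameterized query keeps input from being treated as SQL, yet the same input is stored verbatim and still becomes live script unless it is HTML-encoded when the page is rendered.

```python
import html
import sqlite3

# Constructed sample input (not from the post): an author name containing SQL
# metacharacters and a comment body containing script markup.
SAMPLE_AUTHOR = "x' OR '1'='1"
SAMPLE_COMMENT = "<script>alert('hi')</script>"


def open_db():
    # Hypothetical schema for a comment feature, held in memory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db


def save_comment(db, author, body):
    # SQL injection defense: placeholders bind input as data, never as SQL.
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))


def render_unsafe(db):
    # Weak: stored text is pasted into HTML as-is, so stored markup reaches
    # every later visitor's browser as script (persistent XSS).
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in rows)


def render_safe(db):
    # Persistent XSS defense: HTML-encode stored values at output time.
    rows = db.execute("SELECT author, body FROM comments").fetchall()
    return "".join(
        f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows
    )


def demo():
    db = open_db()
    save_comment(db, SAMPLE_AUTHOR, SAMPLE_COMMENT)
    stored = db.execute("SELECT author, body FROM comments").fetchall()
    return stored, render_unsafe(db), render_safe(db)


if __name__ == "__main__":
    stored, unsafe, safe = demo()
    print("stored row :", stored)
    print("unsafe HTML:", unsafe)
    print("safe HTML  :", safe)
```

The stored row is identical to the input in both cases; only the rendering step decides whether a browser treats it as text or as code.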