Stored XSS, sitting on the home page
The client came to us two months after finishing a full penetration testing programme with their existing vendor — white box and black box, internal and external, run against OWASP. The whole menu, done properly.
We identified a stored XSS on the home page through manual testing. The alert in the screenshot is ours — a harmless string, put there to show it fires.
Stored XSS lives on the server and runs in the browser of every person who loads the page. Nobody has to click anything. On a pension and finance platform, that means session hijacking, credentials lifted, or a quiet redirect to a page that looks exactly like theirs.
It was on the home page. The first thing every visitor loads. A complete OWASP programme had gone over it two months earlier and not seen it.
