W-XSS-STOREDImpact

Stored XSS

Payload persisted server-side and rendered for other users — passive collection of victims, often admin sessions.

§ Where this technique fits

W-XSS-STORED is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 3.5 on average.

§ Dossiers chaining this technique

Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.
step 3 / 6
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
step 4 / 5

§ What commonly comes next

01
Input Capture
T1056 · Collection
seen 1×
02
Steal Web Session Cookie
T1539 · Credential Access
seen 1×

W-XSS-STORED — Stored XSS | Attack Paths

§ Where this technique fits

§ Dossiers chaining this technique

Cloudflare account compromise → Worker rewrite → mass cred theft

Output injection → admin XSS in support panel

§ What commonly comes next