Delayed Cross-Site Scripting Overview
Delayed XSS vulnerabilities are a variant of stored cross-site scripting vulnerabilities. They occur when attacker-controlled input is saved by the server and later displayed in another application with a different origin.
Often, when testing for client-side injections (HTML/JS/etc.), security engineers look only for where the injection is rendered within the application they are testing. While this provides ample coverage for the application in scope, the code the engineers inject may also be reflected back in a completely separate application. Have a look at the following diagram:
We can see that the security tester has injected an XSS payload into the App #1 server, but the payload actually rendered in a completely separate application, one the tester cannot reach because of network restrictions. Without a way for the payload to call back to the security tester, they may never know that it executed.
A more concrete example would be the signup form of an eCommerce website. One can imagine a field such as "First Name" that gets reflected back throughout the eCommerce website. But what about the helpdesk application used when a customer has a question? That first-name field may also be reflected in the helpdesk application, and it could be rendered there in an unsafe way that is vulnerable to cross-site scripting.
By leveraging Sleepy Puppy, we can establish a mechanism for collecting useful metadata when a payload executes, regardless of origin or access restrictions.
Delayed cross-site scripting testing lets you cover a deeper scope and breadth of the data flow behind an endpoint.
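The data flow above, as an added example that is not part of Sleepy Puppy or this wiki: two applications with different origins read the same stored first name, the storefront encodes it on output while the helpdesk does not, and a harmless, unique trace marker is used to check every consumer for unencoded output. The store, the render functions and the marker value are all constructed for illustration.

```python
import html
from dataclasses import dataclass, field


@dataclass
class SharedUserStore:
    """Stand-in for the database both applications read from (constructed)."""
    records: dict = field(default_factory=dict)

    def signup(self, user_id: str, first_name: str) -> None:
        # Saved verbatim, as the page describes: the input is stored, not sanitised.
        self.records[user_id] = {"first_name": first_name}


def render_storefront_greeting(store: SharedUserStore, user_id: str) -> str:
    """App #1: the page the tester can see. Output is HTML-encoded."""
    name = store.records[user_id]["first_name"]
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_helpdesk_ticket_unsafe(store: SharedUserStore, user_id: str) -> str:
    """App #2 (different origin, not reachable by the tester).
    Interpolates the stored value into HTML without encoding."""
    name = store.records[user_id]["first_name"]
    return f'<td class="customer">{name}</td>'


def render_helpdesk_ticket_fixed(store: SharedUserStore, user_id: str) -> str:
    """App #2 after the fix: encode at the point of output in every consumer."""
    name = store.records[user_id]["first_name"]
    return f'<td class="customer">{html.escape(name, quote=True)}</td>'


def marker_survives_unencoded(rendered_html: str, marker: str) -> bool:
    """A unique marker containing angle brackets must never appear verbatim
    in rendered HTML; if it does, that consumer is not encoding the value."""
    return marker in rendered_html


# Constructed trace value: unique, inert, and easy to search for downstream.
TRACE_MARKER = "<dxss-trace-8f3a>"


def trace_first_name_flow() -> dict:
    """Signs up with the marker and checks each consumer of the stored value."""
    store = SharedUserStore()
    store.signup("u42", TRACE_MARKER)
    return {
        "storefront": marker_survives_unencoded(render_storefront_greeting(store, "u42"), TRACE_MARKER),
        "helpdesk_unsafe": marker_survives_unencoded(render_helpdesk_ticket_unsafe(store, "u42"), TRACE_MARKER),
        "helpdesk_fixed": marker_survives_unencoded(render_helpdesk_ticket_fixed(store, "u42"), TRACE_MARKER),
    }
```

Only the unfixed helpdesk renderer lets the marker through, which is exactly the consumer a test scoped to App #1 alone would never see.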