Stored XSS, also known as persistent XSS, is the more damaging kind of XSS. It occurs when a malicious script is injected directly into a vulnerable web application and served back to other users. Due to a sanitization problem it is possible to perform both a stored XSS and a stored HTML injection here.
Thanks to this attack it is possible to disable the history page, making it unusable (for example, I created a transparent page on top of it with an infinite redirect), or it is possible to create a stored XSS.
The problem is that the markdown input is sanitized in the Test Plan view, but it is not sanitized by the history page. On the history page the stored markup is rendered as-is, so the script will run.
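As an added illustration of the fix (not code from the affected project), the following Python sketch shows the kind of allowlist sanitizer that the Test Plan view and the history view must share; the tag and attribute allowlist, the safe URL schemes and the two render function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist for rendered Test Plan markup (assumption, not the project's own).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL

class AllowlistSanitizer(HTMLParser):
    # Rebuilds markup keeping only allow-listed tags/attributes; script/style bodies,
    # on* event handlers and javascript:/data: links are dropped; text is re-escaped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self._skip = [], 0  # _skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops onclick, onerror, style, ...
                if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                    continue  # drops javascript:, data:, vbscript: links
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # text nodes are re-escaped

def sanitize(markup: str) -> str:
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)

# Every view that shows the stored text must call the same sanitizer;
# the bug described above is that only the Test Plan view did.
def render_testplan(stored: str) -> str: return sanitize(stored)
def render_history(stored: str) -> str: return sanitize(stored)  # previously returned `stored` raw
```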
1 - Insert one of the following payloads into a Test Plan.
2 - Go to the history page.
Stored XSS:
<a href="https://evil.com/users/signin">foo</a>
Stored HTML Injection - Disable the history page:
<a href="https://evil.com/users/signin">foo</a>
https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing
I made a video where a basic user (not an admin) creates a test plan.
When an admin goes into the history of the test plan created by the basic user, the XSS will fire (stored blind XSS).
https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share_link