Here’s OWASP’s lesson principle:
Lesson Plan Title: How to Perform Stored Cross Site Scripting (XSS)
Concept / Topic To Teach:
It is always a good practice to scrub all inputs, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere. Users should not be able to create message content that could cause another user to load an undesirable page or undesirable content when the user’s message is retrieved.
General Goal(s):
The user should be able to add message content that causes another user to load an undesirable page or content.
This is quite a straightforward lesson. Enter anything you like in the “Title” box, then <script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script> in the message section, and submit.
Look underneath the “Message List” for your title and click it; a popup box appears with “Ha Ha Ha”.
Again, enter anything in the “Title” box, then <script language="javascript" type="text/javascript">alert(document.cookie);</script> as the message, and a popup showing your SessionId will appear.
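The defender's side of this lesson, as an added example (not WebGoat's code and not part of the original post): the same stored message rendered without and with output encoding, plus an HttpOnly session cookie so that a page script cannot read it through document.cookie. The message shape, the function names and the SESSIONID cookie name are assumptions.

```javascript
// Added example: a constructed message store, not WebGoat's code.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: stored fields are concatenated into markup as-is, so a stored
// <script> element is delivered to every user who opens the message.
function renderMessageUnsafe(msg) {
  return `<h3>${msg.title}</h3><p>${msg.body}</p>`;
}

// Hardened: every stored field is encoded at output time, so the browser
// shows the payload as text instead of executing it.
function renderMessageSafe(msg) {
  return `<h3>${escapeHtml(msg.title)}</h3><p>${escapeHtml(msg.body)}</p>`;
}

// Defence in depth for the document.cookie case: HttpOnly keeps the session
// cookie out of reach of page scripts. The cookie name is an assumption.
function sessionCookieHeader(sessionId) {
  const value = encodeURIComponent(sessionId);
  return `Set-Cookie: SESSIONID=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample: the second message from the lesson, as it would be stored.
const stored = {
  title: 'hello',
  body: '<script language="javascript" type="text/javascript">alert(document.cookie);</script>',
};

function demo() {
  return {
    unsafe: renderMessageUnsafe(stored),
    safe: renderMessageSafe(stored),
    cookie: sessionCookieHeader('abc123'),
  };
}

console.log(demo());
```

Encoding happens at render time, so messages already stored before the fix are also displayed as inert text.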
Here’s a video showing you the process: