Persistent Cross-Site Scripting (XSS), also known as Stored XSS, is one of the most dangerous forms of web application vulnerabilities. It occurs when a web application receives data from a user and stores it permanently in its backend database or filesystem without proper sanitization or encoding. Common vectors for persistent XSS include comment sections, user profiles, message boards, and "Contact Us" forms. Unlike Reflected XSS, where the payload is included in a specific URL and only affects the user who clicks that link, a persistent XSS payload is served automatically to every user who visits the affected page.

When an attacker successfully injects a malicious script (typically JavaScript), the server "remembers" this script. Every time a legitimate user requests the page where the data is displayed, the server includes the malicious code in the HTML response. The user’s browser, trusting the source, executes the script. This can lead to devastating consequences, such as session hijacking through the theft of session cookies, account takeover, or the redirection of users to malicious websites. From an ethical hacking perspective, identifying persistent XSS involves testing all input fields that result in data being displayed later. Mitigation strategies focus on the principle of "filter input, escape output." Input should be validated against a strict whitelist of allowed characters, and any data rendered in the browser must be context-aware encoded (e.g., converting < to <) to prevent the browser from interpreting the data as executable code. Because the payload is stored on the server, this vulnerability represents a significant risk to the entire user base of an organization, making it a high-priority finding in any security assessment.