Stored XSS

This attack involves storing the payload on the target server.

How does it work?

Stored XSS attacks are those where the injected script is stored on the target server, such as in a comment, forum post, or any other user input field that is stored on the server and displayed back to the user. The script is then executed by the victim's browser, which does not know that the script shouldn't be trusted [6].

An example forum is available to demonstrate this concept here:

Forum

How can it be spotted?

Stored XSS attacks can be spotted by looking for user input that is stored on the server and later displayed back to users without being sanitized or encoded on output. Typical places to check are comments, forum posts, or any other user input field whose stored value the application renders into a page.

How can it be prevented?

Stored XSS attacks can be prevented by sanitizing user input before storing it on the server and before displaying it back to the user. This can be done by encoding the input or by validating it against a whitelist of allowed characters. Either way, it must be done on the server side, because a user can bypass client-side validation [7].
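The vulnerable rendering described above, beside the server-side encoding the prevention section calls for, as an added example that is not part of the original page; the in-memory forum, its function names and the sample comments are all constructed stand-ins:

```javascript
// Added example (not from the original page): a minimal in-memory forum that
// stores comments and renders them twice, once unsafely and once with
// server-side output encoding. All names below are hypothetical.

const comments = []; // constructed stand-in for the server-side store

// Storage step: the submitted text is persisted exactly as received.
function storeComment(author, body) {
  comments.push({ author, body });
  return comments.length;
}

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value. '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: stored input is concatenated straight into the page,
// so any markup inside a comment becomes live HTML for every later visitor.
function renderUnsafe() {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('\n');
}

// Hardened rendering: every stored value is HTML-encoded at output time,
// so the browser displays the comment text instead of executing it.
function renderSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('\n');
}

// Defender-side check: does rendered output still carry a raw script tag
// that came from stored data? True means an encoding step was skipped.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: one ordinary comment and one carrying markup.
storeComment('alice', 'Great thread, thanks!');
storeComment('mallory', '<script>alert(1)</script>');

console.log(renderUnsafe()); // markup survives: executes for every viewer
console.log(renderSafe());   // markup is shown as text
```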