Task 1 of 4

What Makes XSS Blind

Normal stored XSS gives you immediate feedback — inject a payload, visit the page, your alert fires. Simple.

Blind XSS is different. You inject a payload into a form — a feedback submission, a support ticket, a contact form, a shipping address — and it gets stored. But you never see the page where it renders. That page is an admin panel, an internal CRM, a customer support dashboard. Somewhere only staff can access.

You are firing in the dark. The payload needs to report back to you when it fires.

A real example

In 2019, a researcher submitted a bug report to a major e-commerce company's internal support ticketing system with a payload in the issue description field. The ticket was displayed to a support agent on an internal tool. The agent's browser fired the payload, which exfiltrated their session token — giving the researcher full access to the internal support dashboard with visibility into customer data for millions of users. The researcher never had access to the internal tool. They just had access to the form that feeds it.

Where blind XSS surfaces live

  • Contact and feedback forms
  • Support ticket descriptions and notes
  • User registration fields rendered in admin user lists
  • Order notes and shipping addresses rendered in merchant dashboards
  • Log viewers that display user input verbatim
  • Error messages that appear in staff error tracking tools
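The surfaces above share one shape: untrusted text stored by a public form and later interpolated into an internal page. The following is an added example, not code from the original page, showing the defect as a support-dashboard renderer (the same pattern covers order notes, registration fields and log viewers) next to its hardened form, plus the second defensive layer that matters specifically for blind XSS: a Content-Security-Policy on the internal panel that denies the outbound "report back" step even if a payload does execute. The ticket record, field names and policy values are constructed for illustration.

```javascript
// Added example (not from the original page). Shows how an internal support
// dashboard ends up executing a stored payload, and the two defensive layers
// that stop it. Ticket fields and the CSP values are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for an HTML text / quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// VULNERABLE: the stored description is interpolated straight into the markup
// the support agent's browser will parse, so submitted text becomes HTML.
function renderTicketUnsafe(ticket) {
  return `<div class="ticket"><h2>${ticket.subject}</h2>` +
         `<p>${ticket.description}</p></div>`;
}

// HARDENED: every untrusted field is encoded for the context it lands in.
// Submitted text stays text; the agent sees the payload instead of running it.
function renderTicketSafe(ticket) {
  return `<div class="ticket"><h2>${escapeHtml(ticket.subject)}</h2>` +
         `<p>${escapeHtml(ticket.description)}</p></div>`;
}

// Second layer for the internal panel. Blind XSS depends on a callback to an
// origin the attacker controls; a policy with no external script/connect/img
// origins blocks that callback even when encoding is missed somewhere.
// (Directive values are an example policy, not a recommendation for any
// particular application.)
function adminPanelCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "img-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Crude check used only to illustrate the difference: does the rendered HTML
// still contain the raw tag that arrived in the untrusted input?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

// Constructed ticket: the description is what a submitter typed into the
// public-facing form; nothing between the form and the panel validated it.
const sampleTicket = {
  id: 'TICKET-EXAMPLE-001', // placeholder id
  subject: 'Order never arrived',
  description: 'Hello<script>alert(1)</script>',
};

const unsafeHtml = renderTicketUnsafe(sampleTicket);
const safeHtml = renderTicketSafe(sampleTicket);

console.log('unsafe renderer keeps <script>:', containsRawTag(unsafeHtml, 'script')); // true
console.log('safe renderer keeps <script>:  ', containsRawTag(safeHtml, 'script'));   // false
console.log('safe output:', safeHtml);
console.log('panel CSP:', adminPanelCsp());
```

The encoding fix belongs in the internal application, which is exactly the code the submitting party never sees and the team owning the public form often does not own either; reviewing every staff-facing view that renders user-supplied fields (ticket notes, shipping addresses, log lines, error messages) is the practical audit this page's list implies. The CSP is a backstop, not a substitute, because a misplaced encoder in one view is enough to reopen the hole.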