Task 1 of 5

The Samy Worm — 1 Million Friends in 20 Hours

In October 2005, a 19-year-old named Samy Kamkar found a stored XSS vulnerability in MySpace. He injected a small piece of JavaScript into his own profile page.

The payload did three things automatically when anyone visited his profile:

  • Added Samy as a friend
  • Copied itself into the visitor's profile
  • Added the message "but most of all, samy is my hero" to their page

The result: over 1 million MySpace accounts infected within 20 hours. MySpace had to shut down its entire platform to contain it. Samy was arrested, sentenced to community service, banned from computers for three years, and fined.

The attack worked because MySpace stored profile HTML in a database and served it back to every visitor without filtering out the JavaScript it contained, so each visitor's browser executed the script as part of the page. One injected payload, infinite victims. That is the power of stored XSS.
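The two halves of that pattern, a profile field saved verbatim and a template that later renders it for every visitor, can be shown side by side with a hardened renderer. This is an added illustration written for this page; it is not MySpace's code and contains no part of the worm. The storage map, the `saveProfile`/`renderProfile*` handlers and the sample profile text are all constructed for the example.

```javascript
// Added example: a minimal model of stored XSS and its mitigation.
// Not MySpace's code; names and sample data are constructed for illustration.

// Hypothetical profile store: the "database" the page describes.
const profiles = new Map();

// Save handler that stores whatever the user submitted, unchanged.
function saveProfile(userId, aboutMe) {
  profiles.set(userId, String(aboutMe));
}

// Vulnerable renderer: the stored string is concatenated straight into the
// page, so any <script> it carries runs in every visitor's browser.
function renderProfileUnsafe(userId) {
  return `<div class="about">${profiles.get(userId) || ''}</div>`;
}

// Contextual output encoding for text placed inside an HTML element body.
// Every character that could open a tag, attribute or entity is encoded,
// so the browser treats the stored value as text rather than markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, but the stored value is encoded on output.
function renderProfileSafe(userId) {
  return `<div class="about">${escapeHtml(profiles.get(userId) || '')}</div>`;
}

// Simple check a reviewer or test suite can run over rendered markup:
// does the output still contain an executable script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a profile whose "about me" text carries a script tag.
const SAMPLE_ABOUT_ME = 'I love music! <script>notARealPayload()</script>';
saveProfile('visitorX', SAMPLE_ABOUT_ME);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderProfileUnsafe('visitorX'));
  console.log('safe:  ', renderProfileSafe('visitorX'));
}
```

Encoding on output is the right fix when a field is meant to hold plain text. A site that deliberately lets users publish their own HTML, as MySpace did with profile pages, cannot simply encode everything; it needs an allowlist sanitizer that keeps a small set of harmless tags and strips every script-bearing construct, which is a much harder problem and is exactly where such sites tend to fail.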