What’s the Difference Between Stored and Reflected XSS?

 By Charles Joseph | Cybersecurity Advocate
 Last update: November 25, 2023

Stored XSS, also known as persistent XSS, occurs when malicious code is injected directly into a web application and then stored on the server, typically in a database.

This type of attack is dangerous because the injected code is executed every time a user accesses the affected web page or application.

For example, an attacker might inject malicious code into a comment section, and when other users view that comment, their browser unknowingly executes the malicious script.

The attacker can then potentially steal sensitive information, impersonate the user, or manipulate the website content.

Reflected XSS, also known as non-persistent XSS, occurs when an attacker tricks a user into clicking a specially crafted link containing malicious code.

The link, when clicked, sends a request to the web application, which then includes the malicious code in its response.

Because the response comes from the web application itself, the victim’s browser treats the code as legitimate and executes it.

This type of attack is usually less dangerous than stored XSS because it requires user interaction (clicking the link) and doesn’t persistently affect the web application.

However, it can still lead to sensitive information theft or other negative consequences if the user is successfully tricked into clicking the link.

In summary, the main differences between stored and reflected XSS are:

  1. Stored XSS involves malicious code being saved on the server, while reflected XSS requires the user to interact with a malicious link.
  2. Stored XSS is persistent, affecting all users who access the affected page or application, while reflected XSS is non-persistent and relies on user interaction.
  3. Stored XSS typically has a broader impact and poses a greater risk.
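
To make the two flows concrete, here is an added example (not code from the original article) that models a reflected search page and a stored comment list as plain JavaScript functions, rendering each once without output encoding and once with it. The function names, the `shop.example` URL and the sample comments are assumptions constructed for illustration.

```javascript
// Added example: models both XSS flows with plain functions (no server needed).
// All names (escapeHtml, searchPage, commentStore, ...) are hypothetical.

// Encode the five characters that let text break out of HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected flow: the value comes from the request URL and goes straight
// into the response for that one request.
function searchPage(requestUrl, encode) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<p>Results for: ${encode(q)}</p>`;
}

// Stored flow: the value is saved once, then rendered for every later viewer.
const commentStore = [];
function postComment(author, body) {
  commentStore.push({ author, body }); // stored raw; encoding happens at output
}
function commentsPage(encode) {
  return commentStore
    .map((c) => `<li><b>${encode(c.author)}</b>: ${encode(c.body)}</li>`)
    .join("");
}

const raw = (s) => s; // the vulnerable behaviour: no output encoding
const probe = "<script>alert(1)</script>"; // constructed, harmless test string

// Constructed sample input for both flows.
const link = "https://shop.example/search?q=" + encodeURIComponent(probe);
postComment("mallory", probe);
postComment("alice", "Great post & thanks!");

function demo() {
  return {
    reflectedVulnerable: searchPage(link, raw),
    reflectedFixed: searchPage(link, escapeHtml),
    storedVulnerable: commentsPage(raw),
    storedFixed: commentsPage(escapeHtml),
  };
}

console.log(demo());
```

In the reflected case the markup only appears in the response to the crafted link, while in the stored case it appears in every rendering of the comment list until the output is encoded.
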
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional