Cross Site Scripting

What Is the Difference Between Stored and Reflected XSS?

By Charles Joseph | Cybersecurity Advocate

Stored XSS, also known as persistent XSS, occurs when malicious code is injected directly into a web application and then stored on the server, typically in a database.

This type of attack is dangerous because the injected code is executed every time a user accesses the affected web page or application.

For example, an attacker might inject malicious code into a comment section, and when other users view that comment, their browser unknowingly executes the malicious script.

The attacker can then potentially steal sensitive information, impersonate the user, or manipulate the website content.

Stored XSS (Video)

Reflected XSS, also known as non-persistent XSS, occurs when an attacker tricks a user into clicking a specially crafted link containing malicious code.

The link, when clicked, sends a request to the web application, which then includes the malicious code in its response.

The victim’s browser treats the code as legitimate and executes it.

This type of attack is usually less dangerous than stored XSS because it requires user interaction (clicking the link) and doesn’t persistently affect the web application.

However, it can still lead to sensitive information theft or other negative consequences if the user is successfully tricked into clicking the link.

Join Our Community

And Get Our Best Stuff for FREE
We respect your privacy and you can unsubscribe anytime.

Reflected XSS (Video)

Summary

In summary, the main differences between stored and reflected XSS are:

  1. Stored XSS involves malicious code being saved on the server, while reflected XSS requires the user to interact with a malicious link.
  2. Stored XSS is persistent, affecting all users who access the affected page or application, while reflected XSS is non-persistent and relies on user interaction.
  3. Stored XSS typically has a broader impact and poses a greater risk.
QUOTE:
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional