Difference Between Stored Cross Site Scripting and Reflected Cross Site Scripting
Cross-site scripting (XSS) is a client-side attack in which the hacker injects malicious code into a vulnerable web application or website. It can cause serious damage to a business and its clients; the consequences may include password theft, redirection to malicious sites, and modification of page content. If the attacker obtains the session cookies of an authenticated user, they can impersonate that user and carry out actions on the user's behalf. XSS vulnerabilities have been used to create social network worms, spread malware, deface websites, and phish for credentials.
Cross-site scripting is of two types:
- Stored XSS.
- Reflected XSS.
1. Stored XSS: A vulnerability in which the hacker injects malicious code directly into the database or server. The application or website receives malicious data or code from unauthorized sources and stores it in the system without checking it. When a victim opens the affected web page in a browser, the XSS attack code is delivered to the victim's browser as part of the HTML code (just like a legitimate comment would be). The victim therefore ends up executing the malicious script once the page is viewed in their browser.
2. Reflected XSS: This vulnerability allows the hacker to inject malicious code into the victim's browser in the form of HTML code. The user is affected only when they click on it. Reflected XSS is less dangerous than stored XSS because the malicious content is not stored permanently in the database or server. To deliver a reflected XSS attack, an attacker has to induce the victim to make a request that the attacker controls, and there are various ways to do so. These include placing links on a website controlled by the attacker, or sending a link in an email, tweet, or ad pop-up.

| Stored XSS | Reflected XSS |
|---|---|
| Also known as permanent XSS. | Also known as temporary XSS. |
| Malicious code is stored in the application. | Malicious code is not stored in the application. |
| Causes more damage to the web application or website. | Causes less damage to the web application or website. |
| Targets all users using the web application or website. | Targets few users using the web application or website. |
| The malicious code is activated when the victim visits the compromised web page. | The malicious code is activated after a link is clicked. |
| Harder to perform. | Easier to perform. |
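
The two cases described above, side by side with the fix, as an added example that is not part of the original article: the `CommentBoard` class, its method names and the marker string are hypothetical and constructed for illustration. It shows that a stored value is served to every visitor while a reflected value reaches only the request that carries it, and that HTML-encoding the output neutralizes both.

```python
import html

# Constructed, harmless marker standing in for attacker-supplied input.
MARKER = "<script>alert(1)</script>"

class CommentBoard:
    """Hypothetical page: comments are a stored input, the search term a reflected one."""
    def __init__(self, encode_output):
        self.encode_output = encode_output
        self.comments = []  # stands in for the database

    def _out(self, value):
        # Output encoding: <, >, &, " and ' become HTML entities.
        return html.escape(value, quote=True) if self.encode_output else value

    def post_comment(self, text):
        self.comments.append(text)  # stored: saved once, served to every later visitor

    def render_comments(self):
        items = "".join(f"<li>{self._out(c)}</li>" for c in self.comments)
        return f"<ul>{items}</ul>"

    def render_search(self, query):
        # Reflected: the value arrives with this one request and is never saved.
        return f"<p>Results for: {self._out(query)}</p>"

def marker_is_markup(page):
    # True if the marker reached the page as markup rather than as inert text.
    return MARKER in page

def demo():
    results = {}
    for name, encode in (("vulnerable", False), ("hardened", True)):
        board = CommentBoard(encode_output=encode)
        board.post_comment("nice article")
        board.post_comment(MARKER)
        results[name] = {
            "stored_visitor_1": marker_is_markup(board.render_comments()),
            "stored_visitor_2": marker_is_markup(board.render_comments()),
            "reflected_crafted_link": marker_is_markup(board.render_search(MARKER)),
            "reflected_normal_request": marker_is_markup(board.render_search("shoes")),
        }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Encoding at output time is what makes the hardened board safe; the stored value itself is unchanged in `comments`, so any other page that renders it must encode it as well.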