Difference Between Stored Cross Site Scripting and Reflected Cross Site Scripting

Last Updated : 31 May, 2021
Cross-site scripting (XSS) is a client-side attack in which the hacker injects malicious code into a vulnerable web application or website. The attack can cause huge damage to a business and its clients; the consequences may include password theft, redirection to malicious sites, and modification of page content. If the attacker obtains the session cookies of an authenticated user, they can impersonate that user and continue executing tasks on the user's behalf. XSS vulnerabilities have been used to create social network worms, spread malware, deface websites, and phish for credentials.

Cross-site scripting is of two types:

  1. Stored XSS.
  2. Reflected XSS.

1. Stored XSS: A vulnerability in which the hacker injects malicious code directly into the database or server. The application or website receives malicious data or code from an untrusted source and stores it in the system without checking it. When a victim opens the affected web page in a browser, the XSS attack code is served to the victim's browser as part of the HTML code (just as a legitimate comment would be). Hence, the victim ends up executing the malicious script as soon as the page is viewed in their browser.

2. Reflected XSS: This vulnerability allows the hacker to inject malicious code into the victim's browser in the form of HTML code. The user is affected only when they click on the malicious link. Reflected XSS is less dangerous than stored XSS because the malicious content is not stored permanently in the database or server. There are various ways in which an attacker might induce a victim to make a request that the attacker controls in order to deliver a reflected XSS attack. These include placing links on a website controlled by the attacker, or sending a link in an email, tweet, or ad pop-up.
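
The two flows described above, modelled side by side with and without output encoding. This is an added example, not code from the original article; the function names, the `app.example` host, and the marker string are constructed for illustration.

```javascript
// Added example: constructed model of both flows; all names are hypothetical.
const comments = []; // stands in for the application's database

// Encode the HTML-significant characters at the point of output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Stored flow, step 1: input is saved once, without checking.
function postComment(text) { comments.push(text); }

// Stored flow, step 2: every later visitor is served what was saved.
function renderCommentsPage(encode) {
  const enc = encode ? escapeHtml : (s) => s;
  return '<ul>' + comments.map((c) => `<li>${enc(c)}</li>`).join('') + '</ul>';
}

// Reflected flow: input arrives in this request's URL and is echoed
// only into this one response; nothing is saved.
function renderSearchPage(requestUrl, encode) {
  const q = new URL(requestUrl, 'http://app.example').searchParams.get('q') ?? '';
  const enc = encode ? escapeHtml : (s) => s;
  return `<p>Results for: ${enc(q)}</p>`;
}

// Constructed sample input: a harmless marker standing in for injected code.
const MARKER = '<script>alert(1)</script>';

function demo() {
  comments.length = 0; // start from an empty "database"
  postComment('Nice article!');
  postComment(MARKER);
  const crafted = '/search?q=' + encodeURIComponent(MARKER);
  return {
    storedVisitorA: renderCommentsPage(false),   // marker reaches this visitor
    storedVisitorB: renderCommentsPage(false),   // and every other visitor
    reflectedCrafted: renderSearchPage(crafted, false), // only this request
    reflectedNormal: renderSearchPage('/search?q=shoes', false), // unaffected
    storedEncoded: renderCommentsPage(true),     // marker rendered as text
    reflectedEncoded: renderSearchPage(crafted, true),
  };
}

console.log(demo());
```

With encoding off, the stored marker appears in the page for every visitor, while the reflected marker appears only in the response to the crafted URL; with encoding on, both are rendered as inert text.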

| STORED XSS | REFLECTED XSS |
| --- | --- |
| Also known as permanent XSS. | Also known as temporary XSS. |
| Malicious code is stored in the application. | Malicious code is not stored in the application. |
| Causes more damage to the web application or website. | Causes less damage to the web application or website. |
| Targets all users using the web application or website. | Targets few users using the web application or website. |
| The malicious code is activated when the victim visits the compromised web page. | The malicious code is activated after a link is clicked. |
| Harder to perform. | Easier to perform. |
