[Owasp-topten] Reflected or Stored XSS?

Dave Wichers dave.wichers at aspectsecurity.com
Thu Apr 2 13:17:33 EDT 2009

Stored XSS is where you send in data to the application, and it is
persisted permanently somewhere, like a blog entry, or your user
profile, or some other persistent data location, and then someone else
later on can come and retrieve that data and get attacked by the script.

Reflected is where the script is sent to the site and immediately sent
back in the response (like in an error message, or confirmation page, or
form repost, or whatever) and the data is NOT stored permanently on the

It is simple to test for this. You don't need access to code to figure
this out.


-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
Sent: Thursday, April 02, 2009 12:03 PM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Reflected or Stored XSS?


I have a question. How do I differentiate between reflected and stored
XSS? Is it that the source code *must* be available (I mean we get
access to read it / they give the source code to me as a reviewer) so
that I can differentiate between them?

Zaki Akhmad
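The black-box distinction Dave describes, as an added example that is not part of this thread: a constructed, hypothetical in-memory "application" with one endpoint that reflects input immediately and one that persists it and renders it on a later page, plus a check that submits a harmless marker once and reports where it reappears unescaped. All function and variable names here are assumptions made for the example.

```python
import html

# Constructed toy application (hypothetical, for this example only).
_comments = []  # persistent store shared by every request


def search_page(q, escape=True):
    """Reflected case: the input comes back in this very response
    and is never stored. With escape=True the output is safe."""
    shown = html.escape(q) if escape else q
    return f"<p>No results for {shown}</p>"


def post_comment(text):
    """Persists the comment. The response itself shows nothing of it."""
    _comments.append(text)
    return "<p>Thanks, your comment was saved.</p>"


def comments_page(escape=True):
    """Stored case: everything persisted is rendered to a later,
    unrelated request, possibly for a different user."""
    items = (html.escape(c) if escape else c for c in _comments)
    return "<ul>" + "".join(f"<li>{i}</li>" for i in items) + "</ul>"


# Harmless, unique markup: it only needs to be recognisable unescaped.
MARKER = "<i>xss-marker-1</i>"


def classify(submit, later_view):
    """Send the marker once, then look for it in two places:
    submit(marker)  -> the immediate response to the submission
    later_view()    -> a separate page fetched afterwards
    Stored is checked first: persisted output is the more serious
    finding even when the submission response also reflects it."""
    _comments.clear()            # start from an empty store each run
    immediate = submit(MARKER)
    later = later_view()
    if MARKER in later:
        return "stored"
    if MARKER in immediate:
        return "reflected"
    return "not vulnerable"      # escaped everywhere it appeared
```

Running `classify` against the escaping and non-escaping variants of each endpoint shows that the classification needs only the responses, not the code.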