[Owasp-topten] Reflected or Stored XSS?
dave.wichers at aspectsecurity.com
Thu Apr 2 13:17:33 EDT 2009
Stored XSS is where you send in data to the application, and it is
persisted permanently somewhere, like a blog entry, or your user
profile, or some other persistent data location, and then someone else
later on can come and retrieve that data and get attacked by the script.

Reflected is where the script is sent to the site and immediately sent
back in the response (like in an error message, or confirmation page, or
form repost, or whatever) and the data is NOT stored permanently on the

It is simple to test for this. You don't need access to code to figure
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
Sent: Thursday, April 02, 2009 12:03 PM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Reflected or Stored XSS?
I have a question. How do I differentiate between reflected and stored
XSS? Is it that the source code *must* be available (I mean we get
access to read it / they give the source code to me as a reviewer) so
that I can differentiate between them?
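As an added, constructed illustration of the black-box distinction Dave describes (not code from this thread): a toy application whose endpoints are plain Python functions, plus a classifier that submits a harmless unique marker and reports whether it comes back in the immediate response (reflected) or only in a later, separate page (stored). `ToyApp`, `classify_xss` and the endpoint names are assumptions made for the example.

```python
import html
import secrets


class ToyApp:
    """Constructed stand-in for a web app, so the check below runs offline."""

    def __init__(self, escape_output: bool = False):
        self.profiles = {}            # persistent store: user -> bio text
        self.escape = escape_output   # True models correct output encoding

    def _render(self, value: str) -> str:
        return html.escape(value) if self.escape else value

    def search(self, query: str) -> str:
        """Reflected sink: the query is echoed straight back in the response."""
        return f"<p>No results for {self._render(query)}</p>"

    def save_profile(self, user: str, bio: str) -> str:
        """Persists the bio; the confirmation page itself does not echo it."""
        self.profiles[user] = bio
        return "<p>Profile saved</p>"

    def view_profile(self, user: str) -> str:
        """Stored sink: a later, separate request renders the persisted data."""
        return f"<div>{self._render(self.profiles.get(user, ''))}</div>"


def classify_xss(app: ToyApp, user: str = "alice") -> dict:
    """Black-box check needing no source access: submit a benign marker and
    see where it reappears without encoding. The marker is not a script,
    only angle brackets around a random token, which is enough to show
    whether the sink encodes output."""
    marker = "<" + secrets.token_hex(4) + ">"
    return {
        # immediate echo of the input in the same response
        "reflected": marker in app.search(marker),
        # immediate echo on the confirmation page after submitting
        "reflected_on_save": marker in app.save_profile(user, marker),
        # marker surfaces later, from persistent data, on a different page
        "stored": marker in app.view_profile(user),
    }


if __name__ == "__main__":
    print("unencoded app:", classify_xss(ToyApp(escape_output=False)))
    print("encoded app:  ", classify_xss(ToyApp(escape_output=True)))
```

The same marker-based approach transfers to a real test: a reflected finding shows up in the response to the request that carried the marker, a stored one shows up when some other page or user later retrieves the data.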