[Owasp-topten] Reflected or Stored XSS?

Zaki Akhmad zakiakhmad at gmail.com
Fri Apr 3 05:08:36 EDT 2009


On Fri, Apr 3, 2009 at 12:17 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:

> Stored XSS is where you send in data to the application, and it is
> persisted permanently somewhere, like a blog entry, or your user
> profile, or some other persistent data location, and then someone else
> later on can come and retrieve that data and get attacked by the script.
>
> Reflected is where the script is sent to the site and immediately sent
> back in the response (like in an error message, or confirmation page, or
> form repost, or whatever) and the data is NOT stored permanently on the
> site.

Thanks for the explanation Dave.

If stored XSS will be executed as long as the script is on the server
(e.g. in the database), what about the reflected one? Does reflected XSS
only execute once because it's NOT stored permanently?

-- 
Zaki Akhmad
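The distinction Dave draws above (persisted data served to later visitors versus data echoed straight back in one response) can be shown in a few lines of code. The following Python is an added example and is not part of either message on this thread: it models a reflected "search" page and a stored comment board, each with and without output encoding, and reports whether a constructed marker payload survives into the rendered HTML. The function and class names, the marker string and the in-memory list standing in for a database are all assumptions made for the demonstration.

```python
import html

# Constructed marker payload. It is only used to check whether raw markup
# reaches the rendered page; nothing here executes it.
MARKER = "<script>alert(1)</script>"


def search_page(query: str, encode: bool = True) -> str:
    """Reflected case: the query parameter is echoed into THIS response only.

    With encode=True the value is HTML-entity encoded before it is placed in
    the page, which is the standard mitigation for reflected XSS.
    """
    shown = html.escape(query, quote=True) if encode else query
    return f"<p>No results for: {shown}</p>"


class CommentBoard:
    """Stored case: posted comments persist and are rendered to every later
    visitor. The list below stands in for a database table (assumption)."""

    def __init__(self, encode: bool = True) -> None:
        self._comments: list[str] = []
        self.encode = encode

    def post(self, text: str) -> None:
        # Data is stored verbatim; the decision to encode is made at output
        # time, so the same record can be shown safely in any context.
        self._comments.append(text)

    def render(self) -> str:
        items = (html.escape(c, quote=True) if self.encode else c
                 for c in self._comments)
        return "<ul>" + "".join(f"<li>{i}</li>" for i in items) + "</ul>"


def contains_live_markup(page: str) -> bool:
    """True if an unencoded script element is present in the rendered page."""
    return "<script>" in page.lower()


def demonstrate() -> dict[str, bool]:
    """Run both scenarios and summarise where the marker survives."""
    results = {}

    # Reflected, no encoding: the marker is present only in the response to
    # the request that carried it; a following request without it is clean.
    results["reflected_raw_same_request"] = contains_live_markup(
        search_page(MARKER, encode=False))
    results["reflected_raw_next_request"] = contains_live_markup(
        search_page("shoes", encode=False))
    # Reflected, encoded: the marker is neutralised in the response.
    results["reflected_encoded"] = contains_live_markup(search_page(MARKER))

    # Stored, no encoding: one post, and every later render reproduces it.
    raw_board = CommentBoard(encode=False)
    raw_board.post(MARKER)
    raw_board.post("nice article")
    results["stored_raw_first_render"] = contains_live_markup(raw_board.render())
    results["stored_raw_later_render"] = contains_live_markup(raw_board.render())

    # Stored, encoded at output: the record still holds the raw text, but
    # each render entity-encodes it.
    safe_board = CommentBoard()
    safe_board.post(MARKER)
    results["stored_encoded"] = contains_live_markup(safe_board.render())

    return results


if __name__ == "__main__":
    for name, hit in demonstrate().items():
        print(f"{name:32s} marker rendered as live markup: {hit}")
```

The two rows to compare are `reflected_raw_next_request` (False: the reflected page is clean as soon as a request arrives without the payload) and `stored_raw_later_render` (True: the stored comment keeps coming back for every visitor until it is removed from the data store). Encoding at output time clears both cases, which is why it is applied at render rather than at storage.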

