[Owasp-topten] Reflected or Stored XSS?

Dave Wichers dave.wichers at aspectsecurity.com
Fri Apr 3 07:33:37 EDT 2009

Yep. That’s right. Reflected gets executed only once (from the target server's perspective). However, the source of the reflected attack is usually permanent somewhere else out on the internet, like some other web site, or a million spam e-mails or whatever, so the same attack may get sent (and reflected) many times, just like a stored attack.

However, the reflected attack is less likely to successfully work than a stored attack because it's less likely that the user is logged in to the site when the reflected attack fires, which is why reflected vulnerabilities are less risky than stored XSS vulns.


-----Original Message-----
From: Zaki Akhmad [mailto:zakiakhmad at gmail.com] 
Sent: Friday, April 03, 2009 5:09 AM
To: Dave Wichers
Cc: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] Reflected or Stored XSS?

On Fri, Apr 3, 2009 at 12:17 AM, Dave Wichers
<dave.wichers at aspectsecurity.com> wrote:

> Stored XSS is where you send in data to the application, and it is
> persisted permanently somewhere, like a blog entry, or your user
> profile, or some other persistent data location, and then someone else
> later on can come and retrieve that data and get attacked by the script.
> Reflected is where the script is sent to the site and immediately sent
> back in the response (like in an error message, or confirmation page, or
> form repost, or whatever) and the data is NOT stored permanently on the
> site.

Thanks for the explanation Dave.

If stored XSS will be executed as long as the script is on the server
(e.g. database), what about the reflected? Does reflected XSS only execute
just once because it's NOT stored permanently?

Zaki Akhmad
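
The distinction discussed in this thread, as an added example that is not part of the original messages: a toy in-memory app (the class, routes and marker string are all constructed for illustration) showing that a reflected value appears only in the response to the request that carries it, while a stored value is served to every later visitor, and that HTML-encoding on output neutralizes both.

```python
import html

# Constructed, benign marker standing in for submitted script content.
MARKER = "<script>alert(1)</script>"


class DemoApp:
    """Toy web app with one reflecting page and one persisting page."""

    def __init__(self, encode_output):
        self.encode_output = encode_output
        self.comments = []  # stands in for a database table

    def _out(self, value):
        # Hardened form: HTML-encode untrusted data at the point of output.
        return html.escape(value, quote=True) if self.encode_output else value

    def search(self, q):
        # Reflected path: request data is echoed in this response only.
        return "<p>No results for " + self._out(q) + "</p>"

    def post_comment(self, text):
        # Stored path: request data is persisted on the site.
        self.comments.append(text)

    def view_comments(self):
        # Every later visitor receives whatever was persisted.
        return "".join("<li>" + self._out(c) + "</li>" for c in self.comments)


def exposures(app, visitors=3):
    """Report which responses carry the marker unencoded."""
    # Reflected: present only when the request itself contains the marker.
    same_request = MARKER in app.search(MARKER)
    later_request = MARKER in app.search("shoes")
    # Stored: submitted once, then served on each subsequent page view.
    app.post_comment(MARKER)
    stored_views = sum(MARKER in app.view_comments() for _ in range(visitors))
    return {
        "reflected_same_request": same_request,
        "reflected_later_request": later_request,
        "stored_views_affected": stored_views,
    }


if __name__ == "__main__":
    print("unencoded:", exposures(DemoApp(encode_output=False)))
    print("encoded:  ", exposures(DemoApp(encode_output=True)))
```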
