katie482
katie482 3d ago β€’ 0 views

Difference Between Stored, Reflected, and DOM-Based XSS

Hey there! πŸ‘‹ Ever get confused about the different types of XSS vulnerabilities? Stored, Reflected, DOM-based... it can be a bit overwhelming! Let's break it down in a simple, easy-to-understand way. πŸ€“
πŸ’» Computer Science & Technology

1 Answers

βœ… Best Answer
User Avatar
jeremy.wilson Dec 28, 2025

πŸ“š What is Stored XSS?

Stored XSS (also known as persistent XSS) is when malicious code is injected directly into the target application's database. This means that every time a user visits the affected page, the script is executed from the server. Think of it like graffiti on a popular wall; everyone who walks by sees it.

  • πŸ’Ύ Persistence: The payload is permanently stored on the server (e.g., in a database, file system, etc.).
  • 🎯 Impact: Affects all users who access the stored data.
  • πŸ›‘οΈ Detection: Easier to detect as the malicious code is stored on the server.

🌍 What is Reflected XSS?

Reflected XSS (also known as non-persistent XSS) is where the malicious script bounces off the web server. It's included as part of the request and is reflected back to the user. Imagine someone shouting something offensive; only the person who hears the echo is affected.

  • πŸ“€ Non-Persistence: The payload is part of the request and not stored on the server.
  • πŸ‘€ Impact: Affects users who click a malicious link or submit a crafted form.
  • 🚨 Detection: More difficult to detect than stored XSS, requires careful input validation.

πŸ§ͺ What is DOM-Based XSS?

DOM-based XSS occurs entirely within the client-side code. The malicious script manipulates the Document Object Model (DOM) of the page. Think of it like rewriting the text in a book while you're reading it; the changes only affect you.

  • πŸ’» Client-Side: The entire vulnerability exists in the client-side code.
  • βš™οΈ Mechanism: Exploits vulnerabilities in client-side scripts to modify the DOM.
  • πŸ•΅οΈ Detection: The most difficult to detect as it doesn't necessarily involve server-side interaction.

βš”οΈ XSS Types: A Side-by-Side Comparison

Feature Stored XSS Reflected XSS DOM-Based XSS
Location of Payload Server-side (Database, File System) URL Parameter/Request Body Client-side (DOM)
Persistence Persistent Non-Persistent Non-Persistent (but can be made persistent through other means)
Attack Vector Visiting an infected page Clicking a malicious link Manipulating the DOM through client-side scripts
Difficulty of Detection Relatively Easier Medium Most Difficult
Example Posting a malicious comment that is displayed to all users. Clicking a link with a malicious script in the URL. Client-side script reading a malicious value from the URL and executing it.

πŸ”‘ Key Takeaways

  • βœ… Stored XSS: The most dangerous type, as it affects all users.
  • πŸ’‘ Reflected XSS: Relies on tricking users into clicking malicious links.
  • πŸ›‘οΈ DOM-Based XSS: Hardest to detect, focuses on client-side manipulation.
  • πŸ“ Prevention: Proper input validation and output encoding are crucial for all types.

Join the discussion

Please log in to post your answer.

Log In

Earn 2 Points for answering. If your answer is selected as the best, you'll get +20 Points! πŸš€