Reflected and Stored XSS

Two kinds of XSS attack exist: Reflected XSS attacks and Stored XSS attacks.

A reflected XSS attack happens when the XSS-infected page is returned immediately by the target webpage.

The example in the previous lesson is a reflected attack: after the malicious string is sent as the "name" parameter, the XSS-infected page is returned right away.

For this type of attack to succeed, the attacker must trick the victim into clicking on a malicious link, or into opening a malicious page from where to redirect the victim to the target website.

A stored XSS attack works differently.

This type of attack takes place in two stages:

  1. First, the attacker compromises the target website by injecting the XSS code into the website storage space (usually the database).
  2. Then, every time a user opens the XSS-infected site, the XSS code is returned to the user.

This attack is possible in many contexts where the attacker is allowed to save some data, for example in forum posts or in blog comments.

Stored XSS example

Let's see an example of a stored XSS attack.

Let's say that you have an online forum where users can add their signatures.

The signature is added automatically to each message that users post on the forum.

The signature is stored on the database. When a forum message is shown, the signature of the message owner is retrieved and added to the message's HTML code.

Like this:

Usually, a signature is a mix of text and images. But what if a malicious user adds something more?

For example, take a look at the following signature code:

If a malicious user sets its signature like that, every forum user will see the signature containing a fake image like this:

The JavaScript code embedded in the signature creates a link with the page's cookies, including the forum's Session ID.

When the user browser tries to load the image by following the src link, the user's own Session ID is sent to the attacker's website.

Now, the attacker has obtained the user's Session ID and can impersonate the user on the forum.

Lesson Key Point


The attacker can inject any JavaScript code inside the signature and perform even more complex operations.

Moreover, because the code is executed by the victim user, all such operations will be executed with the privileges of the victim user.

For example, the attacker can inject an AJAX-based request that:

  1. reads the user's private page on the website;
  2. gets its sensitive data like the email address and the phone number;
  3. finally sends everything to the attacker's site.

XSS attacks can also make the victim users perform disruptive operations, like deleting the users' posts on the forum.

So, how do you defend against these dangerous attacks?

Let’s find out in the next lesson.

Lesson takeaways

  • Stored XSS attacks target all the users of the compromised website.
  • An attacker can leverage an XSS vulnerability to obtain the users' private data.
  • XSS attacks can also force the victim users to perform disruptive operations.

Complete and Continue