๐ŸŒ
Inspectiv
inspectiv.com โ€บ articles โ€บ differences-of-stored-xss-and-reflected-xss
Differences of Stored XSS and Reflected XSS
October 10, 2025 - Because stored XSS affects anyone who interacts with the web application directly, any authenticated users can quickly experience account takeover, as exemplified in the TweetDeck attack. As opposed to reflected XSS, where attackers play a waiting game since they need the user to click on the malicious link to then reflect the malicious request off of the web application.
๐ŸŒ
GeeksforGeeks
geeksforgeeks.org โ€บ computer networks โ€บ difference-between-stored-cross-site-scripting-and-reflected-cross-site-scripting
Difference Between Stored Cross Site Scripting and Reflected Cross Site Scripting - GeeksforGeeks
August 6, 2024 - Reflected XSS occurs when an attacker tricks a user into clicking a link with harmful code.
Discussions
Stored XSS vs Reflected XSS
Stored XSS means the JavaScript is saved somewhere on the server side, either in a database, a file created and persistently available, etc. One example might be your profile page on a social media website, or a description of an item you're selling in an online shop. Usually stored XSS payloads will be accessed by others navigating around the site naturally, but they can also be fed links to bring them to the affected content. So, if someone encounters your affected profile page or shop listing, one way or another, the payload will execute. This is also referred to as persistent XSS occasionally. The word "reflected" in reflected XSS is a bit confusing, but it means that the payload is taken from a web request and included in the response. For example, if you query a search engine for "foobar," the resulting web page may say something like "Search results for foobar:" above the links it turns up. The "foobar" string is being reflected by the server. If this reflection is a vector for XSS, you're likely able to feed a link to a victim to get them to execute it, e.g. https://search.example/?q=foobar . There is a third kind of XSS, more popular now than ever: DOM-based XSS, where a payload is taken from one inert part of the DOM and unsafely inserted into a different part. The source is often the fragment identifier but doesn't need to be. I recommend the PortSwigger's Web Security Academy or even classic OWASP for a rundown on basic web application vulnerability classifications like this. More on reddit.com
๐ŸŒ r/AskComputerScience
2
2
January 22, 2022
What is the difference between stored and reflected XSS? - Cyber Security - Discussion Forum | Board Infinity
In this, the victim retrieves the malicious script from the server when requests the stored information. Reflected XSS Attacks - In this, the user has to send the request first, then it will start running on the victimโ€™s browser and reflects results from the browser to the user who sent the ... More on discuss.boardinfinity.com
๐ŸŒ discuss.boardinfinity.com
0
July 13, 2021
What is the difference between stored xss and reflected xss? - Stack Overflow
I was not able to understand what the difference between stored xss and reflected xss is. Can you tell me with an example? More on stackoverflow.com
๐ŸŒ stackoverflow.com
Self XSS vs Reflected XSS
you are partly correct, if its reflected in url it is reflected xss but that doesnt mean other cases are self . self means you can not use it to exploit another user execept your self . read my answer again carefully . self xss can occur as stored xss or Dom xss . More on stackoverflow.com
๐ŸŒ stackoverflow.com
Videos
29:07
๐ŸŒ YouTube
Stored, Blind, Reflected and DOM - Everything Cross--Site Scripting ...
May 5, 2023
๐ŸŒ youtube.com
Demystifying XSS: Reflected vs. Stored | Hands-On Portswigger Labs ...
April 28, 2024
08:41
๐ŸŒ YouTube
โŒ XSS Attacks Explained โ€“ How HACKERS steal data with one line ...
February 22, 2025
๐ŸŒ youtube.com
XSS Explained in 3 Minutes: Reflected, Stored, and DOM ...
03:14
๐ŸŒ YouTube
How Is Stored XSS Different From Reflected XSS? - YouTube
November 29, 2025
02:16
๐ŸŒ YouTube
What Is the Difference Between Stored and Reflected XSS? - ...
November 5, 2024
10
View all
View all
๐ŸŒ
OWASP Foundation
owasp.org โ€บ www-community โ€บ Types_of_Cross-Site_Scripting
Types of XSS | OWASP Foundation
In some cases, the user provided data may never even leave the browser (see DOM Based XSS below). Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.
๐ŸŒ
Reddit
reddit.com โ€บ r/askcomputerscience โ€บ stored xss vs reflected xss
r/AskComputerScience on Reddit: Stored XSS vs Reflected XSS
January 22, 2022 -

Stored XSS: The malicious script is stored on the webserver.

Reflected XSS: The malicious script is reflected off the webserver.

But the above doesn't help me. Can you please explain it to me (reflected, in specific) ?

Top answer
1 of 1
4
Stored XSS means the JavaScript is saved somewhere on the server side, either in a database, a file created and persistently available, etc. One example might be your profile page on a social media website, or a description of an item you're selling in an online shop. Usually stored XSS payloads will be accessed by others navigating around the site naturally, but they can also be fed links to bring them to the affected content. So, if someone encounters your affected profile page or shop listing, one way or another, the payload will execute. This is also referred to as persistent XSS occasionally. The word "reflected" in reflected XSS is a bit confusing, but it means that the payload is taken from a web request and included in the response. For example, if you query a search engine for "foobar," the resulting web page may say something like "Search results for foobar:" above the links it turns up. The "foobar" string is being reflected by the server. If this reflection is a vector for XSS, you're likely able to feed a link to a victim to get them to execute it, e.g. https://search.example/?q=foobar . There is a third kind of XSS, more popular now than ever: DOM-based XSS, where a payload is taken from one inert part of the DOM and unsafely inserted into a different part. The source is often the fragment identifier but doesn't need to be. I recommend the PortSwigger's Web Security Academy or even classic OWASP for a rundown on basic web application vulnerability classifications like this.
๐ŸŒ
PortSwigger
portswigger.net โ€บ web-security โ€บ cross-site-scripting
What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy
Reflected XSS, where the malicious script comes from the current HTTP request. Stored XSS, where the malicious script comes from the website's database.
๐ŸŒ
Trend Micro
trendmicro.com โ€บ en_us โ€บ research โ€บ 23 โ€บ e โ€บ cross-site-scripting-xss-attacks.html
3 Types of Cross-Site Scripting (XSS) Attacks | Trend Micro (US)
May 11, 2023 - A strong CSP gives you control of scripts and the web page locations where they may be loaded and run. ... In a stored XSS attack, a malicious script saves user input to the target server.
๐ŸŒ
GraphNode
graphnodesoftware.com โ€บ blog โ€บ stored-vs-reflected-xss
Stored vs Reflected XSS: Two Attacks, Different Detection
April 26, 2026 - The attacker steals what the legitimate ... where the unsafe data enters the pipeline and how it reaches the sink. Reflected XSS is the URL-parameter case....
Find elsewhere
๐ŸŒ
Brierandthorn
brierandthorn.com โ€บ post โ€บ cross-site-scripting-101-stored-vs-reflected
Cross-Site Scripting 101: Stored vs Reflected, Fortnite, and general sanitization
October 20, 2022 - The biggest difference between stored and reflected XSS attacks is that stored ones do not need to induce the user to make a request containing the exploit, the exploit is already in the application and only the user is expected to find it.
๐ŸŒ
Medium
serhiikoziy.medium.com โ€บ xss-attacks-stored-and-reflected-fcc6926f231e
XSS Attacks: Stored and Reflected | by Serhii Koziy | Medium
January 21, 2025 - Stored XSS: The malicious script is permanently stored on the target server (e.g., in a database or file system). Victims unknowingly execute the script when they access the infected data.
๐ŸŒ
Medium
medium.com โ€บ @sudip-says-hi โ€บ what-is-stored-xss-and-how-to-prevent-it-4102a5a4f9d4
What Is Stored Xss And How To Prevent It | by Sudip Sengupta | Medium
May 26, 2022 - Stored XSS differs from reflected XSS. In reflected XSS, the server executes the malicious content and includes it only in the immediate HTTP response, whereas, in stored XSS, the arbitrary code gets stored.
๐ŸŒ
Medium
hacking-notes.medium.com โ€บ from-reflected-to-stored-unveiling-hidden-vulnerabilities-of-self-xss-3f3c021014ee
From Reflected to Stored: Unveiling Hidden Vulnerabilities of Self XSS | by Hacking Notes | Medium
August 23, 2024 - When the malicious script is reflected ... malicious actions. Stored XSS, on the other hand, involves injecting malicious scripts into a web application where they are then stored and served to other users....
๐ŸŒ
DevCentral
community.f5.com โ€บ devcentral โ€บ articles โ€บ technical articles
Detailed Analysis of Cross-Site Scripting (XSS) security exploit paths.
June 6, 2023 - Due to their nonpersistent nature, the malicious code is not stored on the vulnerable webserver, and hence it is generally necessary to trick a victim into opening a malicious link in order to exploit a reflected XSS vulnerability.
๐ŸŒ
Bright Security
brightsec.com โ€บ blog โ€บ stored-xss
Stored XSS: Impact, Examples, and Prevention - Bright Security
August 10, 2025 - This is in contrast to a reflected XSS attack, in which victims must click a malicious link to be affected. This means stored XSS can impact many more website users, including those who are security conscious and careful about clicking unknown links.
๐ŸŒ
Board Infinity
discuss.boardinfinity.com โ€บ cyber security
What is the difference between stored and reflected XSS? - Cyber Security - Discussion Forum | Board Infinity
July 13, 2021 - Stored XSS Attacks - The attacks where the injected scripts are stored on the target servers permanently. In this, the victim retrieves the malicious script from the server when requests the stored information.
๐ŸŒ
Quora
websecuritytips.quora.com โ€บ 4-important-stored-xss-vs-reflected-xss-differences
4 important stored xss vs reflected xss differences
Here we share web security articles and vulnerabilities prevention
๐ŸŒ
Stack Overflow
stackoverflow.com โ€บ questions โ€บ 45952778 โ€บ what-is-the-difference-between-stored-xss-and-reflected-xss
What is the difference between stored xss and reflected xss? - Stack Overflow
Top answer
1 of 3
11

Stored XSS means that some persistant data (typically stored in a database) are not sanitized in a page, which implies that everyone can be affected by the vulnerability. For example, imagine a forum where users' answers posted are not escaped. If someone posts a topic with some HTML on it, everyone that goes to the topic page will be affected! The risks can generally be important, since it affects all users and can widespread rapidly (a typical example is Myspace XSS worm which impacted one million users in 20 hours).

Reflected XSS, on the contrary, means that non-persistent data (generally data provided by the client through form submission) are not escaped. For instance, imagine a search engine where in the results list page, your search keywords are redisplayed (and not sanitized). You could then put html on your research and it will be executed. While the risks of this vulnerability are less obvious, since it only affects the user who made the injection, it can be a problem too. For example if a malicious user sends a link with the injection on it to a victim, and the victim clicks on the link.

2 of 3
3

With perspective of business impact on system

Stored XSS is persisted into the system and hence is visible to anyone else who comes and reads the content stored. For example, if I edit a page in wikipedia and inject some javascript code, that will be visible to all new visitors.

Reflected XSS on other hand is like I input some code, which is reflected back to me alone. This one will not be in general visible to others, however such a vulnerability can be utilized by hacker for clickjacking. Suppose an url parameter for a search results page can be converted to a code script. This url can be send people over emails and they would click on it to see the malicious code executed on our business site. Though no such code existed in our site, lack of input validation will result in such urls to show malicious content on our site as if it were there and business owner will lose their brand reputation.

๐ŸŒ
Invicti
invicti.com โ€บ learn โ€บ reflected-xss-non-persistent-cross-site-scripting
Reflected XSS (non-persistent cross-site scripting)
Reflected XSS is a type of cross-site ... script as part of the web page. The key difference compared to stored or persistent XSS is that the attack payload is not saved on the server....
๐ŸŒ
Coventry University
github.coventry.ac.uk โ€บ pages โ€บ aa9863 โ€บ 5067CEM โ€บ 8_XSS โ€บ TypesOfXss
Types of XSS - 5067CEM: Web Security
Inputs to databases are often sanitised, meaning it can be harder to get a stored XSS attack past the defences. On the other hand, reflected attacks will tend to crop up in debugging/user information, and are only visible to the user who sent the request.
๐ŸŒ
Stack Overflow
stackoverflow.com โ€บ questions โ€บ 62029554 โ€บ self-xss-vs-reflected-xss
Self XSS vs Reflected XSS
Top answer
1 of 2
5

Reflected XSS occurs when user input included in the url address is reflected in the page source un-unescape .
Now, a lot of things can be user input such as your input in search form , the url adress itself . an example is

https://vulnerable.com/<script>alert(1)</script>
lets say after visiting the url and you check the page source in your browser and you see <script>alert(1)</script> somewhere in the page source . This is a reflected xss and can be used to exploit other users since anyone who visited that link will have the xss fired and their cookies stolen if lacking the httponly flag

Self XSS self Xss is an xss that executes in the context of the user who submits the payload . Say web app has profile function and in the profile function you have an option to specify a nickname . now in this web app you cant view other user profiles , meaning thier is no way to make another user view your profile . Most bank apps are like this. Now, if the nick name parameter is vulnerable to xss , The xss here would be self xss because only you can view your user profile and the xss will only execute in your own context . You can agree that stealing your own cookies isnt of any impact

2 of 2
2

Reflected XSS vulnerabilities typically refer to links that you can trick people into clicking - if the user follows them then the javascript is executed, eg https://www.example.com/example?search=<script>alert(1);</script>

Self XSS vulnerabilities typically require the user to type something in, such as putting <script>alert(1);</script> in a form field where the value is not populated from a URL or form parameter. So you can only impact yourself with self XSS vulnerabilities unless you have a really gullible user :)

๐ŸŒ
Madanswer
madanswer.com โ€บ 33510 โ€บ what-is-the-difference-between-stored-and-reflected-xss-in-cybersecurity
What is the difference between stored and reflected XSS in CyberSecurity? - Madanswer Technologies Interview Questions Data|Agile|DevOPs|Python
September 10, 2020 - What is the difference between stored and reflected XSS in CyberSecurity?
Related queries
stored vs reflected xss example
dom-based xss
stored xss example
types of xss
stored xss
stored xss severity
stored xss owasp
stored vs reflected xss reddit