×
1 Choose EITC/EITCA Certificates
2 Learn and take online exams
3 Get your IT skills certified

Confirm your IT skills and competencies under the European IT Certification framework from anywhere in the world fully online.

EITCA Academy

Digital skills attestation standard by the European IT Certification Institute aiming to support Digital Society development

LOG IN TO YOUR ACCOUNT

CREATE AN ACCOUNT FORGOT YOUR PASSWORD?

FORGOT YOUR PASSWORD?

AAH, WAIT, I REMEMBER NOW!

CREATE AN ACCOUNT

ALREADY HAVE AN ACCOUNT?
EUROPEAN INFORMATION TECHNOLOGIES CERTIFICATION ACADEMY - ATTESTING YOUR PROFESSIONAL DIGITAL SKILLS
  • SIGN UP
  • LOGIN
  • INFO

EITCA Academy

EITCA Academy

The European Information Technologies Certification Institute - EITCI ASBL

Certification Provider

EITCI Institute ASBL

Brussels, European Union

Governing European IT Certification (EITC) framework in support of the IT professionalism and Digital Society

  • CERTIFICATES
    • EITCA ACADEMIES
      • EITCA ACADEMIES CATALOGUE<
      • EITCA/CG COMPUTER GRAPHICS
      • EITCA/IS INFORMATION SECURITY
      • EITCA/BI BUSINESS INFORMATION
      • EITCA/KC KEY COMPETENCIES
      • EITCA/EG E-GOVERNMENT
      • EITCA/WD WEB DEVELOPMENT
      • EITCA/AI ARTIFICIAL INTELLIGENCE
    • EITC CERTIFICATES
      • EITC CERTIFICATES CATALOGUE<
      • COMPUTER GRAPHICS CERTIFICATES
      • WEB DESIGN CERTIFICATES
      • 3D DESIGN CERTIFICATES
      • OFFICE IT CERTIFICATES
      • BITCOIN BLOCKCHAIN CERTIFICATE
      • WORDPRESS CERTIFICATE
      • CLOUD PLATFORM CERTIFICATENEW
    • EITC CERTIFICATES
      • INTERNET CERTIFICATES
      • CRYPTOGRAPHY CERTIFICATES
      • BUSINESS IT CERTIFICATES
      • TELEWORK CERTIFICATES
      • PROGRAMMING CERTIFICATES
      • DIGITAL PORTRAIT CERTIFICATE
      • WEB DEVELOPMENT CERTIFICATES
      • DEEP LEARNING CERTIFICATESNEW
    • CERTIFICATES FOR
      • EU PUBLIC ADMINISTRATION
      • TEACHERS AND EDUCATORS
      • IT SECURITY PROFESSIONALS
      • GRAPHICS DESIGNERS & ARTISTS
      • BUSINESSMEN AND MANAGERS
      • BLOCKCHAIN DEVELOPERS
      • WEB DEVELOPERS
      • CLOUD AI EXPERTSNEW
  • FEATURED
  • SUBSIDY
  • HOW IT WORKS
  •   IT ID
  • ABOUT
  • CONTACT
  • MY ORDER
    Your current order is empty.
EITCIINSTITUTE
CERTIFIED

What is the difference between reflected XSS and stored XSS?

by EITCA Academy / Saturday, 05 August 2023 / Published in Cybersecurity, EITC/IS/WASF Web Applications Security Fundamentals, Cross-site scripting, Cross-Site Scripting (XSS), Examination review

Reflected XSS and stored XSS are two types of cross-site scripting (XSS) vulnerabilities that can compromise the security of web applications. While they both involve injecting malicious code into a website, they differ in how the code is delivered and executed.

Reflected XSS, also known as non-persistent XSS, occurs when the injected code is embedded in a URL parameter or a form input field. The malicious code is then reflected back to the user's browser without being stored on the server. When the user visits a specially crafted link or submits a manipulated form, the injected code is executed in the context of the victim's browser. This can lead to various attacks, such as stealing sensitive information, session hijacking, or defacing the website.

For example, consider a vulnerable search functionality that echoes the user's input without proper sanitization. An attacker could construct a malicious URL like:

https://example.com/search?query=<script>alert('XSS')</script>

When a victim clicks on this link, the script tag and its payload are reflected back in the search results page, causing the alert to pop up in the victim's browser.

On the other hand, stored XSS, also known as persistent XSS, involves injecting malicious code that is permanently stored on the target server. This type of vulnerability arises when user-supplied data is stored in a database or a file and later retrieved and displayed on web pages without proper sanitization. The injected code is then served to every user who accesses the affected page, increasing the potential impact of the attack.

For instance, imagine a comment section on a blog where user comments are not properly sanitized. An attacker could post a comment containing malicious JavaScript code:

<script>document.cookie='session_id=123456';</script>

Whenever a user views the blog post, the script tag and its payload are rendered by the server, allowing the attacker to steal the victim's session cookie.

To summarize, the main difference between reflected XSS and stored XSS lies in how the malicious code is delivered and executed. Reflected XSS involves injecting code that is immediately reflected back to the user's browser, while stored XSS involves injecting code that is stored on the server and served to multiple users. Both types of XSS vulnerabilities can have severe consequences, compromising the confidentiality, integrity, and availability of web applications.

Other recent questions and answers regarding Cross-site scripting:

  • Do stored XSS attacks occur when a malicious script is included in a request to a web application and then sent back to the user?
  • What is Content Security Policy (CSP) and how does it help mitigate the risk of XSS attacks?
  • Describe how an attacker can inject JavaScript code disguised as a URL in a server's error page to execute malicious code on the site.
  • Explain how AngularJS can be exploited to execute arbitrary code on a website.
  • How does an attacker exploit a vulnerable input field or parameter to perform an echoing XSS attack?
  • What is cross-site scripting (XSS) and why is it considered a common vulnerability in web applications?
  • What is the proposed solution in the research paper "CSP is dead, long live CSP" to address the challenges of CSP implementation?
  • What are the limitations and challenges associated with implementing CSP?
  • How does Content Security Policy (CSP) help protect against XSS attacks?
  • What are some common defenses against XSS attacks?

View more questions and answers in Cross-site scripting

More questions and answers:

  • Field: Cybersecurity
  • Programme: EITC/IS/WASF Web Applications Security Fundamentals (go to the certification programme)
  • Lesson: Cross-site scripting (go to related lesson)
  • Topic: Cross-Site Scripting (XSS) (go to related topic)
  • Examination review
Tagged under: Cross-Site Scripting, Cybersecurity, Reflected XSS, Stored XSS, Web Application Security, XSS
Home » Cross-site scripting / Cross-Site Scripting (XSS) / Cybersecurity / EITC/IS/WASF Web Applications Security Fundamentals / Examination review » What is the difference between reflected XSS and stored XSS?

Certification Center

USER MENU

  • My Account

CERTIFICATE CATEGORY

  • EITC Certification (105)
  • EITCA Certification (9)

What are you looking for?

  • Introduction
  • How it works?
  • EITCA Academies
  • EITCI DSJC Subsidy
  • Full EITC catalogue
  • Your order
  • Featured
  •   IT ID
  • EITCA reviews (Medium publ.)
  • About
  • Contact

EITCA Academy is a part of the European IT Certification framework

The European IT Certification framework has been established in 2008 as a Europe based and vendor independent standard in widely accessible online certification of digital skills and competencies in many areas of professional digital specializations. The EITC framework is governed by the European IT Certification Institute (EITCI), a non-profit certification authority supporting information society growth and bridging the digital skills gap in the EU.

Eligibility for EITCA Academy 80% EITCI DSJC Subsidy support

80% of EITCA Academy fees subsidized in enrolment by

    EITCA Academy Secretary Office

    European IT Certification Institute ASBL
    Brussels, Belgium, European Union

    EITC / EITCA Certification Framework Operator
    Governing European IT Certification Standard
    Access contact form or call +32 25887351

    Follow EITCI on X
    Visit EITCA Academy on Facebook
    Engage with EITCA Academy on LinkedIn
    Check out EITCI and EITCA videos on YouTube

    Funded by the European Union

    Funded by the European Regional Development Fund (ERDF) and the European Social Fund (ESF) in series of projects since 2007, currently governed by the European IT Certification Institute (EITCI) since 2008

    Information Security Policy | DSRRM and GDPR Policy | Data Protection Policy | Record of Processing Activities | HSE Policy | Anti-Corruption Policy | Modern Slavery Policy

    Automatically translate to your language

    Terms and Conditions | Privacy Policy
    EITCA Academy
    • EITCA Academy on social media
    EITCA Academy


    © 2008-2025  European IT Certification Institute
    Brussels, Belgium, European Union

    TOP
    Chat with Support
    Chat with Support
    Questions, doubts, issues? We are here to help you!
    End chat
    Connecting...
    Do you have any questions?
    Do you have any questions?
    :
    :
    :
    Send
    Do you have any questions?
    :
    :
    Start Chat
    The chat session has ended. Thank you!
    Please rate the support you've received.
    Good Bad