Stored XSS is persisted in the system, so it is visible to anyone else who later reads the stored content. For example, if I edit a page on Wikipedia and inject some JavaScript code, it will be visible to all new visitors.

Reflected XSS, on the other hand, is when I input some code that is reflected back to me alone. In general it is not visible to others; however, such a vulnerability can be used by a hacker for "clickjacking". Suppose a URL parameter for a search results page can be turned into a script. This URL can be sent to people by email, and when they click on it the malicious code is executed on our business site. Though no such code exists on our site, the lack of input validation lets such URLs show malicious content on our site as if it were there, and the business owner loses brand reputation.
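The two cases side by side, as an added example that is not part of the original notes: one page handler that echoes a `q` URL parameter (reflected) and lists saved comments (stored), rendered once without encoding and once with HTML output encoding. The handler, the `shop.example` host and the sample values are constructed for illustration, and output encoding is used here as the fix alongside the input validation the note mentions.

```javascript
// Added example; all names and sample values are hypothetical/constructed.
const storedComments = []; // stands in for a database: survives across requests

// Encode the characters that let text break out into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// No encoding at all: this is the vulnerable behaviour.
const raw = (text) => String(text);

// Stored path: whatever is saved here is later served to every visitor.
function postComment(text) {
  storedComments.push(text);
}

// Render the search page. `encode` decides how untrusted values reach the HTML.
function handleRequest(requestUrl, encode) {
  const q = new URL(requestUrl).searchParams.get('q') || '';          // reflected input
  const items = storedComments.map((c) => `<li>${encode(c)}</li>`).join(''); // stored input
  return `<h1>Results for ${encode(q)}</h1><ul>${items}</ul>`;
}

// Constructed sample input: a harmless marker script, and two links.
const marker = '<script>alert(1)</script>';
const cleanLink = 'https://shop.example/search?q=red+shoes';
const craftedLink = 'https://shop.example/search?q=' + encodeURIComponent(marker);

// Walk through both cases and report where the marker ends up as live markup.
function demo() {
  storedComments.length = 0;
  const live = (html) => html.includes('<script>');
  const out = {
    reflectedCraftedLink: live(handleRequest(craftedLink, raw)), // only this URL is affected
    reflectedCleanLink: live(handleRequest(cleanLink, raw)),     // other visitors are not
  };
  postComment(marker);
  out.storedCleanLink = live(handleRequest(cleanLink, raw));     // now every visitor is
  out.encodedCraftedLink = live(handleRequest(craftedLink, escapeHtml)); // both paths fixed
  return out;
}

console.log(demo());
```

With encoding applied at output time, the same link and the same saved comment are displayed as text instead of being interpreted as script.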