Reflected XSS: Differences and Relationship with Stored and DOM XSS

  • Home
  • Reflected XSS: Differences and Relationship with Stored and DOM XSS
a broken lock and reflection

Cross-site Scripting (XSS) is a prevalent security vulnerability in web applications that allows attackers to inject malicious scripts into web pages viewed by users. In this blog post, we will explore the concept of reflected XSS, compare it with stored and DOM XSS, and discuss if reflected XSS can also be stored or DOM XSS.

Reflected XSS: An Overview

Reflected XSS occurs when a web application includes unsanitized user input in its response. The attacker crafts a URL containing the malicious script and sends it to the victim. When the victim clicks on the link, the web application reflects the script back to the user’s browser, where it is executed. Since the script is not stored on the server, the attack relies on social engineering to trick users into clicking the malicious link.

Stored XSS: A Comparison

Stored XSS, also known as persistent XSS, differs from reflected XSS in that the malicious script is saved on the server. The attacker submits the malicious payload through a form, comment, or any input field that is stored in the web application’s database. When users access the affected page, their browsers execute the stored script.

Key differences between reflected and stored XSS include:

  • Reflected XSS requires user interaction (clicking a link), while stored XSS does not.
  • Reflected XSS is not saved on the server, while stored XSS is.
  • Stored XSS typically affects multiple users, whereas reflected XSS targets specific victims.

DOM XSS: A Comparison

DOM XSS is a type of XSS vulnerability that occurs when a web application processes user input insecurely in the client-side JavaScript code. The attack takes place in the browser’s Document Object Model (DOM) when a user input is handled unsafely by the JavaScript code. Unlike reflected and stored XSS, DOM XSS does not rely on server-side processing of the payload.

Key differences between reflected and DOM XSS include:

  • Reflected XSS involves server-side processing, while DOM XSS occurs entirely in the client’s browser.
  • Reflected XSS requires the malicious payload to be part of the URL, while DOM XSS does not.

Can Reflected XSS also be Stored or DOM XSS?

In some cases, a reflected XSS vulnerability can also be a DOM XSS vulnerability. This occurs when the web application uses client-side JavaScript to process user input and manipulate the DOM without proper sanitization. In this scenario, the payload is part of the URL (as in reflected XSS) but is executed in the DOM, combining both attack types.

However, it is essential to note that reflected XSS cannot be stored XSS, as these are distinct attack types with different mechanisms. Reflected XSS relies on user interaction and is not stored on the server, while stored XSS is saved on the server and does not require user interaction to execute the malicious script.


Understanding the differences between reflected, stored, and DOM XSS is crucial in developing secure web applications. While there are instances where a reflected XSS vulnerability can also be a DOM XSS vulnerability, it is essential to remember that reflected and stored XSS are separate attack types. Developers should employ proper input validation, output encoding, and secure coding practices to protect web applications from XSS vulnerabilities.

Check out the following links to learn more:

Portswigger XSS