Stored vs. Reflected XSS
Compare stored and reflected cross-site scripting (XSS) vulnerabilities and common defenses against XSS attacks.
Comparison of Stored and Reflected XSS Vulnerabilities
Stored XSS:
- Definition: Stored XSS occurs when malicious scripts are injected into a website’s stored content, such as in a database, and are subsequently served to users without proper sanitization.
- Persistence: The malicious script is permanently stored on the target server and is served to users whenever the infected content is accessed.
- Example: An attacker posts a malicious script in a comment section, and every time users visit the page with the comment, the script executes.
- Impact: Can affect multiple users, leading to a broader scope of attack since the script is executed every time the stored content is accessed by any user.
Reflected XSS:
- Definition: Reflected XSS occurs when a malicious script is reflected off a web server, typically via a URL parameter, and immediately executed by the user’s browser.
- Persistence: The malicious script is not stored on the server; it is part of a URL and executed immediately upon being reflected back to the user.
- Example: An attacker crafts a URL containing a malicious script in a query parameter and tricks a user into clicking the URL, causing the script to execute.
- Impact: Typically affects a single user who clicks on the malicious link, making it a more targeted attack.
Common Defenses Against XSS Attacks
- Input Validation:
- Description: Validate all user inputs to ensure they conform to expected formats and reject malicious inputs.
- Stored XSS: Validate inputs before storing them in the database.
- Reflected XSS: Validate inputs before reflecting them back in the response.
- Output Encoding:
- Description: Encode data before displaying it in the browser to prevent the execution of malicious scripts.
- Stored XSS: Encode outputs when retrieving and displaying data from the database.
- Reflected XSS: Encode outputs when reflecting user inputs in the response.
- Content Security Policy (CSP):
- Description: Implement a CSP to restrict the sources from which scripts can be executed.
- Stored XSS: Helps mitigate the impact of stored scripts by limiting where scripts can be loaded from.
- Reflected XSS: Provides a defense-in-depth approach to prevent reflected scripts from executing.
- Sanitization Libraries:
- Description: Use trusted libraries to sanitize user inputs and outputs, removing or neutralizing malicious scripts.
- Stored XSS: Sanitize inputs before storing them and outputs before displaying them.
- Reflected XSS: Sanitize inputs before reflecting them back in the response.
- HTTPOnly and Secure Cookies:
- Description: Use HTTPOnly and Secure flags for cookies to prevent them from being accessible via JavaScript and to ensure they are only transmitted over HTTPS.
- Stored XSS: Reduces the risk of cookie theft via stored scripts.
- Reflected XSS: Reduces the risk of cookie theft via reflected scripts.
- Web Application Firewalls (WAFs):
- Description: Deploy a WAF to detect and block malicious requests that contain XSS payloads.
- Stored XSS: Can help detect and block malicious inputs before they are stored.
- Reflected XSS: Can help detect and block malicious reflected requests.
Summary Table
| Aspect | Stored XSS | Reflected XSS |
| Definition | Malicious scripts stored and served from the server | Malicious scripts reflected off the server and executed immediately |
| Persistence | Script is stored on the server | Script is part of a URL and not stored |
| Example | Malicious comment in a blog post | Malicious URL with a query parameter |
| Impact | Affects multiple users | Typically affects a single user |
| Input Validation | Validate inputs before storage | Validate inputs before reflection |
| Output Encoding | Encode outputs when retrieving data | Encode outputs when reflecting data |
| CSP | Limits script execution sources | Limits script execution sources |
| Sanitization | Sanitize inputs and outputs | Sanitize inputs and outputs |
| Cookies | Use HTTPOnly and Secure flags | Use HTTPOnly and Secure flags |
| WAFs | Block malicious inputs before storage | Block malicious reflected requests |
Conclusion
Both stored and reflected XSS vulnerabilities can have severe impacts on users and applications. Implementing comprehensive defenses, including input validation, output encoding, content security policies, sanitization, secure cookie practices, and web application firewalls, is essential to protect against these attacks.