Cross-Site Scripting (XSS)
Stored attacks are those where the injected script is permanently stored on the target servers, in places such as databases, message forums, visitor logs, and comment fields. The victim retrieves the malicious script from the server when it requests the stored information. Stored XSS is also known as Persistent or Type-I.
Reflected attacks are those where the injected script is reflected off the web server, for example in an error message, a search result, or any other response that includes input sent to the server as part of the request. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or browsing to a malicious site, the injected code is sent to the vulnerable web site, which then reflects the attack back to the user’s browser, which executes the code.
XSS flaws can be difficult to identify. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note: If one part of a website is vulnerable, there is a good chance that there are other problems as well (OWASP Web, 2014).
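The stored and reflected cases described above, each shown with and without output encoding, together with the kind of check a code review can use to see whether request input reaches the HTML intact. This is an added example, not code from OWASP; the page functions, the in-memory comment list and the probe string are all constructed for illustration.

```python
import html

# Constructed stand-in for a database table of visitor comments.
COMMENTS = []

def search_page_unsafe(query: str) -> str:
    # Reflected case: request input is copied into the response as-is.
    return f"<p>No results for {query}</p>"

def search_page_safe(query: str) -> str:
    # Same page, with the input HTML-encoded at the point of output.
    return f"<p>No results for {html.escape(query)}</p>"

def store_comment(text: str) -> None:
    # Stored case: the input is saved now and served to later visitors.
    COMMENTS.append(text)

def comments_page_unsafe() -> str:
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"

def comments_page_safe() -> str:
    return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in COMMENTS) + "</ul>"

# Harmless review probe (constructed): markup characters plus a unique marker.
PROBE = "<i data-probe='xss-review-7f3a'>\"&"

def reaches_output_unencoded(page: str, probe: str = PROBE) -> bool:
    """True if the probe appears in the HTML with its markup intact."""
    return probe in page

def review() -> dict:
    # Send the probe through every input path and inspect each rendered page.
    store_comment(PROBE)
    return {
        "search_unsafe": reaches_output_unencoded(search_page_unsafe(PROBE)),
        "search_safe": reaches_output_unencoded(search_page_safe(PROBE)),
        "comments_unsafe": reaches_output_unencoded(comments_page_unsafe()),
        "comments_safe": reaches_output_unencoded(comments_page_safe()),
    }

if __name__ == "__main__":
    for name, flagged in review().items():
        status = "input reaches HTML unencoded" if flagged else "encoded"
        print(f"{name}: {status}")
```

The stored path is flagged even though the probe was submitted in an earlier call, which is why a review has to follow data from where it is saved to every page that later renders it.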
OWASP Web. (2014, April). Cross-site Scripting (XSS). Retrieved August 14, 2015, from https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)