Unit 5 • Topic 5.1 • Application and Data Vulnerabilities
Cross-Site Scripting (XSS): Reflected vs Stored Attacks
A cross-site scripting (XSS) attack injects malicious code into a website that a victim's browser then executes. Because the code runs in the browser, it can steal session data or act as the user. The two types differ by how the code reaches the victim.
XSS code runs in the browser; it arrives by link or by being stored.
How XSS works
Websites use JavaScript to run code in the visitor's browser. In an XSS attack, the adversary gets malicious JavaScript onto a trusted site, and the victim's browser runs it as if it came from that site. That lets the code reach sensitive data the browser holds, like session tokens, usernames, and passwords.
The two types differ only by where the malicious code lives.
| | Reflected (Type I) | Stored (Type II) |
|---|---|---|
| Where the code lives | In a link the victim clicks | Saved on the site (comment, forum post, visitor log) |
| Who is affected | The one user who clicks the link | Every visitor who loads the page |
| Runs in | The victim's browser | The victim's browser |
Scenario
An attacker posts a comment containing a script, and every visitor who views it runs the script. Which XSS type is this?
Answer
Stored (Type II) XSS. The code is saved on the site through the comment field, so it executes for all visitors, not just one.
Exam tip
Where the code lives is the discriminator: in a clicked link = reflected (Type I), saved on the site = stored (Type II). Both run in the victim's browser.
Preventing and detecting XSS
Like SQL injection, XSS is defeated by input sanitization: cleaning and encoding user input so the browser treats it as text to display, not code to run. Building applications to be secure by design, which means distrusting all input, closes the gap.
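The encoding step, shown as an added example that is not part of the original page: a saved comment is rendered once by plain concatenation and once after HTML-encoding. The function names (`escapeHtml`, `renderCommentUnsafe`, `renderCommentSafe`) and the sample comment are hypothetical, and the encoding covers HTML body and quoted-attribute contexts only.

```javascript
// Added example: HTML-encode user input before it is placed in a page.
// All names below are hypothetical and chosen for illustration.

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that has meaning in HTML with its entity,
// so the browser displays it instead of interpreting it.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the saved comment is concatenated into the page as markup.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: the saved comment is encoded first, so it can only be text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed sample: a comment as a comment form might have saved it.
const storedComment = '<script>alert("xss")</script>';

console.log("unsafe:", renderCommentUnsafe(storedComment));
console.log("safe:  ", renderCommentSafe(storedComment));
// Ordinary text survives encoding and still reads normally in the browser.
console.log("text:  ", renderCommentSafe("Tom & Jerry's <3"));
```

The unsafe output still contains a live `<script>` element; the safe output contains only `&lt;script&gt;`, which the browser shows as the literal characters.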
When sanitization is missing, XSS attempts can be caught by reviewing user input for script tags.
Detection signature
Reviewing user input for script tags reveals XSS attempts:
Input sanitization encodes these characters so the browser shows them as harmless text instead of executing them.
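One way to run the script-tag review described above over logged input, as an added example that is not from the original page. The log line format, the sample lines, and the function names are constructed for illustration; the check also decodes percent-encoding, since reflected input arrives in a link.

```javascript
// Added example: flag logged input that contains a script tag.
// Log format, sample lines and function names are constructed.

// Matches an opening or closing script tag, any letter case.
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;

// Undo percent-encoding (bounded to three passes) so a tag sent in a
// URL query string is compared in the same form as one sent in a form body.
function normalize(value) {
  let current = value;
  for (let pass = 0; pass < 3; pass++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current.replace(/\+/g, " "));
    } catch {
      break; // malformed escape sequence: keep the last good form
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Return the 1-based line number and raw text of every suspicious line.
function findScriptTagInputs(logLines) {
  const flagged = [];
  logLines.forEach((text, index) => {
    if (SCRIPT_TAG.test(normalize(text))) flagged.push({ line: index + 1, text });
  });
  return flagged;
}

// Constructed sample log: two attempts among ordinary requests.
const sampleLog = [
  "POST /comments author=ana body=Great post, thanks!",
  "POST /comments author=bob body=<script>alert(1)</script>",
  "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
  "GET /search?q=javascript+tutorial",
  "POST /comments author=cy body=I wrote a shell script for this",
];

for (const hit of findScriptTagInputs(sampleLog)) {
  console.log(`line ${hit.line}: ${hit.text}`);
}
```

Lines 2 and 3 are flagged; the lines that merely mention "script" or "javascript" are not, because the pattern requires the opening angle bracket of a tag.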
Scenario
How does input sanitization stop a stored XSS payload in a comment?
Answer
It encodes the input so the browser displays the script as text instead of running it, so the saved comment cannot execute as code.
Exam tip
XSS runs code in the browser; SQL injection runs commands against the database. Both share the same root cause and the same fix: input sanitization.
Real-world example
Stored XSS in comment fields
Classic stored XSS hides a script in a comment, forum post, or visitor log. Every visitor who loads the page runs it, which is why unsanitized user-generated content is so dangerous.
Sanitize input so the browser shows text, not code.
Key Terms
Cross-site scripting
Injecting code a victim's browser executes.
Reflected XSS
Type I: code in a link the victim clicks.
Stored XSS
Type II: code saved on the site, hitting all visitors.
Input sanitization
Encoding input so it displays as text, not code.
Common Mistakes
Confusing XSS with SQL injection
XSS runs code in the browser; SQL injection runs commands against the database.
Mixing up reflected and stored
Reflected rides in a clicked link; stored is saved on the site and hits every visitor.
Thinking only the clicker is affected
Stored XSS affects everyone who views the page, not just one user.
Forgetting the shared fix
Input sanitization defends against both XSS and SQL injection.
Check for Understanding
Question 1
A cross-site scripting attack causes malicious code to run:
B. XSS injects code that the victim's browser executes.
Question 2
An attacker stores a script in a site's comment field, and it runs for everyone who views the page. This is:
B. Code saved on the site that affects all visitors is stored (Type II) XSS.
Question 3
Which statements are true? I. XSS runs in the browser. II. Reflected XSS rides in a clicked link. III. XSS targets the database directly.
A. I and II are correct. XSS targets the browser, not the database (that is SQL injection), so III is false.
Question 4
Reviewing logs, which input most suggests an attempted XSS attack?