What is the Difference Between DOM Based XSS and Reflected XSS

The main difference between DOM-based XSS and reflected XSS is that DOM-based XSS occurs when client-side script takes data from an untrusted source and writes it to a potentially dangerous sink within the DOM, whereas reflected XSS occurs when an application takes data from an HTTP request and includes that data in the immediate response in an unsafe way.

Generally, XSS stands for Cross-Site Scripting, which is a common attack against websites. An attacker can use it to steal the cookies of a website's users, change user settings and present victims with malware downloads; it is also a common vehicle for phishing attacks. XSS payloads are usually written in JavaScript. There are several types of XSS attacks, and two of them are DOM-based XSS and reflected XSS.

Key Areas Covered

1. What is DOM Based XSS
     - Definition, Functionality
2. What is Reflected XSS
     - Definition, Functionality
3. Difference Between DOM Based XSS and Reflected XSS
     - Comparison of key differences

Key Terms

Cookie, DOM Based XSS, Non-persistent XSS, Reflected XSS, XSS

Difference Between DOM Based XSS and Reflected XSS - Comparison Summary

What is DOM Based XSS

DOM-based XSS is an advanced form of XSS. Here, client-side code in the web application reads data from the DOM and writes it back into the page. If that data is handled incorrectly, an attacker can inject a payload that becomes part of the DOM and executes in the browser.

Generally, DOM-based XSS attacks are client-side attacks: the malicious payload is never sent to the server. Web Application Firewalls (WAFs) and other server-side security controls therefore find them difficult to detect, because nothing about the payload appears in the server logs.

What is Reflected XSS

Reflected XSS, or non-persistent XSS, is a type of XSS in which the attacker's payload becomes part of the request that goes to the web server. The server then reflects it back, so that the HTTP response includes the payload from the HTTP request. The attacker can use malicious links, phishing emails, etc. to make users send such requests to the server. Finally, the reflected XSS payload executes in the user's browser. As reflected XSS is not a persistent attack, the attacker has to deliver the payload to each victim separately.

Difference Between DOM Based XSS and Reflected XSS

Definition

DOM-based XSS is an advanced type of XSS that occurs when data is written to the Document Object Model (DOM). Reflected XSS, the second type of XSS and the most common one, is a type of XSS in which the attacker's payload is part of the request that is sent to the web server.

Functionality

While DOM-based XSS occurs when client-side code processes data from an untrusted source by writing it to a potentially dangerous sink within the DOM, reflected XSS occurs when an application obtains data from an HTTP request and includes that data in the immediate response in an unsafe way. Thus, this is the main difference between DOM-based XSS and reflected XSS.
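The source/sink contrast above, and the earlier point that a DOM-based payload leaves no trace in server logs, as an added example that is not part of the original article. It runs under Node; the plain object standing in for a DOM element, the `escapeHtml` helper and the sample URLs are assumptions of the example.

```javascript
// Escape the characters that can break out of an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Reflected XSS: the server echoes a query parameter into the response body.
function reflectedUnsafe(searchTerm) {   // request data copied verbatim
  return `<p>Results for: ${searchTerm}</p>`;
}
function reflectedSafe(searchTerm) {     // encoded before it reaches the response
  return `<p>Results for: ${escapeHtml(searchTerm)}</p>`;
}

// DOM-based XSS: page script reads location.hash (the source) and writes it
// into the document (the sink). `element` is any object with innerHTML and
// textContent properties, e.g. a real DOM node; a plain object is used below.
function domUnsafe(element, hash) {
  // innerHTML parses markup, so hash data can become live elements
  element.innerHTML = "Welcome " + decodeURIComponent(hash.slice(1));
}
function domSafe(element, hash) {
  // textContent never parses markup; the same data is shown as inert text
  element.textContent = "Welcome " + decodeURIComponent(hash.slice(1));
}

// The request target a server would log for a link: the fragment after '#'
// is never sent in the HTTP request, so a hash-carried DOM-based payload
// leaves no server-side record, while a query-carried reflected one does.
function requestTargetSeenByServer(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Constructed sample input: markup, not an exploit against any real site.
const SAMPLE = "<script>x()</script>";

const unsafeEl = { innerHTML: "", textContent: "" };
const safeEl = { innerHTML: "", textContent: "" };
domUnsafe(unsafeEl, "#" + encodeURIComponent(SAMPLE));
domSafe(safeEl, "#" + encodeURIComponent(SAMPLE));
console.log("reflected, unsafe:", reflectedUnsafe(SAMPLE));
console.log("reflected, safe:  ", reflectedSafe(SAMPLE));
console.log("DOM sink, unsafe: ", unsafeEl.innerHTML);
console.log("DOM sink, safe:   ", safeEl.textContent);
console.log("logged (reflected):", requestTargetSeenByServer("https://example.com/search?q=term"));
console.log("logged (DOM-based):", requestTargetSeenByServer("https://example.com/page#" + SAMPLE));
```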

Complexity

Furthermore, DOM-based XSS attacks are more complex than reflected XSS attacks. Hence, this is another difference between DOM-based XSS and reflected XSS.

Conclusion

In brief, two types of XSS attacks are DOM-based XSS and reflected XSS. The main difference between DOM-based XSS and reflected XSS is their functionality. DOM-based XSS is a type of XSS in which client-side code processes data from an untrusted source by writing it to a potentially dangerous sink within the DOM. Reflected XSS, on the other hand, is a type of XSS that occurs when an application obtains data from an HTTP request and includes that data in the immediate response in an unsafe way.

Image Courtesy:

1. "Cross-Site Scripting (XSS)" By Batka savemazaalai – Own work (CC BY-SA 4.0) via Commons Wikimedia

About the Author: Lithmee

Lithmee holds a Bachelor of Science degree in Computer Systems Engineering and is reading for her Master's degree in Computer Science. She is passionate about sharing her knowledge in the areas of programming, data science, and computer systems.