3

I am confused about the difference between these two. If possible, please use examples and payloads to explain the difference.

    What *do* you know about the difference? It will help us not repeat what you already understand. – schroeder Jan 29 '17 at 10:41
  • Have you searched here and read: http://security.stackexchange.com/questions/65142/what-is-reflected-xss?rq=1 – schroeder Jan 29 '17 at 10:42

2 Answers

4

Self XSS is basically social engineering where the attacker convinces the user to paste code into the browser and execute it. Example: I may ask you to paste malicious JavaScript code into your browser's URL bar which will give you logs about surfing data, and look for such random tidbits from which you will understand the difference between self XSS and reflected XSS with those logs. You may complain after trying that no results are found, but it is too late to complain. What I'm actually doing is hacking your machine, masquerading the procedure to look like help for you.

Reflected XSS, on the other hand, is browser-executable within a single HTTP response in the victim's browser. It is activated through clicking a malicious link. Refer to the details, simple diagrams and example in this nice article (I haven't read it entirely, but it looks good enough to satisfy the thirst for information): https://www.incapsula.com/web-application-security/reflected-xss-attacks.html

Arpit Rohela
0

In both cases, some malicious script is injected in request data and is reflected back to the client's browser.

For Reflected XSS, successful exploitation depends on a single HTTP request (GET or POST) which when replayed from the victim's browser (with help of some social engineering), results in script injection.

In some cases this may not be possible. Some of the potential reasons for this are:

  • Presence of a CSRF token
  • The request with malicious data depends on other previous requests being successful, or has some other prerequisites.
  • The response type for the affected HTTP request is text/json. In this case there would be no script injection if the request is sent on its own, because the response is not HTML.

In these cases, a successful script injection may be achieved while performing a test from the browser, where the CSRF token is taken care of, all the prerequisites are met, and the text/json response is processed by some other page that mishandles the JSON data.

However, it is not possible to develop an exploit that would work on a target machine once the user clicks on a single link. For these reasons, such cases are often termed "Self XSS". Self XSS would generally be assigned a Low or Informational severity rating due to the lack of exploitability.

Shurmajee
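To make the distinction both answers draw concrete, here is an added example (not code from the question or either answer) modelling a search endpoint that reflects a `q` parameter back to the client. It shows the single-request reflection that makes a finding "reflected XSS" (first answer), the HTML-escaped fix, and the text/json case from the second answer where the same reflection is not a script injection on its own because the response is not HTML. The function names, the response shape and the probe string are assumptions constructed for this example; it runs offline under plain Node.js.

```javascript
// Added example: a minimal model of a search endpoint reflecting "q".
// Function names and the {headers, body} response shape are assumptions.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable version: the query value is concatenated straight into HTML.
// A single GET such as /search?q=... is enough for the browser to render
// whatever was sent, which is what makes this reflected XSS, not self XSS.
function renderSearchPageUnsafe(q) {
  return {
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<html><body><p>Results for: ${q}</p></body></html>`,
  };
}

// Hardened version: same page, but the reflected value is HTML-escaped,
// so the browser shows it as text instead of parsing it as markup.
function renderSearchPage(q) {
  return {
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`,
  };
}

// The text/json case from the second answer: the value is still reflected,
// but the response is not HTML, so a browser loading it directly renders
// nothing as markup. JSON.stringify escapes quotes, so the structure holds;
// the risk only reappears if another page inserts this data into the DOM
// without escaping it.
function renderSearchJson(q) {
  return {
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ query: q, results: [] }),
  };
}

// Reviewer check: is the raw input present, unescaped, in an HTML response?
// This is the condition a tester looks for when deciding whether a single
// request on its own reproduces the issue.
function reflectsRawInput(response, input) {
  const isHtml = /^text\/html/i.test(response.headers["Content-Type"] || "");
  return isHtml && response.body.includes(input);
}

// Constructed probe: a harmless tag with HTML metacharacters, enough to
// tell escaped output from raw reflection without running any script.
const probe = "<b>probe</b>";

// Stand-alone run: print the three responses and the check results.
for (const [name, fn] of [
  ["unsafe HTML", renderSearchPageUnsafe],
  ["escaped HTML", renderSearchPage],
  ["JSON", renderSearchJson],
]) {
  const res = fn(probe);
  console.log(name, "->", reflectsRawInput(res, probe), res.body);
}
```

The check deliberately keys on the Content-Type header as well as the body: the JSON response does contain the probe string verbatim, yet `reflectsRawInput` returns false for it, which is exactly the second answer's point that reflection into a non-HTML response is not, by itself, a single-link exploit. Whether it later becomes one depends on the page that consumes the JSON, which is the part a tester has to examine separately.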