Because XSS (Cross-site Scripting) uses a hacked web site as a delivery mechanism to a web browser, it is important to understand not only how a payload enters the web site but also how and where the web site renders that payload into a page that the visitor's browser executes. Without a clear knowledge of where possibly malicious user-supplied data may appear, a web site may have poor security or an incomplete understanding of the impact of a successful exploit.
Different names have been ascribed to these kinds of reflection, from the unimaginative Type I, II, and III, to reflected, persistent (stored), and higher order. These naming conventions have tried to capture two important aspects of a hack:
– Location—Where the payload arrives, such as the immediate HTTP response, a different page that was requested, or a different site (or application!) completely.
– Duration—How long the payload appears, whether it disappears when the page is refreshed or sticks around until cleaned out by the site's administrators.
The differences of location and duration can also be thought of as the statefulness of the injection. A stateless injection doesn’t last beyond a single response. A stateful injection will appear on subsequent visits to the hacked page.
Ephemeral HTML injection, also identified as Reflected or Type I Cross-site Scripting, happens when the payload is injected and observed in a single HTTP request/response pair.
Persistent HTML injection flaws, also identified as Type II Cross-site Scripting, remain on the website longer than the immediate response to the request that injected the payload.
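The location and duration distinction is easiest to see in code. The following is an added example, not code from the book: a tiny in-memory model of two page handlers. The first echoes a request parameter into the immediate response (ephemeral, Type I); the second keeps user input in server-side state that every later visitor receives (persistent, Type II). Each handler also has an escaping mode so the fixed and unfixed output can be compared side by side. The handler names (renderSearch, postComment, renderComments), the comment store and the sample payload are all assumptions made for the illustration.

```javascript
// Added example (not from the book). Models a reflected (Type I) and a
// persistent (Type II) injection point and the same handlers with escaping.
// renderSearch, postComment, renderComments and the payload are assumptions.

// Minimal HTML escaping for text placed in element content (not for
// attribute values, URLs or script blocks, which need context-specific rules).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Reflected: the response to one request echoes that request's own parameter.
// Nothing is remembered between requests.
function renderSearch(query, { escape = false } = {}) {
  const shown = escape ? escapeHtml(query) : query;
  return `<h1>Results for ${shown}</h1>`;
}

// Persistent: comments live in state shared by every later request.
function createCommentStore() {
  return { comments: [] };
}

function postComment(store, text) {
  store.comments.push(text); // stored verbatim: this is the injection point
}

function renderComments(store, { escape = false } = {}) {
  const items = store.comments
    .map((c) => `<li>${escape ? escapeHtml(c) : c}</li>`)
    .join('');
  return `<ul>${items}</ul>`;
}

// Constructed sample payload for the demonstration.
const PAYLOAD = '<script>alert(document.cookie)</script>';

// Runs both scenarios and returns every rendered page for inspection.
function demo() {
  // Ephemeral: the payload rides on request 1 and is gone from request 2.
  const reflectedHit = renderSearch(PAYLOAD);
  const reflectedNext = renderSearch('shoes');

  // Persistent: injected once, served to every visitor afterwards.
  const store = createCommentStore();
  postComment(store, PAYLOAD);
  const storedVisitA = renderComments(store);
  const storedVisitB = renderComments(store);

  return {
    reflectedHit,
    reflectedNext,
    storedVisitA,
    storedVisitB,
    fixedReflected: renderSearch(PAYLOAD, { escape: true }),
    fixedStored: renderComments(store, { escape: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output, `reflectedHit` carries the script tag while `reflectedNext` does not, which is the stateless case: only the victim who follows the crafted link is exposed. `storedVisitA` and `storedVisitB` both carry it, which is the stateful case: every visitor is exposed until the comment is removed. The escaped variants show the same data rendered as inert text, but note that `escapeHtml` only covers element content; a payload landing inside an attribute, a URL or an existing script block needs encoding appropriate to that location, which is exactly why knowing where the data appears matters.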