CREST Practitioner Security Analyst (CPSA) Practice 2025 - Free CPSA Practice Questions and Study Guide

Question: 1 / 485

Which type of XSS is characterized by not storing the attacker's script in the backend?

Persistent XSS

Reflected XSS

The type of XSS characterized by not storing the attacker's script in the backend is reflected XSS. In this attack vector, the malicious script is embedded in a link that is sent to the victim, often through an email or a message. When the victim clicks the link, the script is executed immediately as part of the response from the server, but it is not saved on the server or in the application’s database.

This immediacy is what distinguishes reflected XSS from other types like stored XSS, where the malicious payload is saved in the application's storage and can affect any user who retrieves or invokes the malicious content later. The transient nature of reflected XSS means that the attack relies on tricking the user into clicking a link or navigating to a specific URL, rather than relying on the persistence of the script in the system. Understanding this distinction is crucial for recognizing how attacks can be conducted and mitigated in web security.

Non-Persistent XSS

Stored XSS
