LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three types of XSS and how do they differ?

Stored = payload saved in the DB and served to everyone; Reflected = payload bounced straight back from the request/URL; DOM-based = payload never reaches the server, handled entirely by client-side JS.

The three XSS types: Stored (saved server-side, served to all), Reflected (bounced off the request), DOM-based (stays in client JS).

* The three XSS types — Stored is saved server-side and served to all; Reflected bounces off the request; DOM-based stays entirely in client-side JS. *

Reflected XSS request/response flow: payload in the URL, echoed into the response, executes on render.

* Reflected XSS flow — the payload rides in the request, is echoed back by the server, and executes when the response renders; it is never stored. *

Type Data Stored Execution Location
Stored XSS (Type I) Server database Server-side or Client-side
Reflected XSS (Type II) Not stored (in URL/request) Server-side or Client-side
DOM-based XSS (Type 0) Client-side only Client-side only

Key distinctions:

  • Stored: Malicious script saved in DB (forums, comments)
  • Reflected: Script in URL, reflected back in response
  • DOM-based: Script manipulates DOM directly, never sent to server

DOM-based XSS is a subset of Client XSS where data source is from the DOM only.

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jul 14, 2026