Quiz Entry - updated: 2026.07.14
What are the three types of XSS and how do they differ?
Stored = payload saved in the DB and served to everyone; Reflected = payload bounced straight back from the request/URL; DOM-based = payload never reaches the server, handled entirely by client-side JS.
* The three XSS types — Stored is saved server-side and served to all; Reflected bounces off the request; DOM-based stays entirely in client-side JS. *
* Reflected XSS flow — the payload rides in the request, is echoed back by the server, and executes when the response renders; it is never stored. *
| Type | Data Stored | Execution Location |
|---|---|---|
| Stored XSS (Type I) | Server database | Server-side or Client-side |
| Reflected XSS (Type II) | Not stored (in URL/request) | Server-side or Client-side |
| DOM-based XSS (Type 0) | Client-side only | Client-side only |
Key distinctions:
- Stored: Malicious script saved in DB (forums, comments)
- Reflected: Script in URL, reflected back in response
- DOM-based: Script manipulates DOM directly, never sent to server
DOM-based XSS is a subset of Client XSS where data source is from the DOM only.