# XSS
Normally, XSS is divided into 3 main categories: stored, reflected and DOM based.
## Stored XSS
**Stored XSS** is the most common and simple type of XSS. The payload is saved in the server's database and then affects the browsers of clients that later request that data.
This kind of XSS is normally found in web pages that contain user-generated content without proper sanitization of user data, such as forums, blogs, etc.
Since the trace of the attack is persistent, it can easily be spotted and blocked.
## Reflected XSS
**Reflected XSS**, on the other hand, is not saved in the database; it relies on the responsiveness of the web page to carry out the attack. The payload is input provided by the user that is not stored in the database, such as a search query or an optional value for alert / error messages, used without being properly sanitized.
Note that even though the data is not persisted, the attack payload is still sent to the server, so it can be logged and traced.
## DOM based XSS
**DOM based XSS** is quite similar to **Reflected XSS**; the main difference is that the payload is never sent to the server, so it relies on the rendering logic of the front end, not the back end.
For example, the payload can be appended to URL parameters that the client uses for rendering without proper sanitization.
Since the attack takes place only in the client, this type of exploit is hard to trace.
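The traceability difference between reflected and DOM based XSS described above, as an added example that is not part of the original notes: it compares what a server can log for each case and shows vulnerable front-end rendering beside an HTML-encoding version. The host name, the `q` parameter, the test string and all function names are constructed for illustration, and the DOM based case assumes the value travels in the URL fragment, the part of a URL that browsers do not send to the server.

```javascript
// Added example. The host, the "q" parameter and TEST_STRING are constructed.
const TEST_STRING = '<script>alert(1)</script>';
const REFLECTED_URL = 'https://example.test/search?q=' + encodeURIComponent(TEST_STRING);
const DOM_URL = 'https://example.test/search#q=' + encodeURIComponent(TEST_STRING);

// What the server receives and can log: path and query string only.
// Browsers do not transmit the fragment (everything after '#').
function serverVisible(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Simple access-log check for markup in the decoded request target.
function flaggedInServerLog(urlString) {
  let target = serverVisible(urlString);
  try { target = decodeURIComponent(target); } catch (e) { /* keep raw on bad encoding */ }
  return /<\s*script|\bon\w+\s*=|javascript:/i.test(target);
}

// What front-end code can read: the query string and the fragment.
function clientParam(urlString, name) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get(name);
  return fromQuery !== null ? fromQuery : new URLSearchParams(u.hash.slice(1)).get(name);
}

// Vulnerable front-end rendering: the value is concatenated into markup.
function renderUnsafe(value) {
  return '<p>Results for ' + value + '</p>';
}

// Hardened rendering: HTML-encode the value before it reaches markup.
// In a browser, assigning to element.textContent has the same effect.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(value) {
  return '<p>Results for ' + escapeHtml(value) + '</p>';
}

console.log('reflected flagged in log:', flaggedInServerLog(REFLECTED_URL));
console.log('DOM based flagged in log:', flaggedInServerLog(DOM_URL));
console.log('unsafe:', renderUnsafe(clientParam(DOM_URL, 'q')));
console.log('safe:  ', renderSafe(clientParam(DOM_URL, 'q')));
```

Because the server-side check never sees the fragment, the encoding step in the front end is the control that covers the DOM based case.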
## References
[https://owasp.org/www-community/Types_of_Cross-Site_Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting)