Three Flavors of XSS

Stored, reflected, and DOM-based cross-site scripting differ in where the payload lives and whether the server ever sees it.

[Diagram legend: legitimate flow; attacker-controlled data; script executes in victim's browser]
