3 types of XSS →

Reflected XSS → We inject something malicious and get a pop-up, and the payload is reflected back to us on the page. It is never stored on the server, so it is on the client side.

Stored XSS → This is the opposite of reflected: the malicious payload is injected into the server, and even if we leave and come back the payload will still be there.

DOM XSS → Client side; it basically affects the DOM of the website.

Example of Reflected.



// Deliberately vulnerable: the username parameter is echoed without encoding
$username = $_GET['username'];

echo "Hi $username!";


So in case we run index.php?username=aniket

We get Hi aniket!

and if we do index.php?username=<script>alert(1)</script>

If we manage to do stored XSS, this will execute every time someone opens the website; in this case it will make a pop-up saying 1 for everyone who visits the site.
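The index.php greeting from the reflected example, next to an output-encoded version, run over a few sample inputs from the command line. This is an added example and not part of the original notes; the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not the page's own code. Run from the CLI: php greet.php
// Function names and sample inputs are constructed for illustration.

// Same behaviour as the snippet above: input goes into the HTML unchanged.
function greet_vulnerable(string $username): string
{
    return "Hi $username!";
}

// Encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and ", so the value stays inert if it is
// later placed inside a quoted attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of making htmlspecialchars() return an empty string.
function greet_encoded(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Hi $safe!";
}

// Constructed stand-ins for $_GET['username'].
$inputs = [
    'aniket',
    '<script>alert(1)</script>',  // the payload used in the notes above
    'O\'Brien "Ani" & co',        // harmless name with quotes and an ampersand
    "bad\xC3\x28bytes",           // invalid UTF-8 sequence
];

foreach ($inputs as $input) {
    $raw = greet_vulnerable($input);
    $enc = greet_encoded($input);
    printf("raw:     %s\nencoded: %s\n", $raw, $enc);
    // Markup characters that survive into the response are what the
    // browser parses as HTML instead of showing as text.
    printf("  markup chars in raw: %s, in encoded: %s\n\n",
        preg_match('/[<>"\']/', $raw) ? 'yes' : 'no',
        preg_match('/[<>"\']/', $enc) ? 'yes' : 'no');
}
```

The same encoding applies when a stored value is written back into a page, because the encoding happens at output time and not when the value is saved.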

Reflected and DOM XSS attacks require social engineering to work: we need the victim to click on a link or similar, and then we can get a cookie or something from them. We can also do key logging, cookie stealing, DDoS attacks, etc.

Good Resource on DOM Based XSS → https://www.scip.ch/en/?labs.20171214