# Week 6 - XSS Types

## Types of Cross Site Scripting

I have a little something to make your day better: a summary of the types of Cross-Site Scripting!\
\
**Reflected XSS:**\
Occurs when an attacker can inject JavaScript code into the GET/POST parameters of an HTTP request, which the server then renders within the page’s source code. To use this maliciously, an attacker must trick a user into loading a request that carries the payload in the vulnerable parameter (Example: `localhost/index.php?vulnerable="><script>alert(1)</script>`)\
\
**Stored XSS:**\
Occurs when an attacker’s JavaScript payload is stored within the server or database (Example: submitting a comment on an Amazon product). Then, when this payload is called by the server and placed on the page, it executes as JavaScript. This is the most severe form of XSS, since the payload will run every time the page is loaded, meaning an attacker will not have to trick a user into loading a specific request with the vulnerable parameter. The server takes care of it for us.\
\
**DOM-Based XSS:**\
Occurs when an attacker’s JavaScript payload never reaches the server and is instead included within an application’s source code by existing JavaScript on the page. Usually, vulnerable JavaScript within a website will pull our payload from a GET parameter or hash (`localhost/index.php#this-is-a-hash`) and place it directly into the Document Object Model, where it is then executed.\
\
**Self XSS:**\
A user is tricked into copying and pasting the attacker’s payload into their browser’s developer console. This is commonly used by scammers and requires an unknowing user’s full compliance.

![SRC: https://www.researchgate.net/figure/Example-code-and-XSS-attacks\_tbl1\_232644887](/files/MOXkXZL8vFGgSbUtyAnu)
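
The reflected and stored cases above both come down to the server writing untrusted text into HTML. This added example (not code from the original page) passes the page's own `alert(1)` payload through a vulnerable template and through one that encodes on output; the function names and the sample comment list are assumptions made for illustration.

```javascript
// Added illustration: a toy server-side template, not a real framework.
// All function names and sample data below are constructed for this example.

// HTML-encode the characters that can break out of text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: request data and stored data are concatenated straight into markup.
function renderUnsafe(param, comments) {
  const items = comments.map((c) => `<li>${c}</li>`).join('');
  return `<input name="vulnerable" value="${param}"><ul>${items}</ul>`;
}

// Hardened: every untrusted value is encoded at the point of output.
function renderSafe(param, comments) {
  const items = comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
  return `<input name="vulnerable" value="${escapeHtml(param)}"><ul>${items}</ul>`;
}

// True when the rendered HTML still contains a live <script> element.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Reflected case: the parameter arrives in the request URL (the page's example).
const requestUrl = new URL('http://localhost/index.php?vulnerable="><script>alert(1)</script>');
const reflectedParam = requestUrl.searchParams.get('vulnerable');

// Stored case: a constructed "comments table" holding one benign and one hostile row.
const storedComments = ['Great product', '<script>alert(1)</script>'];

console.log('unsafe:', renderUnsafe(reflectedParam, storedComments));
console.log('safe:  ', renderSafe(reflectedParam, storedComments));
console.log('script tag survives unsafe render:',
  hasScriptTag(renderUnsafe(reflectedParam, storedComments)));
console.log('script tag survives safe render:  ',
  hasScriptTag(renderSafe(reflectedParam, storedComments)));
```

The same encoding step closes both paths because the browser cannot tell whether the markup came from the request or from the database. DOM-based XSS is not covered here, since it never passes through a server-side template.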

