Reflected XSS
Payload in URL or form is immediately reflected in the response. Victim clicks a crafted link. Example: search box displays unescaped query parameter.
Stored XSS
Payload saved in database (comment, profile bio) and served to every visitor. Higher impact — one injection affects all users.
DOM-based XSS
JavaScript on the page reads attacker-controlled input (location.hash, postMessage) and writes it to DOM via innerHTML without sanitization.
Impact and mitigation
Impact: session theft, keylogging, phishing overlays. Mitigation: output encoding, Content-Security-Policy, HttpOnly cookies, input validation.