Stored XSS: Often occurs in areas such as information modification or insertion; malicious code is stored in the database and executes whenever a victim accesses the affected page.
Reflected XSS: Commonly appears within URLs. An attacker typically crafts a malicious link in advance and deceives the user into clicking it, thereby triggering the attack code.
DOM-based XSS: The attack code resides in the URL and is subsequently written into a DOM node within the browser. Stored and reflected XSS involve the server, whereas DOM-based XSS is entirely client-side.