Há (pelo menos) 3 tipos:
1. XSS Reflectido:

2. XSS Armazenado

3. XSS baseado em DOM
• An HTML or XML page is represented by a DOM object (Document Object Model, W3C)
• HTML can contain references to attributes of that object, which are interpreted in the browser: F document.URL, document.location, document.referer,…
• Vulnerability: site with HTML page with JS script that does client-side logic with document.URL or another attribute