Cross-site scripting (XSS) exploits the browser’s trust in the website, making it load content and scripts that could be malicious. The name is somewhat of a misnomer: it would be better described as JavaScript injection or HTML injection, since it doesn’t have to be “cross-site” at all; the resources can be loaded from the current site.

Stored and reflected payloads

There are two types of XSS payloads, stored and reflected, and the primary difference between them is how they persist. Stored XSS payloads live on the server, in its database or in its web application files. They can be served to any user, because the website itself delivers them during normal browsing.

Reflected XSS payloads, by contrast, are delivered to victims through crafted links to malicious web servers hosting the payload, or through malicious redirects from the original site.

Server and client XSS

The terms server XSS and client XSS refer to where in the transaction between the client and the server the payload lands. With server XSS, the payload is written into the HTML response the server sends to the client; it can still be either stored or reflected.

With client XSS, the payload is executed within the user’s browser: it is either delivered by the website in a JavaScript file, or retrieved by JavaScript already executing within the user’s browser.
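To make the server XSS case concrete, here is an added example (my code, not from the original post) that renders the same untrusted comment two ways: once by concatenating it straight into the HTML response, which is the server XSS defect, and once after HTML entity encoding, so the browser shows the text instead of parsing it as markup. The comment value is constructed for the example; it stands in for a stored database row or a reflected query parameter, since for the server either one is just untrusted input.

```javascript
// Added example, not code from the original post. Shows the server XSS
// defect (raw interpolation into the response) beside its hardened form
// (HTML entity encoding before interpolation).

// Constructed sample input: could come from a stored comment row or a
// reflected query parameter; either way the server must treat it as untrusted.
const untrustedComment = '<script>alert(1)</script> nice post "quoted"';

// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for the HTML body and attribute contexts. '&' is included so
// already-encoded text cannot be decoded twice into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: whatever the user typed becomes part of the DOM the server sends.
function renderUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: the encoded text contains no '<' for the browser to parse as a tag.
function renderSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Attribute context: wrapping the value in quotes is not enough on its own, a
// '"' in the input would close the attribute, so the value is encoded as well.
function renderTitleAttr(title) {
  return `<a href="/profile" title="${escapeHtml(title)}">profile</a>`;
}

// Check a reviewer can apply to rendered output: does the comment region still
// contain a tag-opening '<'? Only the encoded version passes.
function commentRegionIsInert(html) {
  const start = html.indexOf('>') + 1;
  const end = html.lastIndexOf('</div>');
  return !html.slice(start, end).includes('<');
}

// Stored XSS scenario: several comments from the database rendered in one page.
function renderCommentList(comments) {
  return `<section>${comments.map(renderSafe).join('\n')}</section>`;
}
```

Encoding is per output context; the same function is enough for body text and quoted attributes, but a value placed inside a JavaScript string or a URL needs the encoder for that context instead.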

Mitigation

Some mitigations enforced by servers and browsers are discussed here:

XSS resources

Some solid resources for XSS: