DOM-based XSS

Reflected and stored XSS have something in common: a user or a data source interacts with the application by inserting a value, which the application then reads. The third kind of XSS is different.

In a DOM-based XSS attack, the user sends a crafted URL with the code injected into it. The server processes the information, but its response does not include the injection; instead, the user's browser processes the response and the script is executed.

To understand how DOM-based XSS works, it is necessary to explain the DOM concept.

The Document Object Model (DOM) is an interface that allows HTML and XML documents to be modified in a structured way. The DOM represents a document as a series of nodes and objects, with properties and methods that connect the document to a programming language; not just JavaScript, but any programming language.

For example, consider the following snippet of code:

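    <script>
        // Read the full page URL and decode its percent-escapes
        var url = document.location;
        url = unescape(url);
        // Take everything after "message=" and write it into the page as HTML
        var message = url.substring(url.indexOf('message=') + 8, url.length);
        document.write(message);
    </script>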

The script parses the page's URL to extract the value of the message parameter. When the message parameter is found, the script writes its value into the page in the web browser. If the value of the message parameter is a malicious string, the script renders the attack in the user's browser. However, the malicious string never came from the server, nor was it processed by the server. It was all processed on the client side, that is, in the web browser, using a property contained in the DOM.
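The snippet's parsing logic beside a hardened version, as an added example that is not from the original text; the function names and the sample URL are constructed for illustration. The hardened path reads the parameter with `URL.searchParams` and writes it through `textContent`, so the value is handled as text and never parsed as HTML.

```javascript
// Added example: names and the sample URL below are constructed for illustration.

// Same logic as the page's snippet, returning the string it would hand to
// document.write(). Anything in the URL after "message=" comes back as markup.
// If "message=" is absent, indexOf() returns -1 and a slice of the URL leaks out.
function extractMessageUnsafe(href) {
  const url = unescape(href);
  return url.substring(url.indexOf('message=') + 8, url.length);
}

// Hardened read: parse the query string properly; a missing parameter is ''.
function extractMessage(href) {
  const value = new URL(href).searchParams.get('message');
  return value === null ? '' : value;
}

// Hardened sink: textContent stores the value as text, so the browser never
// parses it as HTML. `element` is any DOM node, for example a <span>.
function renderMessage(element, href) {
  element.textContent = extractMessage(href);
  return element;
}

// For the cases where an HTML string must be built, encode the value first.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample URL carrying markup in the message parameter.
const SAMPLE_URL =
  'https://shop.example/welcome?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// What the original snippet would write into the page as live markup.
console.log(extractMessageUnsafe(SAMPLE_URL));
// The same value after encoding, safe to place inside an HTML string.
console.log(escapeHtml(extractMessage(SAMPLE_URL)));
```

In a browser, pass `document.location.href` and a real element to `renderMessage`; the plain-object stand-in only matters when running the block outside a browser.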
