
Discussion on: CORS, XSS and CSRF with examples in 10 minutes

Sandor Dargo

Thanks for the nice explanation.

I just want to add a remark.

"Vulnerability for XSS is coming from unprotected and not sanitized user inputs those are directly stored in database and displayed to other users."

This is only about a third of the truth. What you wrote about is stored XSS, but there are other types of XSS vulnerabilities, such as reflected XSS and DOM-based XSS.

Storing the user's input in a database on the server side is not mandatory; in fact, it's not even necessary to send any data from the client to the server to be able to speak about XSS.

In the case of reflected XSS, the malicious script is encoded in the URL, the attacker broadcasts it, the unaware folks click on it and boom. Here is an example from Shopify.

A DOM-based XSS attack will not even necessarily send any data to the server. Again, the script can be encoded in the URL, after a fragment identifier (#).

The attacker sends the link, someone clicks on it, the browser changes the DOM after the page has already loaded, and then the JS code executes. As the malicious part never touches the server, this type of attack requires different protection, which is based completely on the client side.

Here is a more thorough explanation.
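
Added example (not part of the comment above or of the original article): the difference between the reflected and DOM-based cases, seen from the defender's side. The host `shop.example`, the markup probe, the server-side filter and all function names are constructed for illustration.

```javascript
// Constructed sample input: a harmless markup probe placed in two kinds of link.
const PROBE = '<b>injected</b>';
const reflectedLink = 'https://shop.example/search?q=' + encodeURIComponent(PROBE);
const domLink = 'https://shop.example/welcome#' + encodeURIComponent(PROBE);

// The request target the server, its input filters and its logs receive.
// Browsers never transmit the part after '#'.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Hypothetical server-side filter: flags markup characters in the request.
function serverFilterFlags(link) {
  return /[<>]/.test(decodeURIComponent(requestTarget(link)));
}

// What page script reads from location.hash after the page has loaded.
function fragmentValue(link) {
  return decodeURIComponent(new URL(link).hash.slice(1));
}

// Client-side defence: encode the value before it reaches an HTML sink
// (in a browser, assigning to textContent instead of innerHTML does the same job).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the greeting markup with the fragment value neutralised.
function renderGreeting(link) {
  return '<p>Hello ' + escapeHtml(fragmentValue(link)) + '</p>';
}

console.log(serverFilterFlags(reflectedLink)); // server can see the query string
console.log(serverFilterFlags(domLink));       // server never sees the fragment
console.log(renderGreeting(domLink));
```

The server-side filter only has a chance in the reflected case; for the fragment, the encoding has to happen in the page script itself.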

Aleksandar Maletic

Hello Sandor,

Thanks for pointing out the skipped XSS vulnerabilities! I will update the article in the next few days.