In this write-up, we presented and covered cross site scripting vulnerability both
reflected and stored using Mutillidae.
Reflected XSS is the kind of XSS that makes the browser returns an alert or cookie
back to the client. It’s not stored in the website database as Stored XSS is.
Common testing points for reflected XSS are input boxes and contact forms. In the
below figure, we have an input box that accepts a hostname.
and doesn’t get reflected in a pop-up. This means we don’t need to send a crafted
URL to the target to steal their cookies. Whenever the target visits the page in
which we inserted the malicious JS, the payload will get executed each time a user
visits the vulnerable page.