June 13, 2026
Reflected XSS Made Stupidly Simple
Hey everyone! Nitin here ⚡
Nitin yadav
XSS is the most reported bug in all of bug bounty. The MOST. So if you learn it well, you'll always have something to hunt. Let's start with the easiest flavor: reflected XSS.
What Is XSS In Plain English?
XSS = Cross-Site Scripting. Fancy name, simple idea: you trick a website into running YOUR code in someone else's browser.
Normally a website only runs its own code. But if it's careless about what it shows back to users, you can sneak in a little JavaScript, and the browser runs it like it belongs there. That's XSS.
What Makes It "Reflected"?
Reflected XSS is when the website takes something from YOUR request and immediately shows it back to you — without cleaning it up.
Classic example: a search box.
You search for hello. The page says: "You searched for: hello"
See how it reflected your input right back? Now what if you search for this instead:
<script>alert(1)</script>
If a popup box appears saying "1"… the site just ran YOUR code. That's reflected XSS. 🎉
The alert(1) is just a harmless proof. It says "hey, my code ran here." That's all you need to demonstrate the bug ethically.
Where To Find It
Look for anywhere your input gets shown back on the page:
- Search boxes
- Error messages ("Page xyz not found")
- URL parameters that appear on screen
- "Sorry, [your text] is invalid" type messages
- Anything that echoes what you typed
How To Hunt It Step By Step
- Find a spot that reflects your input back
- Type a unique test string like xss7391
- View the page source — find where xss7391 landed
- Now figure out: can you "break out" and inject HTML/JS there?
- Try payloads like <script>alert(1)</script> or "><img src=x onerror=alert(1)>
- If your code runs → bug found ✅
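Here is an added example (not code from the post) that turns the canary steps above into a check you can run against a handler: a constructed vulnerable search page that reflects raw input, the same page with HTML encoding, and a function that inspects where the xss7391 canary landed and which special characters survived unencoded. The handler names and the probe string are assumptions made for the example.

```python
import html
import re

# The unique marker from the hunting steps, followed by the four characters
# whose raw survival lets input break out of HTML (constructed probe string).
CANARY = "xss7391"
PROBE = CANARY + '<">\''
SPECIALS = set('<>"\'')


def render_search_vulnerable(query: str) -> str:
    """Constructed 'before' handler: reflects the raw query into the page."""
    return f"<p>You searched for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Hardened handler: encode the query for the HTML text-node context."""
    return f"<p>You searched for: {html.escape(query, quote=True)}</p>"


def render_value_attr_fixed(query: str) -> str:
    """Hardened attribute context: quote=True also encodes \" and ', so a
    '\">' payload cannot close the attribute and the tag."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def raw_specials_after_canary(page: str, canary: str = CANARY) -> list:
    """For every place the canary landed, return the set of special characters
    that directly follow it unencoded. An empty set at each reflection means
    the response encoded the probe; a non-empty set is the 'break out' signal
    the steps above look for in the page source."""
    tail_len = len(PROBE) - len(canary)
    found = []
    for m in re.finditer(re.escape(canary), page):
        tail = page[m.end():m.end() + tail_len]
        found.append({c for c in tail if c in SPECIALS})
    return found


def reflection_is_encoded(page: str, canary: str = CANARY) -> bool:
    """True when the canary appears and no reflection leaks a raw special."""
    reports = raw_specials_after_canary(page, canary)
    return bool(reports) and all(not s for s in reports)


if __name__ == "__main__":
    for name, render in [("vulnerable", render_search_vulnerable),
                         ("fixed text", render_search_fixed),
                         ("fixed attribute", render_value_attr_fixed)]:
        page = render(PROBE)
        print(f"{name:16} encoded={reflection_is_encoded(page)}  {page}")
```

The same check works as a regression test in a project's test suite: render every page that echoes user input with the probe and assert that reflection_is_encoded returns True.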
Why It Matters
"It's just a popup, who cares?" Wrong. With XSS an attacker can steal session cookies, hijack accounts, redirect users to phishing pages, or perform actions as the victim. The popup is just the proof — the real impact is account takeover.
My Honest Tip
Don't just throw <script>alert(1)</script> everywhere and give up when it doesn't work. Modern sites filter input. The fun is in the BYPASS — figuring out what they forgot to block. Try different tags, event handlers, encodings. The hunters who win are the ones who get creative when the basic payload fails.
Next post: stored XSS — the more dangerous cousin that hits OTHER people too.
Stay sharp! ⚡