Reflected XSS Made Easy: Catching Real Bugs in the Wild
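Reflected cross-site scripting (XSS) is a vulnerability in which user input is echoed directly in the HTTP response; it is commonly found in URL parameters, search bars and similar locations. An attacker can craft a malicious link and lure a user into visiting it, so that a malicious script executes in the browser. Using a real case on the MTN Group website, this article shows how a simple payload can uncover this kind of vulnerability and emphasizes its potential risk. 2025-8-5 08:33:44 Author: infosecwriteups.com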

How a Simple Payload Uncovered a Real Vulnerability on MTN’s Website

Monika sharma


Cross-Site Scripting (XSS) remains one of the most impactful yet overlooked vulnerabilities. Among its three primary forms — Reflected, Stored, and DOM-based — Reflected XSS is often the easiest to find but still capable of causing serious damage when exploited correctly.

In this write-up, we’ll break down what Reflected XSS is, how to identify it during recon, and then walk through a real-world bug report on MTN Group’s website that exposed a critical Reflected XSS via a simple payload — proving that low-hanging fruit still exists.

What is Reflected XSS?

Reflected Cross-Site Scripting occurs when user-supplied input is immediately echoed by the application in an HTTP response — without proper encoding or sanitization. This often happens in:

  • URL parameters (GET requests)
  • Search fields
  • Login or message forms
  • Redirect URLs

Unlike stored XSS, where payloads persist in the backend, reflected XSS executes immediately in the browser once the crafted link is visited.
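
As an added illustration (not code from the original write-up or from the site it discusses), the JavaScript below puts a hypothetical search handler that echoes the q parameter raw next to the same handler with output encoding, plus a regression check that a harmless marker no longer comes back unencoded. The host shop.example, the /search path and all function names are assumptions.

```javascript
// Added example: constructed handler logic, not code from the site in the write-up.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical search page: reads ?q= from the request URL (assumed host and path).
function getQuery(requestUrl) {
  return new URL(requestUrl, "https://shop.example").searchParams.get("q") ?? "";
}

// Vulnerable: the parameter is concatenated into the response as-is,
// both in element content and inside an attribute value.
function renderSearchVulnerable(requestUrl) {
  const q = getQuery(requestUrl);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Hardened: same markup, but the value is HTML-encoded at output time.
function renderSearchEncoded(requestUrl) {
  const q = escapeHtml(getQuery(requestUrl));
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Regression check for a test suite: send a harmless marker that contains
// markup characters and report whether it is reflected without encoding.
function reflectsRaw(render, marker = `xss"'<probe>`) {
  const url = "/search?q=" + encodeURIComponent(marker);
  return render(url).includes(marker);
}

// Constructed sample request carrying inert markup.
const sample = "/search?q=" + encodeURIComponent('"><b>probe</b>');
console.log(renderSearchVulnerable(sample)); // markup breaks out of the attribute
console.log(renderSearchEncoded(sample));    // markup is rendered as text
console.log(reflectsRaw(renderSearchVulnerable), reflectsRaw(renderSearchEncoded));
```

The escaping shown covers HTML element content and quoted attribute values only; values placed into script blocks, URLs or CSS need the encoder for that context.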


Article source: https://infosecwriteups.com/reflected-xss-made-easy-catching-real-bugs-in-the-wild-4222376ae3ea?source=rss----7b722bfd1b8d--bug_bounty