** A falha de XSS pode ser presente em qualquer entrada de dado que reflete na plataforma.
Pode inclusive no nome de um usuário ter o valor <script>alert(1)</script> e rodar (stored).
O XSS pode estar por toda parte (literalmente).

Lab XSS Reflected: https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded

XSS Challenges: https://xss-quiz.int21h.jp/

prompt(1) to win: https://prompt.ml/0

Cheat Sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

KXSS: https://github.com/Emoe/kxss

Lab Stored: https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded