Reflected Cross-Site Scripting: Threat Primer
The premise of a Reflected Cross-Site Scripting attack is that certain websites accept user input that they "reflect" back to the user somewhere in their interface/portal. For example, imagine a website that asks for your first name, your job title, or your phone number. Think that input is shown somewhere in the interface, perhaps in an accounts page or somewhere else? It most likely is. And that's not necessarily a problem. But, the problem is a half-step away, if the website's developer was even slightly careless.