== Reflected XSS scenario

* Attacker sends a malicious URL to the victim
* Victim clicks on the link that loads a malicious web page
* The malicious script embedded in the URL executes in the victim’s browser
** The script steals sensitive information, like the session id, and releases it to the attacker

*Victim does not realize attack occurred*
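
The reflection step in this scenario, seen from the server side, as an added example that is not part of the original page: a hypothetical search handler that copies the `q` URL parameter into its HTML response, next to a hardened version that encodes it. The function names, the `shop.example` host, the `sid` cookie name and the probe string are all assumptions made up for illustration.

```javascript
// Added example (not from the original page). All names are hypothetical.

// Encode the five characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the URL parameter is copied into the page as markup, so any
// script element carried in the link is parsed and run by the victim's browser.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`;
}

// Hardened: the same parameter is output-encoded, so the browser shows it as text.
function renderHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Defense in depth: a CSP that blocks inline script, and an HttpOnly session
// cookie so page script cannot read the session id even if encoding is missed.
function hardenedHeaders(sessionId) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
    'Set-Cookie': `sid=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Regression check for a test suite: does the response echo the probe unencoded?
function reflectsUnescaped(html, probe) {
  return html.includes(probe);
}

// Constructed sample input: an inert marker wrapped in a script element.
const PROBE = '<script>/*constructed-marker*/</script>';
const sampleUrl = 'https://shop.example/search?q=' + encodeURIComponent(PROBE);

console.log('vulnerable reflects probe:', reflectsUnescaped(renderVulnerable(sampleUrl), PROBE));
console.log('hardened reflects probe:  ', reflectsUnescaped(renderHardened(sampleUrl), PROBE));
console.log(hardenedHeaders('constructed-session-id'));
```
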