During a web application pentest, you discover that user input is reflected in an HTML page without sanitization.Which attack type should you attempt first?