you can use these dorks:
You'll likely find reflected xss
inurl:send message or inurl: contact us you'll likely find stored xss
If you want to use em on a site on that you've already found do this:
inurl:search?= intitle: "your target site without quotes"
or if you aren't lazy you could just look for em without dorks now are you wondering how you find where it's vuln to by looking in the source code? Let's start off with the encoding if the encoding isn't as a error result like you would see in the source code "sorry 1&68 come back later" or something like that then trying to input a script wouldn't go through cuz it would be blocked out but if it doesn't do that it would go through meaning they didn't do it right and messed up the code. Now let's start with the "mixed up code" like the p tag not having an error behind it or not having a close tag once you try to input it so when it mess up it would take you to error if you don't see a certain encoding or no error then you could run it so you could put html opening tag with paragraph tag and html closing tag
Once you have found a site that is vulnerable to xss, check all the sites on that same web server (more than likely they will be vulnerable as well.) For example: primeteensex.com is vulnerable and so are all the sites on the same web server. You can use yougetsignal to put in the domain and test the sites that come up.
Different types of xss attacks:
Stored: The malicious script is stored on the server and infects any visitor.
Reflected: The script is included as part of an apparently harmless URL, emailed or sent as search results or error messages to the victim. When the link is clicked, the browser executes the script.
Note: you shouldn't ever have to use a scanner or some type of tool to find xss vulns. Looking manually and at the source code is all it really takes.
Heres a video, ignore the shitty audio