Testing for XSS vulnerabilities when URL contains hidden fields -


I am checking a portal for XSS vulnerabilities. Examples found on the internet say that if you have a URL like

http://www.yoursite.com/index.html?name=george 

try encoding

http://www.yoursite.com/index.html?name=<script>alert('you found xss vulnerability')</script> 

and if you see the alert, it shows the portal is XSS vulnerable. My question: the URL doesn't contain any variables; it uses hidden fields, so the URL looks like

http://[myip]:8080/appshop-v1/appstoreregistration.html 

and doesn't change on POST or any other operation. How can I insert a script in such a scenario to check for vulnerabilities?

The basic safety rule tells you that you should not trust input coming from the user. You can use tools like Fiddler to manipulate hidden field values as well. If you are using the value in output on the portal (name etc.), do HTML encoding before outputting it. XSS is not limited to the query string; it can come from anywhere the user supplies input. It is also advisable not to store sensitive information in hidden fields, because the end user can see and change it.
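To make the answer concrete, here is an added example (not code from the original post or from the portal in question). It models the registration form's POST handler in Node.js: a hidden field is just another form parameter, so a proxy such as Fiddler can change it even though the URL never changes, and the only reliable fix is to HTML-encode the value before reflecting it. The field names appId and name, the two render functions and the sample POST bodies are all assumptions made for the illustration.

```javascript
// Added example, not from the original page. Field names (appId, name),
// handler names and the POST bodies below are hypothetical.

// Minimal HTML encoder for text placed between tags or inside a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Parse an application/x-www-form-urlencoded POST body into a plain object.
// This is what the server sees; it has no way to tell whether the browser
// or an intercepting proxy filled in the hidden field.
function parseFormBody(body) {
  const params = new URLSearchParams(body);
  const fields = {};
  for (const [key, value] of params) fields[key] = value;
  return fields;
}

// Vulnerable: reflects the hidden field straight into the confirmation page.
function renderConfirmationUnsafe(fields) {
  return `<p>Registering app <b>${fields.appId}</b> for ${fields.name}</p>`;
}

// Hardened: same page, every user-controlled value encoded first.
function renderConfirmationSafe(fields) {
  return `<p>Registering app <b>${escapeHtml(fields.appId)}</b> for ${escapeHtml(fields.name)}</p>`;
}

// Constructed POST bodies (sample data, not captured traffic). The browser
// sends the first one; a tester edits the hidden appId field in Fiddler and
// sends the second. The request URL is identical in both cases.
const normalBody = "appId=1234&name=george";
const tamperedBody =
  "appId=" + encodeURIComponent("<script>alert('xss')</script>") + "&name=george";

// Run both bodies through both renderers and report whether the injected
// tag survives into the HTML.
function demo() {
  const normal = parseFormBody(normalBody);
  const tampered = parseFormBody(tamperedBody);
  return {
    unsafeReflectsScript: renderConfirmationUnsafe(tampered).includes("<script>"),
    safeReflectsScript: renderConfirmationSafe(tampered).includes("<script>"),
    safeOutput: renderConfirmationSafe(tampered),
    normalOutput: renderConfirmationSafe(normal),
  };
}

console.log(demo());
```

The same test applies to the real portal: intercept the POST, replace the hidden field's value with a probe string, and inspect the response HTML for the probe appearing unencoded. Checking the raw response rather than waiting for an alert also catches cases where the value is only reflected on a later page or inside an attribute.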

