Self XSS or reflected XSS?

You should have been able to execute the script with the last example. At this point, it is considered 'self XSS,' though.

Why is that?

That is because no link triggers that XSS. You can try it yourself to see what happens …​ go to:

Click on the link given on WebGoat and you will see the following:

WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111