XSS, but we could do anything that JavaScript is allowed to do. You can
see the results in the following screenshot:
Once you have successfully injected JavaScript, you will be able to: read out
cookies; open forms that ask the user to enter their passwords or credit
card details; execute viruses, worms and “drive-by downloads”; the lot. The
reason is that JavaScript is not bound by any security model; any script on
the page has the same rights, no matter which server it has come from. This
is a big security problem with JavaScript and is something clever people are
working on.
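
The paragraph above says an injected script can read cookies and has the same rights as every other script on the page. The following Node.js code is an added example, not from the original text, showing the defender's side: output encoding where the input lands, plus response headers that limit what any injected script could reach. The function names, the page markup and the sample values are hypothetical.

```javascript
// Added example: encode untrusted input for the HTML context it lands in,
// and send headers that limit an injected script. All names are hypothetical.

// The five characters that let text break out of element content
// or out of a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: user input concatenated straight into markup,
// so the browser parses it as part of the page.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened form: the same page with the input encoded in both places it appears.
function renderSearchPage(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Defence in depth for the case where encoding is missed somewhere:
//  - HttpOnly keeps the session cookie out of document.cookie
//  - the CSP allows scripts only from the page's own origin and no inline script
function securityHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample input: a harmless probe string.
const sample = '<script>alert(1)</script>';
console.log(renderSearchPageUnsafe(sample)); // markup reaches the browser intact
console.log(renderSearchPage(sample));       // rendered as inert text
console.log(securityHeaders('constructed-session-id'));
```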
XSS is a very common problem. Websites such as XSSED.org have a field
day showing the world just how many websites are vulnerable: