This week I was reviewing a security product and discovered a rather serious XSS in their web console. When I highlighted this to the product's technical team, they claimed it was a vulnerability in IIS and not their product. It was rather silly of them to claim that outputting JavaScript was the fault of the web server. However, it did highlight two interesting facts about XSS to me: an alert box displaying 'XSS' or unintelligible session details means very little to many people who should know better, and you need to have a canned, high-level explanation of what the dangers of an XSS really are.
A quick and easy demo, which I put here mostly for my own memory, is to just change the window location to point to a machine where you have set up a netcat listener, with the session details and URL appended to the request. If you want to be stealthy, you can use a hidden iframe.