More than stealing cookies and phishing users' private details
After I read the following, I wondered if I had somehow travelled into the future:
Quote: "A hacker has published code for potent cross-site scripting attacks that he claims go beyond the usual cookie stealing and phishing for users' private details."
Almost one year ago, I published this demonstration on The Exploit Database: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ , which also goes beyond cookie stealing and phishing. In fact, it goes so far beyond that it will attempt to inject a PHP shell allowing remote code execution on the target server.
It will even bypass a few classic Web Application Firewalls and most filters. Why? Because the attacker him- or herself is not injecting any code directly. Instead, the server is actually requesting the title of the target page he or she is serving, which contains the main XSS payload, which then, upon activation, silently injects PHP code using the logged-in administrator's cookie session and any CSRF tokens it encounters.
That, I would say, is going beyond cookie stealing and phishing. If it's just about being persistent, then I'd like to point out, as .mario did as well, that there's a technique developed by FortConsult a couple of years ago called Site-Wide XSS, which also goes beyond the classic XSS attack approach.
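The defensive counterpart to the server-fetched page title described above, as an added example that is not part of the original post and not code from the affected application: it treats a remotely fetched title as untrusted text and encodes it where it is written into the admin page. It is written in Python rather than PHP, and the function names, the CSS class and the sample page are constructed for illustration.

```python
import html
import re

# <title> content is raw text up to the closing tag, so a non-greedy match is enough.
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]+")


def extract_title(page_html: str, max_len: int = 120) -> str:
    """Return the remote page's title as plain text: untrusted input, not markup."""
    match = TITLE_RE.search(page_html)
    if not match:
        return ""
    text = html.unescape(match.group(1))   # decode entities so storage holds plain text
    text = CONTROL_RE.sub(" ", text)       # newlines, tabs, NULs become spaces
    text = " ".join(text.split())          # collapse whitespace runs
    return text[:max_len]                  # bound what gets stored and displayed


def render_unsafe(title: str) -> str:
    """The 'before': the fetched title is concatenated into admin HTML as-is."""
    return '<td class="linkback-title">' + title + "</td>"


def render_safe(title: str) -> str:
    """The fix: encode for the HTML context at output time."""
    return '<td class="linkback-title">' + html.escape(title, quote=True) + "</td>"


# Constructed sample of a page the server fetched from a third-party URL.
REMOTE_PAGE = (
    "<html><head><title>Great post\n <script>alert(1)</script></title></head>"
    "<body>...</body></html>"
)

if __name__ == "__main__":
    title = extract_title(REMOTE_PAGE)
    print(render_unsafe(title))  # markup from the remote page reaches the admin's browser
    print(render_safe(title))    # the same title shown as inert text
```

Because the request that carries the hostile title is made by the server itself, inbound request filtering never sees it; encoding at the point of output is the control that still applies, and it has to hold before any script runs in the administrator's session, where CSRF tokens are readable.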