They even published a "Top 4":
- Place 1 goes to: cia.gov
- Place 2 goes to: gmao.gsfc.nasa.gov
- Place 3 goes to: cdmrp.army.mil
- Place 4 goes to: www.onr.navy.mil
"All shown vulnerabilities can be found by using the corresponding web site in a legal way. All links are published for educational purposes only and not to harm anything or anybody. All used techniques are well known for many years and can be considered state-of-the-art. Though it is obvious that the shown vulnerabilities can be used for fraudulent purposes anonymously."
For technical details on XSS, I suggest the topic on OWASP and the CgiSecurity FAQ.