Exploiting XSS

[Ravi Gopal <ravigopalt () gmail com>]

Dear List,

I'm doing a WAPT for a website and found many XSS issues (both Stored 
and Reflected).
I wanted to do more and show to the customer, apart from normal script  
injection  and  getting it popped up.

Consider that u found an XSS issue in a field and your script is running,

  1. Now what are the further steps for exploiting XSS completely????
  2. How an attacker can really make  use of  it?
  3. How to Compromise ??
  4. What are the real world scenarios can be used

Looking for few good inputs/imlementations/expolits/BooKs ..............

Thanks in advance,

Cheers,
White hat