Most folks know that cross-site scripting (XSS) bugs can be used to steal logon cookies, as this scenario is touted pretty often as a classic XSS exploit.  How about an read-only site without requiring any logons, such as dictionary sites or some news sites?  Since there are no logon tokens, cookies at most may contain user preferences.  Are those sites immune to XSS?

Unfortunately, XSS bugs can be used to let phishers use XSS bug as a redirect to a phish site.

Let's assume that<script>alert()</script> contains a XSS bug on the parameter named w, and allows any Javascript to be run.  I can send you a link on that redirects to any sites by setting window.location in Javascript.  The link would be<script>window.location=""</script>.   Once clicked on, the link will redirect traffic to

A phisher would use a vulnerable well-known site, hide window.location script snippet by obsfucation, and redirects to a phishing site.  When a user examins URL, it would legitimately point to the well-known site.  Not all users would examine the rest if it is obfuscated well.  When the user clicks on the link pointing to a well-known site, the users just gets "phished".

Now that you understand XSS can also be used as a stepping stone for a phisher, you should guard against XSS in all situations.  In order to prevent XSS, please read for general strategy.  In addition, ACE Team also publishes free anti-XSS library to help you mitigate XSS.