This is a talk/group exercise on Cross-Site Scripting (XSS). One of the most popular OWASP Top Ten Web Vulnerabilities, XSS is most commonly demonstrated with a simple 'alert' box. However, if executed properly, it can lead to near-total control of a web application. This talk demonstrates the most common XSS attack vectors and discusses payloads that go beyond the Proof of Concept and lead to real compromise.