When identifying XSS (Cross-site Scripting) within a target application, I often choose to go beyond a proof-of-concept exploit such as popping an alert box.  I find that the best payloads are those which exploit functionality within the application which require authentication, such as adding a new user when logged in as an administrator.  Other useful…