I was just reading RSnake's post on Attacking Applications Via XSS Proxies. We've toyed around with different XSS exploitation ideas for a long while, but having seen it written out, its spooky. Essentially RSnake describes how someone could hack a website, using an XSS'ed victim, with the bonus that the attackers IP never shows up in the target machines logs. The explanation is a bit complicated, the XSS proxy attack diagram makes it easier, but once it clicks you'll see how plausible and easy the idea becomes.
Another side effect of the research applies to cyber crime (hacking) cases. I've read that court have found reasonable doubt for the accused where the arguement is a trojan-horse on their machine did the hacking. Not them. The forensic investigators certianly can't rule out the possibility, because hey, the machine did have a trojan and could have done exactly that. The thing is XSS malware is able act similarly to an typical trojan horse, the main difference is the code resides in the web browser, and not present on the filesystem or memory.
What if a person wanted to frame someone using an XSS attack? For instance making their victim hack another website (ala Rsnake), DoS some government websites, or access some pedophilia. Every log in the world would say the victim did exactly that and leaves very little if any forensic evidence. Trojan defense goes out the door, for the innocent and the guilty, especially since I doubt forensic investigators are looking for XSS malware to begin with.