It truly surprises me that even after seeing loads of security holes in most of the famous web sites (I am looking at you, Twitter), how we neglect the importance of testing for these bugs.
It's simple folks. Very simple. It's no rocket science.
You got a text field in your web site? Simply try something like '< body onload="alert('hi')">' and submit.
Did you get a nice pop up ? You've got yourself a bug to fix.
Nothing frustrates me more than seeing a testing team spending loads of time writing test cases, documenting them and writing meaningless automated scripts, while they could spend few minutes of their time to find these kind of important bugs.
Look at the list of well known sites that have XSS holes : http://www.reddit.com/r/xss/top/?t=year
