There is many ways to do this, and almost all sites( at least large sites ) is some kind of vulnerable for XSS.

How to check a site for XSS vulnerability:
* Check all forms, votes, search, contact, etc. On the reply screen see how the data is outputted and check for database connectivity. ( Check how the characthers are manipulated )
* Check all pages where the url takes parameters and values. Check output on the reply screen, check for database connectivity, etc. ( Manipulate the data here to see what happens )
* Check the webserver software, if it is IIS DotNet server check the Viewstate info, this can be manipulated if it is not encrypted, then you can make your own viewstate, which makes the content of the page.

For example you can manipulted a Internet bank's, then make a fake login, which sends the account number and password and wallett to a anonymous mail account that you control.

It takes an hour to set up, use the banks own pages to send you information.
( You copy the real bank login and manipulate it to send the form content to your anonymous set up page, which sends the info to your mail. )