SETUP: I am the CEO of a regional bank. Our security team wants more resources (money, personnel) to get XSS vulnerabilities out of our online banking portal. I'm not convinced this is a good investment. Even if a malicious transfer gets made, we have extensive logs that will indicate who received the money, and procedures in place for rolling back transactions. We're a smaller, low-profile bank, so we're not an obvious target. The cost seems too high relative to our risk.
TASK: Brainstorm specific attacks that could be launched if an attacker is able to steal a user's session token. Try the perspectives of customers or attackers as you consider the broad consequences of these vulnerabilities.