When i came to know about the Cross Site Script (CSS) attack long time back, i thought how good an attack can it be, if the script is running in a client browser and that too in a controlled execution environment provided by many modern browsers.
I found that someone can inject a script to refresh the page in some shorter interval of time and can effectively bring down the web server with lot of load from just a fraction of legitimate users.
DOS. My intial (illiterate) assumption was some hacker has to control a large no. of zombie clients to use this techinique, that was totally busted with a simple CSS.
A lesson to all those who believe world is so NICE!!!