XSS tends to get the eyeroll treatment from security pros since
a) it’s everywhere. 2 min of looking for an example on the GOP website, and tada:
b) your 8-year-old kid can find it after about 2 minutes of instruction
c) it doesn’t give you a shell (directly)
But it still works. And it owned apache. http://www.theregister.co.uk/2010/04/13/apache_website_breach_postmortem/ First step to root, and pretty big impact at that. If a target of mine had a sufficiently capable web site, I would prefer XSS over another exploit because it works on any OS, and usually any browser. It doesn’t matter what privilege dropping capabilities the Chrome sandbox uses. It’s reliability isn’t going to change on random ASLR and OS settings. It isn’t going to crash the browser if it fails. Which it won’t. Patch Tuesday isn’t going to fix it either.
Remember your goals, and choose the best exploits for the job.