My understanding of XSS attacks focused on people entering malicious input via forms (persistent XSS attack).

However I'm trying to understand non-persistent. Is this an example (obviously the alert could be substituted for something more sinister...)

http://localhost/MyProject/action.do?Title=<script>alert('XSS');</script>
+2  A: 

It's definitely a vulnerability, if nothing else, you can send the link with XSS code like this to someone.

Darth
+7  A: 

Yes, pretty much. Consider if you have logged in: those scripts can also access your cookies and could send them anywhere.

S.Mark
+11  A: 

One problem with that link, though, is <tags> typically aren't allowed in URLs without URL encoding them first. So mailing that link around or posting it wouldn't do you much good.

The more realistic URL encoded form of it would be ..

http://localhost/MyProject/action.do?Title=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E

After clicking on this URL, the destination web server would unescape the Title value and if ...

<script>alert('XSS');</script>

... is written as-is without being HTML escaped to the page, that's absolutely XSS.

Jeff Atwood
+1  A: 

I don't have the reputation to comment on Jeff Atwood's answer, so I will disagree with it here. A link like that could certainly be mailed around and used to exploit sites that are vulnerable to reflected XSS. I tested it with Gmail and a site over which I have control.

Perhaps encoding was being done in the background, but regardless, I was able to type in the link, email it, and then click the link and have the exploit work. Additionally, in every browser I tried I was able to directly type in the payload without encoding and have the script fire.

So yes, that code is "valid XSS" and if your site triggers that JavaScript then your site is vulnerable to a reflected XSS attack.

Jason Dean
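The decode-then-reflect step that the answers above describe, as an added example that is not part of the original question or answers: a server that URL-decodes the `Title` parameter and writes it into the page unescaped reflects the script, while HTML-escaping on output turns the same value into inert text. The handler names (`render_title_unsafe`, `render_title_safe`) are assumptions; the request URLs are the two forms quoted in the question and in Jeff Atwood's answer.

```python
"""Added example (not from the original page): reflected XSS via the
Title query parameter, and the output-escaping fix.  Function names are
assumptions; the URLs are the ones quoted in the thread."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs: the raw form from the question and the
# percent-encoded form from Jeff Atwood's answer.
RAW_URL = "http://localhost/MyProject/action.do?Title=<script>alert('XSS');</script>"
ENCODED_URL = ("http://localhost/MyProject/action.do?Title="
               "%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E")


def title_from_url(url: str) -> str:
    """Return the decoded Title parameter, as the web server would before
    handing it to action.do (percent-escapes are undone here)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("Title", [""])[0]


def render_title_unsafe(title: str) -> str:
    """Vulnerable handler: the decoded value is written into the HTML as-is,
    so a <script> element in the value becomes part of the page."""
    return f"<h1>{title}</h1>"


def render_title_safe(title: str) -> str:
    """Fixed handler: HTML-escape on output, so '<', '>', quotes and '&'
    in the value render as literal characters, never as markup."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


def reflects_script(markup: str) -> bool:
    """Crude response check a tester might run: did a <script> tag survive
    into the rendered page?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for url in (RAW_URL, ENCODED_URL):
        title = title_from_url(url)
        print("decoded Title:", title)
        print("unsafe page  :", render_title_unsafe(title))
        print("escaped page :", render_title_safe(title))
```

Both URLs decode to the same `Title` value, which is why the encoded and unencoded links behave the same once the server has parsed the query string.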