Well... I just dont understand how an attacker that is injecting and running JavaScript code on my site can be harmful in any way.
With SQL injection, sure. He can get all the Database data and he will actually accomplish something.
But with JavaScript... I dont quite see how it works.
Here is a decent whitepaper I found while surfing Google. This is a decent PDF, giving a preview and a look at a nice vulnerability assessment framework, as well as some references for further reading. As with anything, with great power comes great responsibility. Learn, apply your knowledge, have fun, and above all, keep it legal!