steal your cookies for their use....
I would not need to steal cookies. I could just change your pass.
No, you couldn't. I've already tried that with a real XSS hole on this site. The only way you'd have a shot at changing the password or actually doing anything of interest would be to:
2. Now that you already have the token and cookies, all you have to do is change your IP. Use something like this (http://stackoverf. . .ip-address) to 'spoof' your IP (basically just send a one-way connection to hbh to change the password or do whatever you want).
The first step is really easy but good luck getting the second part to work.