Firefox Demo: Password stealing
Firefox, if allowed, can store usernames and passwords. If you visit a login page again, the password is then entered automatically. But this means, that a second, evil page on the same server could steal those saved passwords.
Enter a fictional username and password in the dialog boxes below, submit and allow Firefox to save them. Do not enter real passwords.
Now open this "evil" page. It will read your username and password and display them in an alert message. It could have sent them anywhere and the output of the evil page could be hidden.
There has been some discussion, if this really is a vulnerability in Firefox. Because if an attacker can place script code on a server, he has other means to steal passwords. For details see Holes in Firefox password manager.