I’m really behind in email so this is a few days old, but Michael Sutton wrote up an interesting post about the rate of XSS vulnerability among sites turned up by a few simple search terms. He found that around 17.3% of the sites he checked were vulnerable to XSS on the exact page that the search engine sent him to (when querying for things like inurl:"search=xxx" intext:"search results for xxx").
Of course that’s not actually the number of vulnerable sites; it’s just what he was able to find at that given URL on those sites. The statistic may also be slightly misleading because it depends on the search term given. Obviously there are other Google dorks that could have proven to be 100% or 0% depending on how they are constructed. But still, it’s interesting, and certainly a valid way to identify large-scale swaths of vulnerable sites.
Writing automated scanners to pick up huge chunks of vulnerable sites is incredibly easy if you are uninterested in targeted attacks or are more of an opportunistic exploiter. But providing a JSON interface to a search API could also help cross-domain XSS virus propagation.
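As an added illustration (not code from Michael Sutton's post or from this one), here is a minimal Python model of the reflected "search results for xxx" page that those dorks turn up, beside its escaped counterpart, plus a self-check a site owner can run against their own results template. The URL, parameter name and marker string are constructed for the example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample URL of the shape the dork  inurl:"search=xxx"  matches (not a real site).
SAMPLE_URL = "http://example.invalid/results.php?search=xxx"


def query_from_url(url: str) -> str:
    """Pull the 'search' parameter out of a results-page URL ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def render_vulnerable(query: str) -> str:
    """The pattern the post describes: the search term is concatenated straight into the HTML."""
    return f"<h2>Search results for {query}</h2>"


def render_hardened(query: str) -> str:
    """Same page with the term HTML-escaped, so any markup in it is displayed as text."""
    return f"<h2>Search results for {html.escape(query, quote=True)}</h2>"


def reflects_markup(page: str, query: str) -> bool:
    """Self-check for a site owner: the term carries HTML-significant characters and the
    rendered page still contains it verbatim, i.e. the template did not escape it."""
    return any(c in query for c in "<>\"'&") and query in page


if __name__ == "__main__":
    # Harmless marker (a <b> tag), enough to show whether the template escapes its input.
    probe = query_from_url("http://example.invalid/results.php?search=<b>xxx</b>")
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(probe)
        print(f"{name:10s} reflects markup: {reflects_markup(page, probe)}  {page}")
```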