





Poll: Your favourite vulnerability?
SQLi?: 5 vote(s), 45.45%
XSS?: 5 vote(s), 45.45%
A third vulnerability?: 1 vote(s), 9.09%
Total 11 vote(s) 100%


XSS vs SQLi
RE: XSS vs SQLi #11
XSS is easier, SQLi is more powerful. None of those are my faves though. I love arbitrary uploads and misconfigurations, and when I'm bored I like to get old-school and try to exploit software (not webapps obviously) with buffer overflows (that's pretty damn hard, but it's great for learning more in-depth stuff about how your computer's memory and processor work).


RE: XSS vs SQLi #12
(09-29-2012, 06:43 PM) unknownAttacker Wrote: XSS is easier, SQLi is more powerful. None of those are my faves though. I love arbitrary uploads and misconfigurations, and when I'm bored I like to get old-school and try to exploit software (not webapps obviously) with buffer overflows (that's pretty damn hard, but it's great for learning more in-depth stuff about how your computer's memory and processor work).

XSS easier than SQLi? I challenge you to pass my XSS challenge! http://www.hackcommunity.com/Thread-Hack...-challenge

XSS is not easier. In some cases it can be even more difficult because:
=> There are a lot more things to filter
=> There are not so many things you can hide
=> Browser compatibility

In SQL injections, you don't need to get into any <script> tags or whatever. You already are in a script, so all you have to do is find a way through WAF and IDS, which is kinda simple. The downside of SQLi is that you can't see exactly how your code is handled tho...
Staff will never ever ask you for your personal information.
We know everything about you anyway.


RE: XSS vs SQLi #13
I agree with 1llusion. I find XSS more fun than SQLi and it's more challenging. I once read a post stating "Only fool says that you can do nothing with XSS". I think XSS has more capability than SQLi :) well, at least IMO.
Don't Expect US, They Are Anonymous +PH+







