XSS isn't unique to external web pages.  There is a definite risk with custom built apps internally used.  An easy example is a persistent XSS attack where your users are opening a VisualForce page or component that uses a sobject field in javascript without scrubbing it:
 

<script>
 var poorCode = '{!Case.poor_code__c}';
</script>

If I were able to manipulate that data field in any other place as another user I can create a persistent XSS attack for the next person to open the affected Page/Component by inserting some javascript that breaks out of the containment.  Basic example data in the field that breaks behavior:
 

';alert('whoops

Depending on how clever I get with the amount of text space I have on that field, I could side-load more javascript from a remote host that executes and steals your session Id.  Now I have access to your user's session (there are other controls that can prevent that in Session settings, particularly the session lock settings).

The simple fix to the example is to wrap your variables in VF/components with JSENCODE to scrub (escape) the variable when using it in javascript:
 

<script>
 var saferCode = '{!JSENCODE(Case.poor_code__c)}';
</script>

For a rundown of the different attack vectors I recommend reading up on OWASP (owasp.org) as a resource for developing secure code.  There are various tools for testing like x5s (a plugin to Fiddler HTTP proxy) and static analysis tools like Checkmarx.  The latter is provided free by Salesforce for scanning Salesforce orgs with under 750k lines of code.  For orgs exceeding that you can purchase licenses with Checkmarx directly.  There are a few other tools, but I haven't tried them so I can't speak to them.  If you do your own testing be sure to follow the penetration testing guidelines here (not as bad for XSS only tools, but more thorough penetration testing tools you for sure should follow this process):  https://help.salesforce.com/apex/HTViewSolution?id=000206497&language=en_US

http://security.force.com/security/tools/forcecom/scanner