Cute RPG where limited parts of the level code itself can be overwritten to solve puzzles (e.g., in one level, changing the behaviour of a door such that opening it does not remove the key from the player's inventory).
Fun game of practical XSS. Some amazing tricks there and I am confident I have left some of these holes open in the past.
For those of us who remember JavaScript as a toy, only used for superfluous "DHTML", it's amazing to see it used as a real language -- capable of running an x86 emulator. If nothing else, people will have to stop pointing at Gmail as an example of an impressive client-side web application.
Open a small floating pane with common accented and special characters.
The Advanced obfuscated JavaScript analysis he links to at SANS is just as impressive/scary.
Incredible: a significant subset of Firebug, also compatible with IE and Opera, in a bookmarklet.