During last webapp pentest I was asked to prepare some scenario of possible XSS exploitation. I decided to use an old technique (see Grossmann and RSnake ;)) related to "portscan in JS". My change was that I decided to check for local resources, not for open ports. Results below:
If you will use (as your XSS payload) something like:
or you will just put the code in vulnerable form, you should be able to enumerate resources on remote host. You can of course extend this more and more... but I will let you do it as a homework ;)
Code is also available at my github.