This is less a technical article than an exercise in open-ended thinking. It focuses on how to find usable input points when the obvious ones are filtered.
In essence, an XSS attack only needs one unfiltered input point whose data is later rendered by something that parses scripts (not only browsers; SQL injection works the same way with whatever interprets the query). The input point is not just a form on a web page: once you start looking, input points are everywhere. Below are some ideas I find valuable; I would welcome yours.
User-Agent field
Not only the User-Agent, but any other request header field that ends up in a log. For example, set the User-Agent to
"<script>window.location = "http://www.freebuf.com/"</script>"
Many log analysis tools generate reports in HTML. If the field is written into the report without proper output encoding, the inserted JavaScript runs in the administrator's browser when the report is viewed. Splunk once had an XSS vulnerability of this kind because the Referer field was not filtered.
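To make the failure concrete, here is an added example (it is not code from the original article or from any of the tools it mentions). It parses a few constructed Apache combined-format log lines, one carrying the User-Agent payload above and one carrying a Referer that breaks out of an HTML attribute, and builds the same HTML report twice: once the way many log viewers do it, concatenating header values straight into markup, and once with HTML entity encoding applied to every field. The log format and the sample lines are assumptions for the demonstration.

```python
import html
import re

# Constructed sample lines in Apache "combined" log format (not from the original article).
# Line 2 carries the article's User-Agent payload; line 3 carries a Referer that breaks out
# of an HTML attribute. Literal quotes inside a field are escaped as \" by the web server.
SAMPLE_LOG = r'''203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "<script>window.location = \"http://www.freebuf.com/\"</script>"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 403 199 "http://x/\" onmouseover=\"alert(1)" "curl/8.0"
'''

# One quoted field: any run of non-quote, non-backslash chars or backslash-escaped chars.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"$'
)

def _unescape(field):
    # Undo the server-side backslash escaping so we hold the attacker's raw bytes.
    return re.sub(r'\\(.)', r'\1', field)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ('request', 'referer', 'agent'):
                d[k] = _unescape(d[k])
            entries.append(d)
    return entries

def render_report(entries, escape):
    """Build an HTML table of the log. escape=False is the vulnerable pattern found in
    many log viewers: attacker-controlled header values are concatenated straight into
    markup. escape=True applies HTML entity encoding (including quotes) to every field."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    rows = []
    for e in entries:
        cells = (e['ip'], e['status'], e['request'], e['referer'], e['agent'])
        rows.append('<tr>' + ''.join(f'<td>{enc(c)}</td>' for c in cells) + '</tr>')
    header = ('<tr><th>IP</th><th>Status</th><th>Request</th>'
              '<th>Referer</th><th>User-Agent</th></tr>')
    return '<table>' + header + ''.join(rows) + '</table>'

if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    print(render_report(entries, escape=False))  # script tag lands in the page verbatim
    print(render_report(entries, escape=True))   # rendered as &lt;script&gt;... text only
```

The point of the Referer line is that encoding only `<` and `>` is not enough: a value that closes an attribute with a quote needs the quote encoded as well, which is why the hardened path uses `quote=True`.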
SSIDs
This one is hypothetical. An SSID can be up to 32 bytes and may contain non-printable characters, and SSIDs show up in logs that record Wi-Fi connection history. A minimal payload such as <script>alert(1)</script> is only 25 characters, so it fits.
Event Log
Many people use third-party tools to view and analyze event logs. If we attempt to log on with the user name
<script>alert("XSS");</script>
the failed logon is recorded in the log together with that user name. If the third-party tool does not encode the string properly, the administrator is exposed to XSS when viewing the HTML report the tool generates.
Computer name and description
I have tried this scenario in SoftPerfect's NetScan. Insert XSS code here; it is rendered when the penetration tester checks the scan report.....
Application name and metadata
Some management software lists the software installed on each computer; if that listing is rendered as HTML...
Banners
Most network scanners grab service banners and can export results in several formats, including HTML and XML. A service the attacker runs can return any banner text it likes.
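The event log, SSID, computer name and banner sections above all describe the same defender-side problem: an identity-type field that should never contain markup, reaching a report. As an added example (not code from the original article or any tool it names), here is detection logic that scans such records for markup before they are rendered. The record layout and field names are assumptions, and all sample values are constructed; one SSID fits the 32-byte limit, one host name carries a URL-encoded payload that only appears after decoding, and one record is benign so the rules can be seen not firing.

```python
import html
import re
from urllib.parse import unquote

# Constructed records standing in for what a log viewer or scan report ingests. The
# field names are assumptions, not taken from any particular tool. They cover the
# injection points discussed above: a failed-logon user name, an SSID, a scanned
# host name, a grabbed service banner, an encoded variant, and one benign record.
RECORDS = [
    {"source": "security-log", "event": 4625,
     "TargetUserName": '<script>alert("XSS");</script>', "WorkstationName": "WS-0042"},
    {"source": "wifi-log", "ssid": "<img src=x onerror=alert(1)>", "bssid": "00:11:22:33:44:55"},
    {"source": "netscan", "hostname": "PC-<svg/onload=alert(1)>", "description": "Finance laptop"},
    {"source": "banner", "host": "198.51.100.4", "port": 25,
     "banner": '220 mail ready" onmouseover="alert(1)'},
    {"source": "netscan", "hostname": "%3Cscript%3Ealert(1)%3C/script%3E", "description": "printer"},
    {"source": "security-log", "event": 4624, "TargetUserName": "alice", "WorkstationName": "WS-0042"},
]

# Markup that has no business in an identity-type field. "<" followed by a letter is
# enough to flag here: a user name, SSID or host name never legitimately needs it.
MARKUP_RULES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z!?]")),
    ("event_handler", re.compile(r"\bon[a-zA-Z]+\s*=")),
    ("js_url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("attr_breakout", re.compile(r"""['"]\s*>""")),
]

def decode_layers(value, max_rounds=3):
    """Return value followed by successive URL-decoded / entity-decoded forms.
    A report generator may decode before rendering, so encoded payloads count."""
    forms = [value]
    for _ in range(max_rounds):
        nxt = html.unescape(unquote(forms[-1]))
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms

def scan_field(name, value):
    """Findings for one field as (field, rule, decode_rounds) tuples."""
    findings = []
    if not isinstance(value, str):
        return findings
    for rounds, form in enumerate(decode_layers(value)):
        rule = next((r for r, pat in MARKUP_RULES if pat.search(form)), None)
        if rule:
            findings.append((name, rule, rounds))
            break  # report the shallowest decoding level that exposes markup
    if name == "ssid":
        # 802.11 limits an SSID to 32 octets; anything longer did not come from a real AP.
        if len(value.encode("utf-8")) > 32:
            findings.append((name, "ssid_too_long", 0))
        if any(not c.isprintable() for c in value):
            findings.append((name, "non_printable", 0))
    return findings

def scan_records(records):
    """Scan every string field of every record; returns (record_index, field, rule, rounds)."""
    hits = []
    for i, rec in enumerate(records):
        for name, value in rec.items():
            if name == "source":
                continue
            hits.extend((i,) + f for f in scan_field(name, value))
    return hits

if __name__ == "__main__":
    for hit in scan_records(RECORDS):
        print(hit)
```

Detection like this is a safety net, not the fix: the report generator still has to encode every field on output, as in the log example above. The decode loop matters because a tool that URL-decodes or entity-decodes values before writing its HTML turns an innocuous-looking string into live markup.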