XSS, Command and SQL Injection vectors: Beyond the Form

Active Directory

        Not to beat a dead horse, but what about all of the fields you can fill out on an Active Directory or LDAP object? Now that I think about it, maybe it's time for me to update my ADS Reaper tool.

Application Names and Metadata        Got an asset tracker that lists the software installed on a machine to a lovely HTML report? Does the assets tracking software look at the metadata in files? That could be another possible vector.

Banners

        Is your custom scanning software logging the banners it sees on open ports? What if the banner has a little malicious XSS?

Conclusion

        Granted, many of these possible attack vectors are hypothetical, and depend on reporting tools not sanitizing data. Still, I hope this short article makes the wheels in your head start grinding away at new way of thinking when it comes to injection attacks. For more ways to mangle XSS to get it past filters, check out RSnake's excellent cheat sheet:
http://ha.ckers.org/xss.html