A wifi name rooting your router. A TLS certificate field taking over hosting accounts. A DNS response taking down a European network. Not your everyday injection vector, and easy to miss in security review. I spent the past year putting injection payloads into every protocol field I can control as an infrastructure operator: TLS certificates, DNS responses, HTTP headers, SSIDs, routing registries, and more. The impact ranges from amusing, to hosting account takeover, to rooting OpenWrt routers wirelessly, to taking down European networks through a single link. My payloads are textbook XSS. Their locations and the escalations are not. The common thread is misplaced trust: protocol data is trusted because of where it comes from. When that data reaches a tool that renders it in a browser and shares a trust boundary with something sensitive, the impact escalates fast. This talk covers interesting findings and the structural pattern behind them.
