Intigriti Challenge 0526 Writeup

Well this is a typical XSS challenge, you find an injection point and pop and alert. Pretty straightforward, just have to find that injection point.

This month's challenge is a community feed website with register, login page, Testimonials page where you can post and a profile page where you can edit your profile, that's a bunch of potential injection points to test, surely its one of them. and the footer mentions something called SCA Shield v1.0, is it Side Channel Attack?

Upon inspecting the source, all the page content is generated dynamically using a single app.js script. and innerHTML is heavily used throughout the script to inject content, but surprisingly DOMPurify is only used to sanitize the user comment and not their name?

nameDiv.innerHTML = t.user_name;

Enter fullscreen mode

Well this is a typical XSS challenge, you find an injection point and pop and alert. Pretty straightforward, just have to find that injection point.

nameDiv.innerHTML = t.user_name;

Enter fullscreen mode

Intigriti Challenge 0526 Writeup

Intigriti Challenge 0526 Writeup

Other newsrooms on this story

Related reading

Master XSS the Practical Way: Introducing xss-labs

AI Prompt Injection, Drupal SQLi Exploitation, and Nmap for Hardening

Nginx CVE-2026-9256, AI Prompt Injection Defenses, and Claude AI Data Leak Demo

Drupal: Critical SQL injection flaw now targeted in attacks

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Cookie thieves caught stealing dev secrets via fake Claude Code installers

Other newsrooms on this story

Related reading

Master XSS the Practical Way: Introducing xss-labs

AI Prompt Injection, Drupal SQLi Exploitation, and Nmap for Hardening

Nginx CVE-2026-9256, AI Prompt Injection Defenses, and Claude AI Data Leak Demo

Drupal: Critical SQL injection flaw now targeted in attacks

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Cookie thieves caught stealing dev secrets via fake Claude Code installers