{"slug": "intigriti-challenge-0526-writeup", "title": "Intigriti Challenge 0526 Writeup", "summary": "This article summarizes a writeup for Intigriti Challenge 0526, a cross-site scripting (XSS) challenge on a community feed website. The author discovered an injection point in the user name field, but a server-side filter called \"SCA Shield\" blocked common XSS characters and tags. The solution involved bypassing the filter using a CSS keyframes payload with base64-encoded functions and character hex codes, though the author notes this was an unintended solution.", "body_md": "Well, this is a typical XSS challenge: you find an injection point and pop an alert. Pretty straightforward, you just have to find that injection point.\nThis month's challenge is a community feed website with register and login pages, a Testimonials page where you can post and a profile page where you can edit your profile. That's a bunch of potential injection points to test; surely it's one of them. The footer also mentions something called `SCA Shield v1.0`, is it Side Channel Attack?\nUpon inspecting the source, all the page content is generated dynamically using a single `app.js` script, and `innerHTML` is heavily used throughout the script to inject content, but surprisingly `DOMPurify` is only used to sanitize the user comment and not their name?\n`nameDiv.innerHTML = t.user_name;`\nI thought it's the moment, we found an injection point. I went and changed the name to a typical XSS script and... it didn't work. It's the same `SCA Shield` which was mentioned in the footer that is preventing us; it's a server-side check.\nWe get this message:\nSCA Shield: Malicious characters detected! Quotes, parenthesis, dots, commas, and semicolons are strictly forbidden.\nand this when using script tags:\nSCA Shield: Malicious payload signature detected!\nWell, at least now we have a list of things to remove from our payload and it should just work. It seems it only detects a few tags like script and other related words. 
Tags like style and svg work just fine.\nI had read about this XSS payload using CSS keyframes, so I thought to give it a try, and it worked.\nAfter a bit of back and forth, I came across this\n<style>@keyframes x{}</style><b style=animation-name:x onanimationstart=window[atob`YWxlcnQ=`]` pwned`>\n`window` is blocked, so we use `top`, which points to the topmost frame, and in a normal page, it's the page itself\n`alert` is blocked, we just base64 it lol, `atob` isn't blocked\nand tagged literals instead of quotes\nand it works! 🎉\nNow for the origin version for the domain check, we need to do a few modifications.\nI realized we can just use character hex code equivalents to mask the words since it does exact match, we can use parenthesis now!\nReplacing `a` with its equivalent `\\x61`, `(` to `\\x28` and `)` to `\\x29`, we have the following:\n<style>@keyframes x{}</style><b style=animation-name:x onanimationstart=Function\\\\x61lert\\x28origin\\x29\\```>\nand there you go, we're done!\nI submitted it to Intigriti, and they told me it was an unintended solution. While I haven't yet gone to an intended solution, I feel it's something related to the `PixelAnalyticsConfig` residing in the `app.js`, and seeing their first hint makes it more probable, but I haven't yet explored it.", "url": "https://wpnews.pro/news/intigriti-challenge-0526-writeup", "canonical_source": "https://dev.to/arnavkr/intigriti-challenge-0526-writeup-3f74", "published_at": "2026-05-23 12:37:31+00:00", "updated_at": "2026-05-23 13:04:28.371373+00:00", "lang": "en", "topics": ["cybersecurity"], "entities": ["Intigriti", "SCA Shield", "DOMPurify"], "alternates": {"html": "https://wpnews.pro/news/intigriti-challenge-0526-writeup", "markdown": "https://wpnews.pro/news/intigriti-challenge-0526-writeup.md", "text": "https://wpnews.pro/news/intigriti-challenge-0526-writeup.txt", "jsonld": "https://wpnews.pro/news/intigriti-challenge-0526-writeup.jsonld"}}