Intigriti Challenge 0526 Writeup

This article summarizes a writeup for Intigriti Challenge 0526, a cross-site scripting (XSS) challenge on a community feed website. The author discovered an injection point in the user name field, but a server-side filter called "SCA Shield" blocked common XSS characters and tags. The solution involved bypassing the filter using a CSS keyframes payload with base64-encoded functions and character hex codes, though the author notes this was an unintended solution.

Well this is a typical XSS challenge, you find an injection point and pop and alert. Pretty straightforward, just have to find that injection point. This month's challenge is a community feed website with register, login page, Testimonials page where you can post and a profile page where you can edit your profile, that's a bunch of potential injection points to test, surely its one of them. and the footer mentions something called SCA Shield v1.0 , is it Side Channel Attack? Upon inspecting the source, all the page content is generated dynamically using a single app.js script. and innerHTML is heavily used throughout the script to inject content, but surprisingly DOMPurify is only used to sanitize the user comment and not their name? nameDiv.innerHTML = t.user name; I thought its the moment, we found an injection point, went and changed name to a typical XSS script and... it didn't work, its the same SCA Shield which was mentioned in the footer, which is preventing us, its a server side check. we get a message SCA Shield: Malicious characters detected Quotes, parenthesis, dots, commas, and semicolons are strictly forbidden. and this when using script tags SCA Shield: Malicious payload signature detected Well, at least now we have a list of things to remove from our payload and it should just work. it seems it only detects few tags like script and other related words. tags like style, svg just work fine. I had read about this XSS payload using CSS keyframes, so I thought to give it a try. and it worked. After a bit of back and forth, I came across this <style @keyframes x{}</style <b style=animation-name:x onanimationstart=window atob YWxlcnQ= pwned window is blocked, so we use top which points to topmost frame, and in a normal page, its the page itself alert is blocked, we just base64 it lol, atob isn't blocked and tagged literals instead of quotes and it works 🎉 now for the origin version for domain check, we need to due few modifications. I released we can just use character hex code equivalents to mask the words since it does exact match, we can use parenthesis now replacing a with its equivalent \x61 , to \x28 and to \x29 we have the following: <style @keyframes x{}</style <b style=animation-name:x onanimationstart=Function\\x61lert\x28origin\x29\ and there you go, we're done I submitted it to Intigriti, and they told it was an unintended solution. while i haven't yet gone to an intended solution, i feel its something related to the PixelAnalyticsConfig residing in the app.js and seeing their first hint makes it more probable, but haven't yet explored it.