A detailed writeup of the Intigriti April 2026 XSS challenge, explaining how four individually harmless bugs are chained to achieve JavaScript execution and cookie theft. The chain involves:

1. An unauthenticated preferences API that stores arbitrary JSON manifests.
2. A percent-encoded path traversal that bypasses a server-side filter and injects a malicious panel value into __APP_INIT__.
3. An unencoded panel value used in a fetch URL, which the browser normalizes so that the request hits the attacker's preset endpoint.
4. A postSanitize regex bypass that uses string concatenation to split blocked keywords such as 'alert' and 'document'.

Together these allow loading a malicious DOMPurify config that enables a script execution sink via data-cfg attributes, ultimately leaking the reviewer bot's cookie.

8 min read. From infosecwriteups.com