🚩Intigriti Challenge 0226 — From Blocked Alert to Admin Flag

In the name of Allah, the Most Gracious, the Most Merciful, and peace and blessings be upon the one sent as a mercy to the worlds ﷺ

This challenge was about exploiting a real XSS vulnerability on the challenge page in order to retrieve the flag. The attack had to work in a normal browser environment and be reproducible with clear payloads and steps.

With that in mind, I started analyzing the application.


I started with a basic test:

The alert did not execute, but when I inspected the page, the script tag was still present in the DOM. The input was not sanitized, so the issue had to be elsewhere.

Checking the console revealed the reason: a Content Security Policy blocking inline scripts with script-src 'self'.

So inline JavaScript was not allowed, but same-origin scripts were.


Finding a Way Around CSP

While exploring the application, I found a JSONP endpoint:


It returned JavaScript in this format:

Because it was served as application/javascript and from the same origin, it was allowed by CSP.

I tested:

This time, the alert executed. That confirmed I had JavaScript execution through callback injection.
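For defenders, the root cause here is a JSONP endpoint that echoes an unvalidated callback name into a same-origin script, which script-src 'self' then trusts. As an added illustration (not code from the challenge or this write-up), a minimal Node-style responder with the unsafe concatenation beside a hardened version; the function names, the identifier regex, the 64-character limit and the leading comment prefix are my assumptions:

```javascript
// Added example, not from the challenge: why an unvalidated JSONP callback
// defeats script-src 'self', and one way to harden the endpoint.

// Vulnerable pattern: the callback string is concatenated verbatim, so whatever
// the caller supplies becomes part of a same-origin script body that CSP trusts.
function buildJsonpResponseUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened: accept only a dotted JavaScript identifier such as "cb" or
// "app.onData"; anything else (parentheses, semicolons, spaces) is rejected.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

function buildJsonpResponseSafe(callback, data) {
  if (!isSafeCallbackName(callback)) {
    return null; // caller must answer with an error, never emit a script
  }
  // Leading comment: a common hardening so the body cannot be reinterpreted
  // as another format when loaded in unexpected contexts.
  return `/**/${callback}(${JSON.stringify(data)});`;
}

// Assumed request handler shape: returns status, headers and body so it can be
// exercised without a web framework.
function handleJsonpRequest(query, data) {
  const body = buildJsonpResponseSafe(query.callback, data);
  if (body === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}
```

Validating the callback removes the script-injection primitive; keeping the endpoint off the origins named in script-src (or moving to nonce-based CSP) removes the reason it was a bypass at all.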


Target: The Admin Bot

The admin bot logs in and sets a flag cookie. The cookie is not HttpOnly, meaning JavaScript can read it.

So the goal was simple:

I used the Report to Moderator feature, which triggers the admin bot to visit my post.


The Exfiltration Problem

My first attempts used fetch and Image(). Nothing arrived.

Then I realized the bot closes the browser shortly after loading the page, so some requests never complete in time.


The Working Solution

I switched to:

This worked immediately.

Since the bot automatically loads the vulnerable preview page with the flag stored in its cookies, my XSS payload executed in the bot’s browser and exfiltrated the flag to my external server.

The incoming request contained:


Why It Worked

navigator.sendBeacon is designed to send data reliably, even during page unload: the browser queues the request and completes it on its own, whereas fetch depends on an in-page promise resolving before the window closes.

In a fast-closing bot environment, that reliability made the difference.


Final Chain

Stored XSS → CSP Bypass via JSONP → Admin Bot Visit → Non-HttpOnly Flag Cookie → Reliable Exfiltration via sendBeacon


See you soon! Hope you found this write-up useful. More vulnerabilities coming soon, so stay tuned! Don’t forget to support, share, and follow me on Twitter. Thanks for reading!
