惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Latest
Security Latest
U
Unit 42
D
Docker
H
Help Net Security
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Microsoft Azure Blog
Microsoft Azure Blog
C
Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
S
Schneier on Security
Project Zero
Project Zero
F
Future of Privacy Forum
V
Vulnerabilities – Threatpost
Recent Announcements
Recent Announcements
T
Threatpost
T
True Tiger Recordings
量子位
The Hacker News
The Hacker News
Stack Overflow Blog
Stack Overflow Blog
Recorded Future
Recorded Future
T
The Blog of Author Tim Ferriss
S
SegmentFault 最新的问题
A
Arctic Wolf
Martin Fowler
Martin Fowler
I
InfoQ
Malwarebytes
Malwarebytes
T
Tor Project blog
Hugging Face - Blog
Hugging Face - Blog
M
MIT News - Artificial intelligence
S
Securelist
T
Tailwind CSS Blog
Blog — PlanetScale
Blog — PlanetScale
P
Proofpoint News Feed
W
WeLiveSecurity
The Register - Security
The Register - Security
Cisco Talos Blog
Cisco Talos Blog
H
Hacker News: Front Page
The Cloudflare Blog
O
OpenAI News
C
CERT Recently Published Vulnerability Notes
Hacker News: Ask HN
Hacker News: Ask HN
NISL@THU
NISL@THU
E
Exploit-DB.com RSS Feed
Scott Helme
Scott Helme
Jina AI
Jina AI
Spread Privacy
Spread Privacy
T
The Exploit Database - CXSecurity.com
T
Troy Hunt's Blog
N
News | PayPal Newsroom
李成银的技术随笔

DEV Community

A Field Guide to Human–AI Relations (For the Newly Bewildered Mortal) The AI Agent That Learns While It Works — A Complete Guide to Hermes Agent Gemma 4: Google's Open-Weight AI Is a Game Changer for Developers Confessions of a Git Beginner: Why the Terminal Stopped Scaring Me 🚀 I Built a Full Stack Miro Clone with Real-Time Collaboration using Next.js Building an African Economic Data Pipeline with Python, DuckDB & World Bank API llms.txt vs robots.txt vs ai.txt: The Developer's Cheat Sheet Business Logic Flaws: How Attackers Skip Steps in Your App to Get What They Should Never Have Why Vibe Coders Need Boilerplates to Save Time, Tokens, and Build More Secure SaaS Projects Idle Cloud Cost Is the New Egress Cost Quark's Outlines: Python Traceback Objects Ghost in the Stack (Part 1): Why uninitialized variables remember old data Building a High-Performance Local Chess Assistant Extension with WebAssembly Stockfish and Manifest V3 Breaking the Trade-off Between Self-Custody and Intelligent Automation on the Stellar Network I Open-Sourced a Practical Fullstack Interview Preparation Repository (React + Node + System Design) 🚀 How I Started Coding as a Student (Beginner-Friendly Guide) WordPress vs. Ghost: Why Automated Bot Attacks Are Making us think much I tested 4 AI agent-governance tools against an open spec - here's the matrix zkML Inference Proof: What the Receipt Proves, and What the Model Still Does Not I Scored 1000/1000 on AWS Certified AI Practitioner (AIF-C01) Here's Every Resource I Used Go - Struct and Interface Handling JSON Requests in Go Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS How I Caught and Fixed an N+1 Query in My Django REST API I got tired of paying $10/month to remove image backgrounds – so I built it for free How to Start Coding as a Student: A Complete Beginner’s Guide 🚀 Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS What Are Buffers? Build AI Agents with Hot Dev The Client Onboarding Checklist That Prevents 90% of Project Problems Scalable Treasure Hunts Are a Myth, But We Almost Made One Gemini 3.5 Flash Has a 1M Token Context Window. Here's What You Can Actually Build With It. I built a ultra-polished developer portfolio template using React & Tailwind v4 (with zero-JSX configuration) Gemini CLI Is Dead. Here's the Better Thing That Replaced It Post-quantum cryptography for embedded and IoT: secure boot, TLS and OTA Understanding Optimistic Preloading in Modern Applications Nobody Wants to Read Your Code (And You Don't Want to Read Theirs) A clothing pairing app E2B vs E4B vs 31B Dense: The Practical Guide to Choosing the Right Gemma 4 Model I built an AI app store screenshot generator because Figma made me cry — looking for brutal feedback Hello DEV Community — My Developer Journey Begins Adaptable apps on ChromeOS: a post-mortem The WordPress Paradox: Why It’s Here to Stay (and How to Stop Ruining It) I built a local voice AI that can change to 9 different personalities! UXRay: I Built an AI That Roasts Your UI Like a Senior Designer Would Wyrly DI: Type-safe Dependency Injection for Modern TypeScript The contract is the interface: agent-driven Steampipe Stave in one command Gemma 4's Hidden Superpower: Why Built-in Thinking Tokens Change Everything for Evaluation Tasks ⚡ WordPress Performance: The Real Truth They Don't Tell You A Mobile App Usually Needs an Admin System First Customer Portals Should Remove Repeated Admin Work Episode 4: The Time Loop (Layers & Caching) I Built ContextForge with Gemma 4: A Project Memory Generator for Developers and AI Coding Agents Why shadow DOM beat iframe for inline tooltips HOW TO CREATE USER AND ASSIGN ROLES IN AZURE WITH ENTRA ID When AI Blackmail Goes Viral Episode 3: The Secret Scroll (The Dockerfile) Monte Carlo Simulation for Engineers: Turning Uncertainty Into Numbers The tokens-per-byte trap: character-level 'compression' adds tokens Nobody Reads Your Code Anymore Why I built a collection of 5 free, zero-signup career finance tools for solo builders 🚀 New React Challenge: Instant UI with useOptimistic Resolvendo a Alucinação da IA na Arquitetura de Software com Code Property Graphs e .NET 9 S1 — Clean Backtrace Crashes: How to Diagnose and Fix Them Cómo solucionar el bucle infinito en useEffect con objetos y arrays The Brutal Reality of Running Gemma 4 Locally I made Claude Code refuse to write code unless the ticket scores 80/100 I Fed React's Entire Hooks Transition History to Gemma 4. Here's What It Found That We Missed. Building a Private RAG System: Lessons from a Local-First AI Journal CodePulse AI — Reviving an AI-Powered Repository Intelligence Platform How to Split Video into Segments with FFmpeg (CLI + API) I've audited dozens of estate agency websites. The same 5 problems show up every single time. Part 1: Taming Asynchronous JavaScript: How to Build a "Mailbox" Queue Building My AI-Powered VS Code Extension 🚀 Google Login in Express with PassportJS & JWT Great example of Gemma 4 moving beyond chatbots into real-world decision support. Using AI to guide everyday actions like recycling shows how impactful applied LLMs can be when designed for usability, not just capability. #Gemma4 #AI #Sustainability Building a Production AI Chatbot for an Educational Institute: Architecture, Lessons & Full Stack Deep-Dive Google Login in Express with PassportJS & JWT How I reclaimed 47GB on my MacBook by cleaning developer project junk Operators Are Not Oracles: How We Learned to Stop Worrying and Love the Configuration I Built 6 Free Developer Tools for AI APIs, Cron, Docker, and Self-Hosting How I Built a Real-Time Precious Metals Price Feed for 30,000 Concurrent Users in Laravel How to Use a SERP API to Validate Whether a Project Idea Is Worth Building Gemma 4 discussions often focus on capability, but real-world impact depends on deployment context. For offline education, especially in low-connectivity regions, latency, cost, and local inference matter as much as model strength. Local Mind Explores it Space Complexity + Ω and Θ Notations Google I/O 2026 Just Confirmed the Shift From AI Chatbots to AI Agents How to Add API Monitoring to an Express App in 5 Minutes (2026) Designing an In-Game Inflation Tracking Algorithm for Web Utility Apps Google AI Studio Just Changed the Shape of App Development If you struggle to learn then this is for you. Best AI Agent Security & Guardrails Tools in 2026: LLM Guard vs NeMo vs Guardrails AI Building Dynamic RBAC in React 19: From Permission Strings to Component-Level Access Control How to Build a Self-Hosted AI Code Review Tool in Python Why We Switched from React to HTMX in Production: A 200-Site Case Study Gemma-Loom: The Intent-Based Virtual Machine (IVM) for Edge Sovereignty Java实习海投攻略:3天300个沟通,我是怎么拿到面试的 I Deployed Netflix's Web Server in 30 Seconds (And So Can You) - Docker Project 1 Debugging Android 14 WebRTC Disconnects on a coturn Relay Path 1/30 Days System Design Question Testing FastAPI + SQLAlchemy with Real PostgreSQL Fixtures: No More Mocking Misery
Intigriti Challenge 0526 Writeup
Arnav Kumar · 2026-05-23 · via DEV Community

Arnav Kumar

Well this is a typical XSS challenge, you find an injection point and pop and alert. Pretty straightforward, just have to find that injection point.

This month's challenge is a community feed website with register, login page, Testimonials page where you can post and a profile page where you can edit your profile, that's a bunch of potential injection points to test, surely its one of them. and the footer mentions something called SCA Shield v1.0, is it Side Channel Attack?

Upon inspecting the source, all the page content is generated dynamically using a single app.js script. and innerHTML is heavily used throughout the script to inject content, but surprisingly DOMPurify is only used to sanitize the user comment and not their name?

nameDiv.innerHTML = t.user_name;

Enter fullscreen mode Exit fullscreen mode

I thought its the moment, we found an injection point, went and changed name to a typical XSS script and... it didn't work, its the same SCA Shield which was mentioned in the footer, which is preventing us, its a server side check.

we get a message

SCA Shield: Malicious characters detected! Quotes, parenthesis, dots, commas, and semicolons are strictly forbidden.

Enter fullscreen mode Exit fullscreen mode

and this when using script tags

SCA Shield: Malicious payload signature detected!

Enter fullscreen mode Exit fullscreen mode

Well, at least now we have a list of things to remove from our payload and it should just work. it seems it only detects few tags like script and other related words. tags like style, svg just work fine.

I had read about this XSS payload using CSS keyframes, so I thought to give it a try. and it worked.

After a bit of back and forth, I came across this

<style>@keyframes x{}</style><b style=animation-name:x onanimationstart=window[atob`YWxlcnQ=`]`pwned`>

Enter fullscreen mode Exit fullscreen mode

window is blocked, so we use top which points to topmost frame, and in a normal page, its the page itself
alert is blocked, we just base64 it lol, atob isn't blocked
and tagged literals instead of quotes

and it works! 🎉

now for the origin version for domain check, we need to due few modifications.
I released we can just use character hex code equivalents to mask the words since it does exact match, we can use parenthesis now!
replacing a with its equivalent \x61, ( to \x28 and ) to \x29 we have the following:

<style>@keyframes x{}</style><b style=animation-name:x onanimationstart=Function\\x61lert\x28origin\x29\```>

Enter fullscreen mode Exit fullscreen mode

and there you go, we're done!

I submitted it to Intigriti, and they told it was an unintended solution. while i haven't yet gone to an intended solution, i feel its something related to the PixelAnalyticsConfig residing in the app.js and seeing their first hint makes it more probable, but haven't yet explored it.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。