Content Security Policy on Giuseppe D'Andrea https://giuseppedandrea.it/tags/content-security-policy/ Recent content in Content Security Policy on Giuseppe D'Andrea Hugo en Tue, 24 Mar 2026 00:00:00 +0000 Intigriti Challenge 0326 - Write-Up https://giuseppedandrea.it/posts/intigriti-challenge-0326/ Tue, 24 Mar 2026 00:00:00 +0000 https://giuseppedandrea.it/posts/intigriti-challenge-0326/ <h2 id="introduction"> Introduction <a class="heading-link" href="#introduction"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Hi folks! This write-up documents my solution to <a href="https://challenge-0326.intigriti.io/" class="external-link" target="_blank" rel="noopener">Intigriti&rsquo;s March 2026 Challenge</a> created by <a href="https://x.com/KulinduKodi" class="external-link" target="_blank" rel="noopener">Kulindu</a>. The goal was to find a hidden flag (in the format <code>INTIGRITI{.*}</code>) by exploiting a chain of client-side vulnerabilities in a fictional threat intelligence portal called &ldquo;Secure Search Portal&rdquo;.</p> <p>This was a really fun and creative challenge! Let&rsquo;s dive into the solution!</p> <div class="notice warning"> <div class="notice-title"> <i class="fa-solid fa-exclamation-triangle" aria-hidden="true"></i>Warning </div> <div class="notice-content"><strong>Spoiler Alert!</strong> This write-up contains the complete solution with detailed exploitation steps. If you want to attempt the challenge yourself first, stop reading now and head over to the <a href="https://challenge-0326.intigriti.io/" class="external-link" target="_blank" rel="noopener">challenge page</a>!</div> </div> <h2 id="source-code-analysis"> Source code analysis <a class="heading-link" href="#source-code-analysis"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>The challenge presents a &ldquo;Secure Search Portal&rdquo;, a search interface that reflects user input back onto the page and allows users to report URLs to an admin.</p>