How a DOM clobber, a component hijack, and a hidden JSONP endpoint gave me full cookie exfiltration through DOMPurify + CSP + SANITIZE_DOM in the Intigriti March 2026 XSS challenge. From reading source code to stealing the admin bot’s flag cookie in 2 seconds.
First things first. Huge shoutout to @KulinduKodi for designing this challenge. The layered defense approach with DOMPurify + CSP + SANITIZE_DOM made this one of the most satisfying exploit chains I have ever assembled. And a big thanks to the Intigriti team for dropping those hints and publishing the custom wordlist blog post right when I was about to throw my laptop out the window. That nudge saved my sanity.
The Challenge: What Are We Up Against?
Picture this. You land on a sleek, dark-themed portal called ThreatCenter — a “Secure Search Portal.” There is a search box at the top. You type a query, it gets processed, and results appear on the page. Simple enough on the surface.
Under the hood, here is what happens when you search for something. The application takes your…