Intigriti 0326 CTF Challenge: Chaining DOM clobbering and CSP bypasses for XSS
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. This month's challenge, brought forward by Kulindu, presented us with a Secure Search Portal that, on the surface, appeared to be well protected. A strict Content Security Policy and DOMPurify sanitization gave the impression that this month's task of exploiting an XSS vulnerability would be difficult. But as we'll see, chaining several gadgets together proved other…