Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.
Objetivo: Inject XML-special characters into a JSON field value and observe the server's response to confirm that the data passes through an XML parser.
Contexto: A value that returns [object Object] instead of the literal string you sent is a strong signal that the server is treating your input as XML markup rather than plain text. This is not SSTI — it is evidence of a JSON-to-XML round-trip.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
What happens when you put XML markup characters (like angle brackets) inside a JSON string value? Watch what comes back when you read the created deck.
Set the description field to a value containing XML tags, e.g. "<test>". Retrieve the created deck and compare what the stored description says versus what you sent.
POST restore with {"name":"probe","description":"<test>","category":"c","cards":[]}. Then GET /api/decks/<new-id>. If description comes back as [object Object], the server parsed <test> as an XML child node — your JSON values are being interpolated raw into XML and re-parsed.
¿Te gusta Hintru? Buy me a coffee ☕ ☕