Tanuki

A recurring daily challenge — each entry covers a different vulnerability. Listed oldest to newest.

BugForge - Daily - Tanuki (Dec 30, 2025)

This vulnerability is a mass assignment-driven privilege escalation where the application trusts client-supplied input during user registration and allows…

Mass Assignment

Posted on 2025-12-30 20:00 4 min read

BugForge - Daily - Tanuki (Jan 6, 2026)

This challenge demonstrates an XML External Entity (XXE) vulnerability exploitable through XInclude processing in the Import Deck functionality. While…

XXE

Posted on 2026-01-06 20:00 4 min read

BugForge - Daily - Tanuki (Jan 13, 2026)

This challenge demonstrates an Insecure Direct Object Reference (IDOR) vulnerability in the Tanuki flashcard application's statistics API endpoint. After…

IDOR

Posted on 2026-01-13 20:40 5 min read

BugForge - Daily - Tanuki (Jan 20, 2026)

This challenge demonstrates a classic XML External Entity (XXE) vulnerability introduced through a server-side XML file upload feature exposed via the Import…

XXE

Posted on 2026-01-20 20:02 5 min read

BugForge - Daily - Tanuki (Jan 27, 2026)

This challenge demonstrates an Insecure Direct Object Reference (IDOR) vulnerability in the profile update functionality. The application passes the username…

IDOR Broken Access Control

Posted on 2026-01-27 20:00 4 min read

BugForge - Daily - Tanuki (Feb 3, 2026)

This challenge demonstrates a Server-Side Request Forgery (SSRF) vulnerability in the Tanuki application's leaderboard functionality. The application exposes…

SSRF

Posted on 2026-02-03 20:00 4 min read