Catalog Card
A boutique fountain-pen shop that takes its product copy seriously. The store front is tidy; the index the store hands to search engines knows about a few more pages than the navigation does.
The Scenario
Catalog Card is a small Pacific-Northwest fountain-pen shop. The staff write long product copy and unpublished "behind-the-counter" notes — early drafts, supplier conversations, pricing experiments. The drafts aren't linked from the storefront. Crawlers shouldn't be able to reach them. Someone forgot how a sitemap works.
Challenge Intel
Synopsis
A Sinatra-generated /sitemap.xml lists unlinked /drafts/<id> URLs; one draft's body is the flag.
What It Is
The product catalog is paged + indexed for search-engine discoverability. The /sitemap.xml endpoint is auto-generated from the database — and the developer forgot to filter to only published rows. It therefore lists every /products/<slug> URL plus every /drafts/<id> URL. The drafts are not linked from any storefront page, but they are reachable directly. One draft contains a short note whose body IS the flag.
Who It's For
Players who have used robots.txt for recon and want to graduate to sitemap.xml mining for unlinked content.
Skills You'll Practice
- Reading sitemap.xml as an enumeration source
- Distinguishing linked vs unlinked content on a real catalog
What You'll Gain
- A reflex to check sitemap.xml on every target, not just robots.txt
- Understanding why sitemap generators must filter by publish state
Ready to hack Catalog Card?
Upgrade to Pro to unlock this challenge and the full library.