Practice Real-World Web Security Vulnerabilities

An open-source, deliberately vulnerable e-commerce application designed for web security training, penetration testing, and ethical hacking. Master OWASP Top 10 vulnerabilities including XSS, SQL injection, CSRF, IDOR, and more in a realistic production-like environment.

[Screenshot: the OSS – OopsSec Store e-commerce interface used for security training and penetration testing]

About OSS – OopsSec Store

OSS – OopsSec Store is a free, open-source, deliberately vulnerable e-commerce application designed for web security training, penetration testing practice, and ethical hacking education. Built with modern web technologies including Next.js, React, and TypeScript, this security training platform simulates real-world web application vulnerabilities in a safe, controlled environment.

This security practice platform is ideal for developers learning secure coding practices, security engineers honing their penetration testing skills, cybersecurity students studying application security (AppSec), and anyone interested in understanding how common and advanced web vulnerabilities actually behave in production-like applications. The application includes multiple intentional security flaws covering OWASP Top 10 vulnerabilities such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR), weak authentication mechanisms, and more.

Each vulnerability is fully documented with detailed explanations, attack vectors, and remediation strategies, making it an excellent resource for security training, CTF competitions, and hands-on security labs.

⚠️ Important: This application contains intentional security vulnerabilities and must never be deployed in a production environment. Use only in isolated, controlled environments for educational purposes.

Security Training Features

  • 🎯 Realistic Vulnerabilities: Experience authentic security flaws found in real-world e-commerce applications, including OWASP Top 10 vulnerabilities like XSS, SQL injection, CSRF, IDOR, weak authentication, and insecure deserialization.
  • 🔐 Modern Attack Scenarios: Practice penetration testing techniques against a modern Single Page Application (SPA) and REST API architecture, simulating the attack scenarios used by security professionals and ethical hackers.
  • 📚 Comprehensive Documentation: Each vulnerability includes detailed documentation covering attack vectors, exploitation methods, impact assessment, and secure coding practices for remediation.
  • 🎓 Hands-On Learning Platform: Suited to security training, CTF competitions, security labs, and application security education. Learn by doing in a safe, controlled environment designed for ethical hacking practice.
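To make one of the listed vulnerability classes concrete, here is an added example of an Insecure Direct Object Reference (IDOR) in an order-lookup endpoint of the kind an e-commerce API exposes. It is illustrative code written for this page, not code from the OSS – OopsSec Store repository: the handlers are framework-neutral functions (so they run without Next.js), and the order ids, user ids, session objects and function names are constructed assumptions. The vulnerable handler looks up whatever id the URL carries; the hardened one scopes the query to the authenticated user and parses the id strictly, and an enumeration routine shows how a tester would tell the two apart.

```typescript
// Added example, not code from the OSS - OopsSec Store repository: an IDOR in
// an order-lookup endpoint, written as framework-neutral handler functions.
// The orders, user ids and sessions below are constructed sample data.

interface Order {
  id: number;
  ownerId: number;
  total: number;
}

interface Session {
  userId: number;
}

type HandlerResult =
  | { status: 200; body: Order }
  | { status: 404; body: { error: string } };

type OrderHandler = (session: Session, orderIdParam: string) => HandlerResult;

// Constructed stand-in for the seeded database: two customers, one order each.
const orders: Order[] = [
  { id: 1001, ownerId: 1, total: 49.99 },
  { id: 1002, ownerId: 2, total: 1299.0 },
];

const notFound: HandlerResult = { status: 404, body: { error: "order not found" } };

// Vulnerable handler: having a session is the only check. The id comes
// straight from the URL and is never tied to the caller, so any logged-in
// user can read any order by guessing its sequential id.
function getOrderVulnerable(_session: Session, orderIdParam: string): HandlerResult {
  const id = Number(orderIdParam); // lax coercion: Number("0x3E9") === 1001
  const order = orders.find((o) => o.id === id);
  return order ? { status: 200, body: order } : notFound;
}

// Strict id parsing: canonical decimal digits only, so "0x3E9", " 1001",
// "1001.0" and "1e3" are rejected instead of being silently coerced.
function parseOrderId(raw: string): number | null {
  return /^[1-9]\d*$/.test(raw) ? Number(raw) : null;
}

// Hardened handler: the lookup is scoped to the authenticated user, so an
// order owned by someone else is simply not visible. Answering 404 instead
// of 403 also avoids confirming that the guessed id exists.
function getOrderHardened(session: Session, orderIdParam: string): HandlerResult {
  const id = parseOrderId(orderIdParam);
  if (id === null) return notFound;
  const order = orders.find((o) => o.id === id && o.ownerId === session.userId);
  return order ? { status: 200, body: order } : notFound;
}

// Tester's view: sweep a range of ids with one low-privilege session and
// collect every order the endpoint returns. Run against both handlers, this
// is the check that decides whether the IDOR is present.
function enumerateOrders(handler: OrderHandler, session: Session, from: number, to: number): number[] {
  const readable: number[] = [];
  for (let id = from; id <= to; id++) {
    const res = handler(session, String(id));
    if (res.status === 200) readable.push(res.body.id);
  }
  return readable;
}

// Stand-alone demonstration: customer 1 sweeps ids 1000..1005.
const attacker: Session = { userId: 1 };
console.log("vulnerable:", enumerateOrders(getOrderVulnerable, attacker, 1000, 1005)); // [1001, 1002]
console.log("hardened:  ", enumerateOrders(getOrderHardened, attacker, 1000, 1005));   // [1001]
```

The fix is the ownership predicate in the query, not any change to the URL scheme: random or UUID order ids only slow enumeration down, whereas binding the lookup to `session.userId` removes the access path entirely.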

Getting Started with Security Training

Quick Setup for Penetration Testing

Get started with web security training in minutes. Clone the repository and run the setup script to install dependencies, initialize the database with sample data, and launch the vulnerable application:

git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
npm run setup

Once the application is running, you can begin discovering and exploiting its vulnerabilities in a safe environment. Each of the intentional flaws is documented with a detailed explanation of the attack and its remediation.

Open Source Security Training Platform

OSS – OopsSec Store is released as open source under the MIT License, making it freely available for security training, educational purposes, and ethical hacking practice.

We welcome contributions from the security community to help improve this security training platform. Here are some ways you can contribute to advancing web security education:

Add New Security Vulnerabilities

Contribute new security vulnerabilities and CTF flags. Add the flag in the seed.ts file and create the corresponding markdown documentation in content/vulnerabilities, named vulnerability-name.md. Flags must follow the format OSS{...}. Help expand the security training content with new OWASP vulnerabilities and attack scenarios.

Develop E-commerce Features

Enhance the e-commerce functionality to create more realistic attack surfaces. Evolve the database model, create customer and admin back offices, implement order management systems, and add new features that can accommodate additional security vulnerabilities for penetration testing practice.

Fix Non-Intentional Bugs

Help maintain code quality by fixing UI/UX bugs or functionality issues that are not intentional security vulnerabilities. Ensure the application provides the best possible security training experience.

Improve Security Documentation

Enhance vulnerability documentation, fix spelling mistakes, add more detailed attack explanations, and improve the overall educational value of the security training materials.