OopsSec Store

An intentionally vulnerable e-commerce application for hands-on web security training. Master real-world attack vectors through a realistic Capture The Flag platform. Hunt for flags, exploit vulnerabilities, and level up your security skills.

$ npx create-oss-store
$ cd oss-oopssec-store && npm start

# → Open http://localhost:3000 and start hunting flags

Read the blog posts or check README for more info.

Social Links:

Recent Posts

Second-Order SQL Injection: When Trusted Data Turns Hostile

kOaDT

12 Feb, 2026

How a crafted display name stored through a product review becomes a SQL injection payload when an admin filters reviews on the moderation panel.
Malicious File Upload: Stored XSS via SVG

kOaDT

7 Feb, 2026

Exploiting insufficient file upload validation to achieve stored cross-site scripting through malicious SVG files that execute JavaScript for every visitor.
Brute Force Attack: Exploiting a Login Endpoint With No Rate Limiting

kOaDT

1 Feb, 2026

Exploiting the absence of rate limiting on a login endpoint to brute force a user password using a common wordlist.
Broken Object Level Authorization: Accessing Private Wishlists

kOaDT

31 Jan, 2026

Exploiting a Broken Object Level Authorization vulnerability in OopsSec Store's wishlist feature to access other users' private wishlists and retrieve sensitive internal data.
Prompt Injection: Extracting Secrets from the AI Assistant

kOaDT

26 Jan, 2026

Exploiting prompt injection vulnerabilities in OopsSec Store's AI customer support assistant to bypass safety filters and extract confidential information embedded in the system prompt.
SQL Injection via X-Forwarded-For Header: Exploiting IP Tracking

kOaDT

24 Jan, 2026

Exploiting a SQL injection vulnerability in OopsSec Store's visitor tracking by injecting malicious payloads through the X-Forwarded-For HTTP header.
Stored XSS in Product Reviews

kOaDT

23 Jan, 2026

Exploiting stored cross-site scripting in OopsSec Store's product review functionality to execute JavaScript in every visitor's browser.
JWT Weak Secret: Cracking the Key to Forge Admin Access in OopsSec Store

kOaDT

23 Jan, 2026

Exploiting a JWT implementation that uses a weak signing secret to crack the key, forge admin credentials, and access restricted endpoints.
Chaining SQL Injection and Weak MD5 Hashing to Compromise the Admin Account

kOaDT

21 Jan, 2026

Exploiting a database leak combined with weak MD5 password hashing to gain administrative access.
Insecure Direct Object Reference: Unauthorized Order Access

kOaDT

20 Jan, 2026

Exploiting an insecure direct object reference vulnerability in OopsSec Store to access other customers' order details.

All Posts

OopsSec Store

Recent Posts

Second-Order SQL Injection: When Trusted Data Turns Hostile

Malicious File Upload: Stored XSS via SVG

Brute Force Attack: Exploiting a Login Endpoint With No Rate Limiting

Broken Object Level Authorization: Accessing Private Wishlists

Prompt Injection: Extracting Secrets from the AI Assistant

SQL Injection via X-Forwarded-For Header: Exploiting IP Tracking

Stored XSS in Product Reviews

JWT Weak Secret: Cracking the Key to Forge Admin Access in OopsSec Store

Chaining SQL Injection and Weak MD5 Hashing to Compromise the Admin Account

Insecure Direct Object Reference: Unauthorized Order Access