OopsSec Store - Walkthroughs

The Roadmap

11 chapters covering the bug classes that ship in real production code, from the obvious versions to the ones that survive a code review.

34 challenges
11 chapters
6 / 18 / 10 Easy / Med / Hard
33–48h to finish

By the end you'll have hands-on practice across every bug class shipped in OopsSec Store — covering the full OWASP Top 10 (2025) plus the modern AI and supply-chain attack surface: reconnaissance, broken access control, client-side trust failures, XSS and CSRF, SQL injection, server-side parsers, authentication failures, SSRF, cryptographic mistakes, business logic flaws, AI/LLM attacks, and supply chain compromises. The order is built so the easy bugs sharpen the instincts you'll need for the harder ones.

The most important advice: try each challenge yourself before opening the walkthrough. Skills come from finding the bug, not from reading about it. And one rule that doesn't bend: only apply this to systems you own or are explicitly authorized to test.

Legend: Easy / Medium / Hard

Chapter 01 / 11

Reconnaissance & Disclosure

Most attacks start with reading, not exploiting.

  1. 01 EASY: Public env variable leak
  2. 02 EASY: Information disclosure via API errors
  3. 03 MED: Plaintext passwords in logs

Chapter 02 / 11

Broken Access Control

The bug almost every API has somewhere.

  1. 04 EASY: Insecure Direct Object Reference (IDOR)
  2. 05 EASY: Open redirect to login bypass
  3. 06 MED: Broken Object Level Authorization (BOLA)
  4. 07 MED: Path traversal in document API

Chapter 03 / 11

Trusting the Client

Whatever the browser sends, the server has to verify.

  1. 08 MED: Client-side price manipulation
  2. 09 MED: Mass assignment to admin role
  3. 10 MED: Middleware bypass (CVE-2025-29927)
  4. 11 HARD: Race condition coupon abuse

Chapter 04 / 11

Cross-Site Attacks

Your input, running in someone else's browser.

  1. 12 EASY: Stored XSS in product reviews
  2. 13 EASY: Self-XSS in profile bio
  3. 14 MED: CSRF on admin order update
  4. 15 HARD: CSRF + Self-XSS profile takeover (see challenges 13 and 14)

Chapter 05 / 11

SQL Injection Deep Dive

One quote, one query, one breach.

  1. 16 MED: SQL injection in order search
  2. 17 MED: Product search SQLi
  3. 18 HARD: X-Forwarded-For SQLi (see challenges 16 and 17)
  4. 19 HARD: Second-order SQL injection (see challenges 16 and 17)

Chapter 06 / 11

Parsers Behaving Badly

Parsers go where your business logic can't.

  1. 20 HARD: Malicious file upload (SVG XSS)
  2. 21 HARD: XXE in supplier order import

Chapter 07 / 11

Authentication Failures

Login is a feature. Auth is a system.

  1. 22 MED: Weak JWT secret
  2. 23 MED: Brute force, no rate limiting
  3. 24 MED: Session fixation
  4. 25 MED: Insecure password reset

Chapter 08 / 11

Server-Side Request Forgery

Make the server fetch what you can't.

  1. 26 MED: SSRF internal page access

Chapter 09 / 11

Cryptography Done Wrong

Modern crypto is safe by default. Until it isn't.

  1. 27 MED: Weak MD5 password hashing
  2. 28 MED: Insecure randomness in gift cards
  3. 29 HARD: AES-CBC padding oracle

Chapter 10 / 11

AI & LLM Security

The new attack surface nobody trained for.

  1. 30 MED: Prompt injection in AI assistant
  2. 31 HARD: MCP malicious server

Chapter 11 / 11

Supply Chain & Framework

Your code is fine. The 800 packages around it aren't.

  1. 32 HARD: npm typosquat
  2. 33 MED: AI rules file backdoor
  3. 34 HARD: react2shell (CVE-2025-55182)

End of the line

You made it through.

If you reached this point by finding each bug yourself before opening the walkthrough, you've built the instincts that matter: the same ones that flag real vulnerabilities in real code reviews. Congratulations.

Drop your name in the Hall of Fame if you flagged everything. And if you know a vulnerability pattern that belongs in here, open a pull request. New challenges are always welcome.