```bash
$ npx create-oss-store
$ cd my-oss-store && npm run dev
```
Then open http://localhost:3000 and start hunting flags.
An intentionally vulnerable e-commerce application for hands-on web security training.
Master real-world attack vectors through a realistic Capture The Flag platform. Hunt for flags, exploit vulnerabilities, and level up your security skills.
Contributing | Roadmap | WriteUps
OSS – OopsSec Store is an open-source, intentionally vulnerable e-commerce application built with Next.js and React. It provides a realistic environment to learn and practice web application security testing, including OWASP Top 10 vulnerabilities, API security flaws, and modern frontend attack vectors.
Designed for penetration testers, security engineers, developers, and cybersecurity students, this project demonstrates how real-world vulnerabilities manifest in production-like single-page applications (SPA) with REST APIs.
Warning: This application contains intentional security flaws and must never be deployed in a production environment.
- Realistic e-commerce application with intentional security vulnerabilities (XSS, CSRF, IDOR, JWT attacks, path traversal, and more)
- Modern tech stack: Next.js, React, Prisma
- API security testing environment with documented attack vectors
- Capture The Flag (CTF) challenges with hidden flags to discover
- Comprehensive vulnerability documentation for learning and training
- Suitable for security awareness training, penetration testing practice, and AppSec education
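As an added illustration (not code from OSS – OopsSec Store itself), the block below shows how one of the listed classes, IDOR, manifests in a Next.js App Router route handler of the kind the project's app/api/ folder contains, beside its hardened form, plus the probe a tester would run against both. The order data, the `Bearer user:<name>` session scheme, the `json` helper and the handler names are assumptions made for this example; the project's own auth helpers in lib/ and its Prisma schema differ.

```javascript
// Added example, not code from OSS – OopsSec Store: an IDOR (broken
// object-level authorization) in a Next.js App Router route handler for
// GET /api/orders/[id], beside the hardened version, and a probe that
// detects it. Orders, the session scheme and the handler names are
// constructed for this illustration.

// Constructed sample data: three orders belonging to two users.
const ORDERS = new Map([
  [1001, { id: 1001, userId: "alice", total: 49.99, items: ["mug"] }],
  [1002, { id: 1002, userId: "bob", total: 120.0, items: ["hoodie"] }],
  [1003, { id: 1003, userId: "alice", total: 15.5, items: ["sticker-pack"] }],
]);

// Small helper so the handlers return real Response objects (Node 18+ and
// Next.js both provide the global Request/Response classes).
function json(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Hypothetical session resolver: accepts "Bearer user:<name>" so the example
// runs offline. A real app verifies a signed session token here instead.
function currentUser(request) {
  const auth = request.headers.get("authorization") || "";
  const m = /^Bearer user:([a-z0-9]+)$/.exec(auth);
  return m ? m[1] : null;
}

// Vulnerable handler: it authenticates the caller but never checks that the
// order belongs to them, so any logged-in user can read any order by
// changing the id in the URL.
function GET_vulnerable(request, { params }) {
  const user = currentUser(request);
  if (!user) return json({ error: "unauthenticated" }, 401);
  const order = ORDERS.get(Number(params.id));
  if (!order) return json({ error: "not found" }, 404);
  return json(order);
}

// Hardened handler: the lookup is scoped to the caller. Answering 404 rather
// than 403 for another user's order also avoids confirming that the id exists.
function GET_fixed(request, { params }) {
  const user = currentUser(request);
  if (!user) return json({ error: "unauthenticated" }, 401);
  const order = ORDERS.get(Number(params.id));
  if (!order || order.userId !== user) return json({ error: "not found" }, 404);
  return json(order);
}

// Probe: as one user, walk a range of ids against a handler and collect the
// ids of orders that came back but belong to someone else. An empty list
// means the handler enforced object-level authorization for that range.
async function probeIdor(handler, asUser, ids) {
  const leaked = [];
  for (const id of ids) {
    const request = new Request(`http://localhost:3000/api/orders/${id}`, {
      headers: { authorization: `Bearer user:${asUser}` },
    });
    const response = await handler(request, { params: { id: String(id) } });
    if (response.status !== 200) continue;
    const body = await response.json();
    if (body.userId !== asUser) leaked.push(body.id);
  }
  return leaked;
}

// Stand-alone run: bob enumerates ids 1000..1004 against both handlers.
(async () => {
  const ids = [1000, 1001, 1002, 1003, 1004];
  console.log("vulnerable leaks:", await probeIdor(GET_vulnerable, "bob", ids)); // [1001, 1003]
  console.log("fixed leaks:", await probeIdor(GET_fixed, "bob", ids)); // []
})();
```

The same probe shape works against a running lab instance by swapping the in-process handler for a `fetch` to http://localhost:3000/api/orders/<id> with a real session cookie or token; the flaw is the missing ownership check, not the storage layer, so it looks identical whether the orders come from a Map or from Prisma.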
```bash
npx create-oss-store my-ctf-lab
cd my-ctf-lab
npm run dev
```
Then open http://localhost:3000 in your browser.
Alternatively, clone the repository and run the setup script:
```bash
git clone https://github.com/kOaDT/oss-oopssec-store.git
cd oss-oopssec-store
npm run setup
```
The setup script will create the .env file, install dependencies, initialize the SQLite database, seed it with CTF flags, and start the application on port 3000.
| Folder | Description |
|---|---|
| app/ | Next.js App Router – pages, API routes, and React components |
| app/api/ | REST API endpoints (auth, cart, orders, products, flags, etc.) |
| app/components/ | Reusable React UI components (Header, Footer, ProductCard, etc.) |
| app/vulnerabilities/ | Pages documenting each security vulnerability |
| content/vulnerabilities/ | Markdown files describing vulnerabilities, attack vectors, and solutions |
| lib/ | Shared utilities: database client, authentication, API helpers, types |
| prisma/ | Database schema, migrations, and seed script with CTF flags |
| public/ | Static assets and exploit payloads (e.g., CSRF attack demo) |
| hooks/ | Custom React hooks (authentication, etc.) |
| scripts/ | Setup and automation scripts |
| docs/ | Static documentation site |
| packages/ | NPM package create-oss-store for quick project scaffolding |
This project is intended for educational and authorized security testing purposes only.
It contains intentional security vulnerabilities and insecure configurations. The authors assume no responsibility for any misuse, damage, or unauthorized access resulting from the use of this software. Use responsibly and only in isolated environments.
OSS – OopsSec Store is released under the MIT License. Contributions from the security community are welcome.
Ways to contribute:
- Add new security challenges
- Extend the application
- Report and fix bugs
- Improve documentation
Looking for ideas? Check out our ROADMAP.md for planned features and vulnerabilities you can help implement.
For issues or suggestions, please open a GitHub Issue.
For contribution guidelines, see CONTRIBUTING.md.